Onix stands with Ukraine. Please monitor current status here.

Onix Blog WebBest Practices for SaaS Security (+Checklist for Startups) | Onix

SaaS Application Security Best Practices + Bonus Checklist

February 8, 2023

If you consider developing a software-as-a-service (SaaS) platform, data safety should be your priority from day one. This article outlines major SaaS security issues and offers practical tips to prevent them. A downloadable checklist of best practices for comprehensive SaaS security comes as a bonus.

Onix’s experts can also advise you on data security and other aspects of SaaS product development, build or help build a secure SaaS product for you, or improve the safety of your existing system using the wealth of our experience.

Learn about Onix’s work for Adoric — SaaS for intuitive and easy development of marketing campaigns without any coding skill

90% of organizations use cloud computing, including SaaS services, to achieve cost reduction, faster time-to-market, and other critical business objectives. The global market for SaaS, estimated at US$ 96.76 billion in 2022, is projected to reach US$ 234.9 billion by 2028, growing at a CAGR of nearly 16%.

However, development and new opportunities come hand in hand with new risks. SaaS applications are primarily built using cloud platform services (PaaS), deployed on cloud infrastructure (IaaS), and hosted and managed by several providers. An app’s security is developed at all layers but owned mainly by the service provider.

Why You Should Prioritize SaaS Application Security

The need for increased security grows in sync with the increasing reliance on cloud infrastructure and demand for SaaS services across different industries. Organizations’ growing dependence on such apps to run mission-critical processes hasn’t gone unnoticed by cybercriminals.

Hackers are particularly attracted to environments that deploy SaaS apps because of the volume of sensitive data stored there, such as payment card numbers, personally identifiable information (PII), or protected health information (PHI). Moreover, SaaS data is more difficult to protect: the volumes are large, data models more sophisticated, and integrations, regulations, and business processes are more complex.

While a SaaS platform is an unlikely potential attack victim thanks to strict technical controls, cybercriminals can attack the data in the system through end-user phishing, malware, API key leaks, and other methods that are also becoming more sophisticated. Then, attackers can export the data, overwrite it, and demand a ransom to decrypt it.

The cost of data breaches is growing continuously.

Average cost of a data breach in 2023-min.png

Source

Besides the costs, data breaches come with a whole packet of negative consequences: lost productivity, potential non-compliance penalties, damaged reputation, and a recovery that is often lengthy, difficult, and incomplete. However, enterprises are still not fully prepared for attacks on mission-critical SaaS data that are increasingly frequent and successful.

A 2022 global survey by Odaseva and Dimensional Research revealed that ransomware attacks on SaaS data succeeded more than attacks on any other environment: 52% of these attacks succeeded in penetrating enterprise defenses.

attacks on SaaS data

However, only 43% of companies fully back up their SaaS data, and 59% don’t protect their data in public infrastructure clouds.

The survey also highlighted a dangerous misconception persisting among customer companies: 25% still believe it is solely the cloud or SaaS provider’s responsibility to protect their SaaS data.

Although in a ‘shared responsibility’ model, the customer is responsible for securing and managing the data generated, SaaS platforms remain responsible for the security and integrity of the platform. A 2021 ruling of the District Court for the District of South Carolina further raised the stakes for SaaS vendors.

In 2020, cybercriminals attacked Blackbaud Inc., a cloud data collection and maintenance provider, and copied the PII and PHI of its customers’ donors, members, students, and patients. Following the ransomware attack discovery, several customers filed suits against Blackbaud, blaming its “deficient security program” and non-compliance with industry and regulatory standards for the data breach.

During the proceedings, the court found that:

the contractual relationship between the SaaS provider and its customers supports the recognition of a duty to the customers;
the SaaS provider was in the best position to prevent harm associated with a data breach.

After a federal judge ruled that Blackbaud was liable in the state where the breached servers were located, it will now face negligence and privacy claims under Massachusetts state law.

There are serious implications for SaaS providers. The arguments that SaaS customers are primarily responsible for the security of their end-users’ data or that SaaS provider has no relationship directly with individual users may not help SaaS providers avoid liability. They should make every effort to maintain up-to-date and effective security measures to protect the sensitive information they collect, store, process, or transmit.

It’s fair to say that adherence to the best practices for SaaS security is a matter of life and death for startups. The developers’ neglect of security may jeopardize your product’s adoption, especially if you target small and medium-sized companies. If they doubt your app’s regulatory compliance, they will choose one of your standard-compliant competitors.

If you succeed in winning them over, you will have to maintain customer trust continuously. This includes making every effort to protect their business information and customer data. Yet, “for 83% of companies, it’s not if a data breach will happen, but when.”

It may take months to recover from damage caused by a cyberattack. If it results in the loss of sensitive information, the damaged reputation and legal and financial implications can be detrimental even for an established company. For a startup, increased customer churn and customer acquisition cost will be fatal.

The first step to avoiding this early awareness of the potential vulnerabilities, threats, and risks. Building a secure application from the ground up is easier and cheaper than dealing with eventual security breaches.

The Common SaaS Security Issues

Some of the critical risks include, but are not limited to:

Sensitive data exposure

Cybercriminals can steal weakly protected sensitive data, such as social security numbers, credit card information, etc., and use them for identity theft, fraud, and other illicit activities.

Software developers undermine defenses and enable attacks by using components with known vulnerabilities, incorrect setup of computing assets, or overlooking errors in the operating system, middleware, or database.

Stolen or compromised credentials are the most common cause of data breaches. For example, a preserved default account with the original password exposes the app to attacks.

As SaaS environments operate in the public cloud, cloud misconfigurations are an apparent concern. These lapses in cloud application security management leave organizations vulnerable to cloud leaks, ransomware and malware attacks, phishing, penetration by external hackers, and insider threats.

A typical cloud misconfiguration is a permissions gap when an administrator provides too many access rights to an end-user. The public access settings for Amazon’s Simple Storage Service (S3) storage buckets are a notorious example of a cloud service provider misconfiguration.

S3 buckets are private by default, but even the world’s largest companies have been spotted leaving them publicly accessible. Organizations create S3 buckets, modify the default permissions, and then dump data into them without validating their configurations. If a bucket contains a corporate database, customer base, or other sensitive information, this can result in a severe data breach.

Simply checking S3 instances’ public permissions to ensure they are closed may prevent more breaches than all cybersecurity technologies put together. They must be validated for every S3 bucket added as a node, not just at deployment but continuously and automatically.

The OWASP cloud top 10 risks provide a good starting point for learning about SaaS cloud security.

Inadequate user authentication

Users accessing SaaS applications over the Internet from almost any device increase the risk of an unauthorized user accessing data or accidentally releasing data into the web. Flawed authentication and session management functions in many SaaS products give bad guys opportunities to compromise passwords, session tokens, or keys and steal users’ identities.

Notably, a popular online credit card payment method may pose the risk of identity theft. Inadequate enforcement of access restrictions enables cybercriminals to operate as administrators or authenticated users, modify access rights and user information, and view files.

Cross-site scripting (XSS)

Hackers can use a SaaS app’s code flaws to inject malicious code (scripts) into a web page viewed by a user. It gives them access to the user’s browser and lets them hijack user sessions and redirect users to malicious sites.

SQL injections

Structured Query Language (SQL) is a programming language used to maintain most databases. By inserting specialized SQL statements into an entry field, an attacker makes the system execute commands that allow various manipulative behaviors.

For example, the security risks of multi-tenancy architecture include injecting a tenant and trying to cross the boundary of another tenant to access their restricted data.

Attackers can emulate the identity of a more privileged user, make themselves or others database administrators, tamper with, retrieve, or destroy server data, modify transactions and balances, and even gain complete control over the system.

Supply chain attacks

Cybercriminals can also exploit vulnerabilities in your organization’s supply chain, i.e. the various software you rely on. By targeting the source code, updating mechanisms, or building processes of your vendors, they can compromise your company’s sensitive data. For this reason, your security team needs detailed visibility into the entire vendor ecosystem to identify and remediate any vulnerabilities before cybercriminals do so.

Insufficient logging and monitoring of the app activity

Without proper frequent logging and monitoring, you risk overlooking unauthorized and potentially malicious activities, such as tampering, theft, or destruction of data.

Regulatory non-compliance

Non-compliance is fraught with the risks of data breaches, hefty fines, and reputational damage.

Depending on your app’s type and the location of your customers, the regulations and standards you may have to follow may include but are not limited to:

General Data Protection Regulations (GDPR) if you are going to provide services in the European Union and the European Economic Area.
Payment Card Industry Data Security Standard (PCI DSS), which applies to all entities that collect, transmit, or store credit card information.
Health Insurance Portability and Accountability Act (HIPAA), if you are going to store and transmit patients’ data between devices.
the Health Information Technology for Economic and Clinical Health (HITECH) Act, which also applies to medical apps in the US.
ISO/IEC 27001, an international certificate that fintech entities may be required to implement.
Sarbanes–Oxley Act (SOX), a US federal law that mandates certain practices in financial record keeping and reporting.
NIST 800-171, a special publication by the National Institute of Standards and Technology that recommends requirements for protecting controlled unclassified information by defense contractors.
The Center for Internet Security (CIS) best practices.

Saas security issues

Continuous risks and app security assessment should be integral to your product development process. The understanding of vulnerabilities will enable the team to address the most common security problems, protect vulnerable hotspots, develop practices to minimize risks, and devise protection from emerging cyber threats.

Your software development team must also adhere to the best practices to protect a SaaS app from the onset. Let us recommend a few.

SaaS Security Best Practices

1. Develop a detailed SaaS security requirements checklist.

This checklist should include the potential security flaws to watch out for, established SaaS security standards, and internal measures promoting security.

Multiple levels of security should reduce risks and help minimize damage. For example, on the organizational level, SaaS security can be promoted by:

public and internal security policies
regular information of the employees about the security measures you expect them to follow
cybersecurity training for employees to help prevent social engineering, phishing, etc.
use of password managers
centralized user management that controls the dataflow within your app ecosystem
information of your customers about the data you collect and process
customer education aimed at preventing account takeover fraud and other attacks

Brainstorm with your software developers, stakeholders, and domain experts to create your startup’s SaaS security checklist. An expert agency like Onix can help you define the key checkpoints and offer actionable advice on protecting your SaaS application and customers.

For your convenience, we have curated a basic list of recommendations. Every organization can find relevant best practices for SaaS security there or base its unique checklist on the template.

Keep abreast with current security threats and developments and regularly review and update your checklist. Make it easily accessible to keep all involved on the same page throughout your product development.

2. Ensure a secure software development life cycle.

Secure SDLC implies activities promoting security at every stage, so it’s baked into the process. This includes integrating SaaS application security requirements alongside functional requirements in your project specification, analyzing architecture risks during the discovery phase, technology choice, adopting secure coding methodologies, penetration testing, and other measures.

These activities should enable you to detect and eliminate potential vulnerabilities or weaknesses as early as possible. For instance, using the latest versions of libraries and frameworks can automatically prevent XSS.

Introducing DevOps security early in the SaaS product life cycle is a good idea. Among other benefits, it helps reduce data breaches.

Implementing a CI/CD pipeline facilitates rapid delivery of features and fixes, including security-related ones.

3. Adopt a shared responsibility model.

Establish a shared responsibility between your organization and customers so that both can actively play their clearly defined roles in your SaaS security. As a SaaS provider, you must handle the physical infrastructure, network, operating system, and application. Each customer is in charge of their data and identity management.

Another good practice is the separation of duties and accounts within your company’s operational teams.

4. Help protect data at the customer and end-user levels.

At the customer level, enforced security protocols like role-based permissions, access, and distribution of tasks will help reduce internal security gaps. Admins should have the exclusive right to access critical files and folders and to grant privileges to different categories of users.

The principle of least privilege is a good practice essential for cybersecurity. Users should receive only the minimum access required to perform their duties. Provide a unified framework to manage user authentication through business rules that determine appropriate user access based on organizational role, the system accessed, the data requirements, and workflow assignments, independently of the device used.

Multi-factor authentication (MFA) will help eliminate another point of entry for attackers.

5. Perform proper SaaS application security testing.

Besides the standard quality assurance and automated testing, your SaaS product development should include security-specific testing. For example, you can use a static application security testing (SAST) tool to analyze your application’s source code and highlight any security vulnerabilities.

Conduct your SaaS security testing with an eye on OWASP’s Top 10 security issues. This report will help you design tests to discover vulnerabilities in your SaaS system. The OWASP Testing Guide includes information about security monitoring and various test procedures.

SaaS application security testing

Comprehensive SaaS security testing should include automated and manual checks considering real-world scenarios and the latest threats.

The whole technical team can participate in simulated attacks on the product’s weak spots in search of vulnerabilities. A full blind discovery will facilitate a more profound audit of your SaaS platform. Outsider professional penetration testers may provide a comprehensive list of vulnerabilities and issues to address urgently.

6. Ensure сompliance via сertifications and audits.

SaaS business owners may need to obtain certifications like PCI DSS to prove that sensitive data is transmitted, processed, and stored securely. For instance, a SOC 2 audit aims to assess a service organization’s security, processing integrity, and confidentiality and privacy controls based on compliance with the Trust Services Criteria of the American Institute of Certified Public Accountants.

These essential certifications are something customers look for when selecting a SaaS vendor, a good indicator of a vendor’s readiness for regulatory compliance and maintaining high security standards.

Policies regarding the retention of personal data, such as names, addresses, social security numbers, financial records, etc., are often a major compliance requirement. For example, GDPR allows keeping such data as long as it is needed for the purpose for which it was collected and requires deleting it once no longer needed.

SaaS businesses need a data retention policy for their applications, especially for account management and subscriptions. A data deletion policy must specify what would happen to the customer data once the data retention period ends: the data should be deleted programmatically from your systems. A data deletion process must be implemented accurately and on time, and appropriate logs must be generated and maintained.

Be open about your customers’ data retention and deletion by disclosing these policies to your customers, e.g., as part of the service agreement.

Your company’s security or dedicated compliance team must regularly monitor the changing industry standards and regulations and validate your product’s compliance to identify and remediate any security gaps.

7. Integrate real-time protection.

Real-time monitoring can help the system distinguish between legitimate queries and malicious attacks, such as SQL injections, XSS, and account takeovers. Real-time protection tools, such as protection logic, can be integrated into the code at the development stage.

Firewalls filter out potentially dangerous or unknown traffic that might constitute a threat based on set rules about the types of traffic and permitted source/destination addresses on the network.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) that look for suspicious traffic after it has passed through the firewall further enhance perimeter protection.

Logs are vital for monitoring security incidents and detecting cyber attacks. You need an automatic logging mechanism and procedures for investigating potential security breaches. Security incidents must be captured, reported, and tracked to closure.

The integration of real-time monitoring into your SaaS app results in improved visibility, compliance, control, and policy management. After launch, you can integrate third-party security services. The data protection solutions shouldn’t be generic but specifically designed and built for the needs of enterprises.

Data loss prevention (DLP) systems can scan data in use, in motion, or at rest for sensitive information through keyword and phrase searches. Once detected, the DLP system blocks the transfer of sensitive data and can notify the administrator to verify the detection.

To prevent resource drainage, you can schedule scans or perform them whenever you see fit.

Your product’s logging mechanism should also assist customers with regular monitoring or audits.

8. Ensure secure SaaS application deployment.

Two main options are available for SaaS deployment:

1) Self-hosted deployment. In this scenario, it will be your responsibility to research SaaS security issues, adopt stringent application security policies, and implement appropriate safeguards to prevent denial-of-service (DoS) and network penetration attacks. Best practices for solving this problem include continuous integration, delivery, and deployment. Maximal automation of the deployment process is also recommended.

2) Cloud deployment. Public cloud vendors like Amazon or Google take shared responsibility for securing SaaS applications. Their infrastructure services help ensure data segregation, data security, network security, etc. If you choose to deploy your SaaS app on a public cloud, make sure to adhere to the best practices and norms recommended by the vendor. It's also a good idea to check the service’s compliance with applicable security principles and standards.

When choosing a cloud services provider, take your time to learn about certification and see the documentation. The general key compliance certificates include SOC 1, SOC 2, and ISO 27001, but more certificates apply to financial, healthcare, and other services.

9. Keep your virtual machines secure.

As organizations continue to deploy virtual machines, concerns about the security of both on-premises and VMs in the cloud are growing. You need a strategic plan in place to maintain a secure infrastructure and prevent hackers from gaining access to your VMs and other company assets. Some of the best practices to secure VMs are:

Ensure that the guest operating system of the VM is updated to the latest patch;
Keep up with the latest threats and patches available on the market and deploy them timely to protect your VM, e.g., using anti-malware, anti-spyware, and other threat monitoring tools to actively monitor for vulnerabilities in the system and alert administrators before issues arise;
Disable unwanted or rarely used features;
Enable the secure boot feature of the Unified Extensible Firmware Interface (UEFI) that verifies the integrity of the OS and blocks attacks that may harm the OS.

You can find more tips in the downloadable SaaS security checklist.

10. Implement data encryption.

The use of various methods for data encryption at rest and in transit is arguably the most important practice for data breach prevention. Encryption protects data by encoding it. Even if unauthorized users break through security barriers, they won’t be able to use your data without the encryption keys that only authorized users have. This method will help you both increase your cybersecurity level and comply with regulations.

Secure encryption configuration provides the needed protection from eavesdropping, tampering, or other interference with data in transit between your service and customers. All of the app’s interactions with the servers should occur over the Transport Layer Security protocol to ensure encryption during transmission. TLS 1.2 and 1.3 are the most popular versions currently. External data protection certificates should be configured correctly and follow good practices. The TLS should only terminate within the cloud service provider.

Sensitive data in transit between microservices, whether within the same cloud or multiple cloud services, must be protected at the same levels as client/service data transfers.

Data in storage should also be encrypted to protect sensitive information. Cloud service providers often provide field-level encryption and allow customers to specify the fields they want to encrypt, such as credit card numbers.

Data at rest may utilize strong cloud security measures for backup data, similar to your laptop’s hard drive data encryption. Datastores in a SaaS database must be classified and encrypted to the level of user needs. Data in lower SaaS environments has to be equally secured. Encryption technology for data at rest allows building a hierarchy of client-side and server-side encryption with separation of duty at different levels, customer control, and full audit trails.

Best practice solutions offer customers control over their encryption keys so that cloud operations employees cannot decrypt customer data.

best practices for SaaS security

11. Use proven cryptography tools.

Your software development team should use the best cryptography libraries, mechanisms, and tools, such as:

authentication using keys
JCA, cryptographic libraries in Java
CertMgr.exe and SignTool.exe

12. Implement modern cloud security mechanisms.

Consider adopting the Secure Access Service Edge (SASE) model. This cloud security architecture offers more advanced data protection functionality than traditional network security solutions. It empowers organizations to scale their networking and security capabilities directly across all endpoints through the cloud delivery model. Technologies from previously siloed security stacks can work together seamlessly across the network.

The SASE security model includes the following core components:

Zero-trust network access (ZTNA): This information security model requires all users inside or outside the network edge to verify or authenticate themselves, typically via MFA, each time they request access to any network resources and cloud services. ZTNA gives organizations visibility and access control of all users, devices, and apps through the least privilege principle. Network security is also supported through encryption, file system permissions, security information and event management, and mechanisms for cloud infrastructure entitlement management.

Software-defined wide area network (SD-WAN): This cloud-based service efficiently routes traffic to the cloud and SaaS services across the WAN via strategically placed points-of-presence distributed across the SASE network near devices, branch offices, and data centers. Network security features can be added to the SD-WAN’s functionality instead of being implemented separately at each branch/data center on the network edge.

Firewall-as-a-service (FWaaS): These applications can operate on-premises or through the cloud in a SASE configuration. In addition to network monitoring, packet filtering, and IP mapping, FWaaS offers next-generation features, such as deep packet inspection, IDS, IPS, advanced threat protection, domain name system security, and application control.

Cloud access security brokers (CASBs): CASBs eliminate the need to route traffic externally from the SASE network by using authentication and authorization through standards like the Security Assertion Markup Language (SAML) to allow employees to access internal and SaaS apps through the same portal. CASBs also provide cloud application discovery, adaptive access control, user and entity behavior analytics, malware detection, and DLP.

Secure web gateways (SWG): An SWG protects organizations from phishing attacks, botnets, and malware and can implement security policies, prevent corporate data leakage, and prevent unauthorized users from gaining access.

13. Use SaaS security posture management.

Businesses that mainly or solely rely on SaaS instead of cloud infrastructure should use SSPM tools for regular monitoring of their SaaS applications in the areas of configurations, user permission settings, and compliance.

SSPM tools automatically detect security risks, such as:

misconfigurations
errors in the security setup that could leave data exposed to the Internet
excessive user permissions
inactive and unnecessary user accounts that increase the number of attack vectors
security risks that could put an organization out of compliance with data security and privacy regulations

Once SSPM has discovered a threat, it notifies security teams automatically or may even mitigate some of these risks itself.

Conclusion

A data breach is an expensive, embarrassing, and often destructive event that any SaaS provider should try to avoid at all costs. The failure to prioritize data protection can make their SaaS data vulnerable to ransomware attacks, which are rampant now. Yet, many large enterprises still aren’t fully prepared for them.

We recommend the following SaaS security best practices to protect applications:

create a checklist of requirements, standards, and recommendations on SaaS security for your company at several levels and stick to it
embrace data security and regulatory compliance as an approach to your SaaS product development
adopt a ‘shared responsibility for SaaS security’ model but promote data protection at the customer and end-user levels
Conduct regular and thorough automatic and manual security-specific testing with an eye on OWASP’s Top 10 security issues
obtain certification and hold audits to ensure regulatory compliance
keep abreast of the changing standards, cyber threats, and developments in the area of SaaS data security
implement real-time monitoring and protection mechanisms
patch your software regularly
ensure secure deployment of your SaaS application
implement end-to-end data encryption
use the best cryptography libraries, mechanisms, and tools
secure your virtual machines
adopt the modern Secure Access Service Edge cloud security architecture
leverage SaaS security posture management tools

SaaS data lost in a ransomware attack is least likely to be fully recovered. However, proper backing up of SaaS data, metadata, and files facilitates restoration after a ransomware attack or another disaster. The solution must be specifically designed for the increased data volume and complexity. Just as important, the recovery of backed-up SaaS data must be fast enough to avoid damage to the business. Here are a couple of recommendations:

Back up data as frequently as necessary
Run regular restore tests to identify any potential roadblocks to a quick and effective data restoration

If you have questions about SaaS application security in general or possible risks for your unique product, please feel free to contact Onix. Our award-winning web and mobile app development agency has vast experience in developing secure SaaS applications. Our experts can assess the risks, discover potential vulnerabilities, and help meet all of your SaaS security needs.

Onix provides its outsourcing clients with senior tech talent and product development expertise acquired over 23 years. We can:

help you develop your startup’s security strategy
build a secure SaaS product for you from A to Z on time and within budget
complement your in-house team with specialists following all the best practices to protect your SaaS application.

FAQ

Why is SaaS data security important?

The possible consequences of neglecting the security of a SaaS product, building insecure software, or a data leak or breach include, but are not limited to: