If you are considering developing a software-as-a-service (SaaS) platform, data safety should be your priority from day one. This article outlines major SaaS security issues and offers practical tips to prevent them. A downloadable checklist of best practices for comprehensive SaaS security comes as a bonus.
Onix’s experts can also advise you on data security and other aspects of SaaS product development, build or help build a secure SaaS product for you, or improve the safety of your existing system using the wealth of our experience.
90% of organizations use cloud computing, including SaaS services, to achieve cost reduction, faster time-to-market, and other critical business objectives. The global market for SaaS, estimated at US$ 96.76 billion in 2022, is projected to reach US$ 234.9 billion by 2028, growing at a CAGR of nearly 16%.
However, development and new opportunities come hand in hand with new risks. SaaS applications are primarily built using cloud platform services (PaaS), deployed on cloud infrastructure (IaaS), and hosted and managed by several providers. An app’s security is developed at all layers but owned mainly by the service provider.
The need for increased security grows in sync with the increasing reliance on cloud infrastructure and demand for SaaS services across different industries. Organizations’ growing dependence on such apps to run mission-critical processes hasn’t gone unnoticed by cybercriminals.
Hackers are particularly attracted to environments that deploy SaaS apps because of the volume of sensitive data stored there, such as payment card numbers, personally identifiable information (PII), or protected health information (PHI). Moreover, SaaS data is more difficult to protect: the volumes are large, data models are more sophisticated, and integrations, regulations, and business processes are more complex.
While the SaaS platform itself is an unlikely attack victim thanks to strict technical controls, cybercriminals can attack the data in the system through end-user phishing, malware, API key leaks, and other methods that are also becoming more sophisticated. Then, attackers can export the data, overwrite it, and demand a ransom to decrypt it.
The cost of data breaches is growing continuously.
Besides the costs, data breaches come with a whole package of negative consequences: lost productivity, potential non-compliance penalties, damaged reputation, and a recovery that is often lengthy, difficult, and incomplete. However, enterprises are still not fully prepared for attacks on mission-critical SaaS data that are increasingly frequent and successful.
A 2022 global survey by Odaseva and Dimensional Research revealed that ransomware attacks on SaaS data succeeded more often than attacks on any other environment: 52% of these attacks succeeded in penetrating enterprise defenses.
However, only 43% of companies fully back up their SaaS data, and 59% don’t protect their data in public infrastructure clouds.
The survey also highlighted a dangerous misconception persisting among customer companies: 25% still believe it is solely the cloud or SaaS provider’s responsibility to protect their SaaS data.
Although the customer in a ‘shared responsibility’ model is responsible for securing and managing the data generated, SaaS platforms remain responsible for the security and integrity of the platform. A 2021 ruling of the District Court for the District of South Carolina further raised the stakes for SaaS vendors.
In 2020, cybercriminals attacked Blackbaud Inc., a cloud data collection and maintenance provider, and copied the PII and PHI of its customers’ donors, members, students, and patients. Following the ransomware attack discovery, several customers filed suits against Blackbaud, blaming its “deficient security program” and non-compliance with industry and regulatory standards for the data breach.
During the proceedings, the court found that:
After a federal judge ruled that Blackbaud was liable in the state where the breached servers were located, it will now face negligence and privacy claims under Massachusetts state law.
There are serious implications for SaaS providers. The arguments that SaaS customers are primarily responsible for the security of their end-users’ data or that a SaaS provider has no direct relationship with individual users may not help SaaS providers avoid liability. They should make every effort to maintain up-to-date and effective security measures to protect the sensitive information they collect, store, process, or transmit.
It’s fair to say that adherence to the best practices for SaaS security is a matter of life and death for startups. The developers’ neglect of security may jeopardize your product’s adoption, especially if you target small and medium-sized companies. If they doubt your app’s regulatory compliance, they will choose one of your standard-compliant competitors.
If you succeed in winning them over, you will have to maintain customer trust continuously. This includes making every effort to protect their business information and customer data. Yet, “for 83% of companies, it’s not if a data breach will happen, but when.”
It may take months to recover from damage caused by a cyberattack. If it results in the loss of sensitive information, the damaged reputation and legal and financial implications can be detrimental even for an established company. For a startup, increased customer churn and customer acquisition cost will be fatal.
The first step to avoiding this is early awareness of the potential vulnerabilities, threats, and risks. Building a secure application from the ground up is easier and cheaper than dealing with eventual security breaches.
Some of the critical risks include, but are not limited to:
Cybercriminals can steal weakly protected sensitive data, such as social security numbers, credit card information, etc., and use them for identity theft, fraud, and other illicit activities.
Software developers undermine defenses and enable attacks by using components with known vulnerabilities, setting up computing assets incorrectly, or overlooking errors in the operating system, middleware, or database.
Stolen or compromised credentials are the most common cause of data breaches. For example, a preserved default account with the original password exposes the app to attacks.
As SaaS environments operate in the public cloud, cloud misconfigurations are an apparent concern. These lapses in cloud application security management leave organizations vulnerable to cloud leaks, ransomware and malware attacks, phishing, penetration by external hackers, and insider threats.
A typical cloud misconfiguration is a permissions gap when an administrator provides too many access rights to an end-user. The public access settings for Amazon’s Simple Storage Service (S3) storage buckets are a notorious example of a cloud service provider misconfiguration.
S3 buckets are private by default, but even the world’s largest companies have been spotted leaving them publicly accessible. Organizations create S3 buckets, modify the default permissions, and then dump data into them without validating their configurations. If a bucket contains a corporate database, customer base, or other sensitive information, this can result in a severe data breach.
Simply checking S3 instances’ public permissions to ensure they are closed may prevent more breaches than all cybersecurity technologies put together. They must be validated for every S3 bucket added as a node, not just at deployment but continuously and automatically.
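The continuous check described above can be automated along these lines. This is an added example, not code from the original article: it evaluates the three settings that decide whether a bucket is publicly reachable (public access block, ACL grants, bucket policy), and it assumes the inputs have already been fetched with the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy APIs; the bucket names and configurations below are constructed samples.

```python
import json

# ACL grantee groups that mean "anyone" / "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_bucket(name, pab, acl, policy_json):
    """Return findings for one bucket; an empty list means it is closed.

    pab, acl and policy_json mirror the payloads of the S3 APIs
    GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy (None = not set).
    """
    pab = pab or {}
    findings = []
    off = [f for f in PAB_FLAGS if not pab.get(f, False)]
    if off:
        findings.append(f"{name}: public access block disabled for {', '.join(off)}")

    # Public ACL grants only take effect when IgnorePublicAcls is off.
    if not pab.get("IgnorePublicAcls", False):
        for grant in (acl or {}).get("Grants", []):
            grantee = grant.get("Grantee", {})
            if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
                group = grantee["URI"].rsplit("/", 1)[-1]
                findings.append(f"{name}: ACL grants {grant.get('Permission')} to {group}")

    # Wildcard-principal Allow statements only take effect when
    # RestrictPublicBuckets is off.
    if policy_json and not pab.get("RestrictPublicBuckets", False):
        statements = json.loads(policy_json).get("Statement", [])
        if isinstance(statements, dict):  # a single statement object is legal
            statements = [statements]
        for st in statements:
            if st.get("Effect") == "Allow" and is_wildcard(st.get("Principal")):
                scope = "conditional, review" if st.get("Condition") else "unconditional"
                findings.append(f"{name}: policy allows {st.get('Action')} to everyone ({scope})")
    return findings


# Constructed sample inventory (not real buckets).
CLOSED = dict.fromkeys(PAB_FLAGS, True)
SAMPLE = {
    "invoices-prod": (CLOSED, {"Grants": []}, None),
    "marketing-assets": (None, {"Grants": [{"Grantee": {"Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
        "Permission": "READ"}]}, None),
    "customer-exports": ({**CLOSED, "RestrictPublicBuckets": False}, {"Grants": []},
        json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::customer-exports/*"}]})),
}


def audit_all(inventory):
    """Map bucket name -> findings, keeping only buckets with problems."""
    report = {n: audit_bucket(n, *cfg) for n, cfg in inventory.items()}
    return {n: f for n, f in report.items() if f}


if __name__ == "__main__":
    for bucket, issues in audit_all(SAMPLE).items():
        print("\n".join(issues))
```

Run on a schedule and on every bucket creation event, a non-empty result from `audit_all` is the signal to alert on or to block the deployment.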
The OWASP cloud top 10 risks provide a good starting point for learning about SaaS cloud security.
Users accessing SaaS applications over the Internet from almost any device increase the risk of an unauthorized user accessing data or accidentally releasing data into the web. Flawed authentication and session management functions in many SaaS products give bad guys opportunities to compromise passwords, session tokens, or keys and steal users’ identities.
Notably, a popular online credit card payment method may pose the risk of identity theft. Inadequate enforcement of access restrictions enables cybercriminals to operate as administrators or authenticated users, modify access rights and user information, and view files.
Hackers can use a SaaS app’s code flaws to inject malicious code (scripts) into a web page viewed by a user. It gives them access to the user’s browser and lets them hijack user sessions and redirect users to malicious sites.
Structured Query Language (SQL) is a programming language used to maintain most databases. By inserting specialized SQL statements into an entry field, an attacker makes the system execute commands that allow various manipulative behaviors.
For example, the security risks of multi-tenancy architecture include injecting a tenant and trying to cross the boundary of another tenant to access their restricted data.
Attackers can emulate the identity of a more privileged user, make themselves or others database administrators, tamper with, retrieve, or destroy server data, modify transactions and balances, and even gain complete control over the system.
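The tenant-boundary risk described above, shown as a vulnerable query next to its hardened form. This is an added example, not code from the original article; the `invoices` table, the tenant names and the function names are constructed for illustration, and the tenant identifier is assumed to come from the authenticated session rather than from user input.

```python
import sqlite3


def make_db():
    """In-memory database with constructed rows for two tenants."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, "
               "tenant_id TEXT, customer TEXT, amount REAL)")
    db.executemany(
        "INSERT INTO invoices (tenant_id, customer, amount) VALUES (?, ?, ?)",
        [("acme", "Alice", 120.0), ("acme", "Bob", 75.5), ("globex", "Carol", 980.0)],
    )
    return db


def search_vulnerable(db, tenant_id, customer):
    """BEFORE: the search field is concatenated into the SQL text, so quote
    characters in the input change the structure of the WHERE clause."""
    sql = ("SELECT tenant_id, customer, amount FROM invoices "
           "WHERE tenant_id = '" + tenant_id + "' AND customer = '" + customer + "'")
    return db.execute(sql).fetchall()


def search_hardened(db, tenant_id, customer):
    """AFTER: both values are bound parameters, so the input is only ever
    compared as data and the tenant filter cannot be bypassed."""
    sql = ("SELECT tenant_id, customer, amount FROM invoices "
           "WHERE tenant_id = ? AND customer = ?")
    return db.execute(sql, (tenant_id, customer)).fetchall()


def leaked_tenants(rows, tenant_id):
    """Defence-in-depth check: tenants other than the caller's in a result."""
    return {row[0] for row in rows if row[0] != tenant_id}


if __name__ == "__main__":
    db = make_db()
    field = "x' OR '1'='1"  # constructed entry-field value containing SQL syntax
    print("vulnerable:", search_vulnerable(db, "acme", field))
    print("leaked tenants:", leaked_tenants(search_vulnerable(db, "acme", field), "acme"))
    print("hardened:", search_hardened(db, "acme", field))
```

A check like `leaked_tenants` is also useful as a test assertion or a runtime guard in the data-access layer, so a missed query surfaces as an error instead of as another tenant's data.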
Cybercriminals can also exploit vulnerabilities in your organization’s supply chain, i.e. the various software you rely on. By targeting the source code, updating mechanisms, or building processes of your vendors, they can compromise your company’s sensitive data. For this reason, your security team needs detailed visibility into the entire vendor ecosystem to identify and remediate any vulnerabilities before cybercriminals do so.
Without proper frequent logging and monitoring, you risk overlooking unauthorized and potentially malicious activities, such as tampering, theft, or destruction of data.
Non-compliance is fraught with the risks of data breaches, hefty fines, and reputational damage.
Depending on your app’s type and the location of your customers, the regulations and standards you may have to follow may include but are not limited to:
Continuous risk and app security assessment should be integral to your product development process. The understanding of vulnerabilities will enable the team to address the most common security problems, protect vulnerable hotspots, develop practices to minimize risks, and devise protection from emerging cyber threats.
Your software development team must also adhere to the best practices to protect a SaaS app from the outset. Let us recommend a few.
This checklist should include the potential security flaws to watch out for, established SaaS security standards, and internal measures promoting security.
Multiple levels of security should reduce risks and help minimize damage. For example, on the organizational level, SaaS security can be promoted by:
Brainstorm with your software developers, stakeholders, and domain experts to create your startup’s SaaS security checklist. An expert agency like Onix can help you define the key checkpoints and offer actionable advice on protecting your SaaS application and customers.
For your convenience, we have curated a basic list of recommendations. Every organization can find relevant best practices for SaaS security there or base its unique checklist on the template.
Keep abreast of current security threats and developments and regularly review and update your checklist. Make it easily accessible to keep all involved on the same page throughout your product development.
Secure SDLC implies activities promoting security at every stage, so it’s baked into the process. This includes integrating SaaS application security requirements alongside functional requirements in your project specification, analyzing architecture risks during the discovery phase, choosing technology, adopting secure coding methodologies, conducting penetration testing, and other measures.
These activities should enable you to detect and eliminate potential vulnerabilities or weaknesses as early as possible. For instance, using the latest versions of libraries and frameworks can automatically prevent XSS.
Introducing DevOps security early in the SaaS product life cycle is a good idea. Among other benefits, it helps reduce data breaches.
Implementing a CI/CD pipeline facilitates rapid delivery of features and fixes, including security-related ones.
Establish a shared responsibility between your organization and customers so that both can actively play their clearly defined roles in your SaaS security. As a SaaS provider, you must handle the physical infrastructure, network, operating system, and application. Each customer is in charge of their data and identity management.
Another good practice is the separation of duties and accounts within your company’s operational teams.
At the customer level, enforced security protocols like role-based permissions, access, and distribution of tasks will help reduce internal security gaps. Admins should have the exclusive right to access critical files and folders and to grant privileges to different categories of users.
The principle of least privilege is a good practice essential for cybersecurity. Users should receive only the minimum access required to perform their duties. Provide a unified framework to manage user authentication through business rules that determine appropriate user access based on organizational role, the system accessed, the data requirements, and workflow assignments, independently of the device used.
Multi-factor authentication (MFA) will help eliminate another point of entry for attackers.
Besides the standard quality assurance and automated testing, your SaaS product development should include security-specific testing. For example, you can use a static application security testing (SAST) tool to analyze your application’s source code and highlight any security vulnerabilities.
Conduct your SaaS security testing with an eye on OWASP’s Top 10 security issues. This report will help you design tests to discover vulnerabilities in your SaaS system. The OWASP Testing Guide includes information about security monitoring and various test procedures.
Comprehensive SaaS security testing should include automated and manual checks considering real-world scenarios and the latest threats.
The whole technical team can participate in simulated attacks on the product’s weak spots in search of vulnerabilities. A full blind discovery will facilitate a more profound audit of your SaaS platform. Outside professional penetration testers may provide a comprehensive list of vulnerabilities and issues to address urgently.
SaaS business owners may need to obtain certifications like PCI DSS to prove that sensitive data is transmitted, processed, and stored securely. For instance, a SOC 2 audit aims to assess a service organization’s security, processing integrity, and confidentiality and privacy controls based on compliance with the Trust Services Criteria of the American Institute of Certified Public Accountants.
These essential certifications are something customers look for when selecting a SaaS vendor, a good indicator of a vendor’s readiness for regulatory compliance and maintaining high security standards.
Policies regarding the retention of personal data, such as names, addresses, social security numbers, financial records, etc., are often a major compliance requirement. For example, GDPR allows keeping such data as long as it is needed for the purpose for which it was collected and requires deleting it once no longer needed.
SaaS businesses need a data retention policy for their applications, especially for account management and subscriptions. A data deletion policy must specify what would happen to the customer data once the data retention period ends: the data should be deleted programmatically from your systems. A data deletion process must be implemented accurately and on time, and appropriate logs must be generated and maintained.
Be open about your customers’ data retention and deletion by disclosing these policies to your customers, e.g., as part of the service agreement.
Your company’s security or dedicated compliance team must regularly monitor the changing industry standards and regulations and validate your product’s compliance to identify and remediate any security gaps.
Real-time monitoring can help the system distinguish between legitimate queries and malicious attacks, such as SQL injections, XSS, and account takeovers. Real-time protection tools, such as protection logic, can be integrated into the code at the development stage.
Firewalls filter out potentially dangerous or unknown traffic that might constitute a threat based on set rules about the types of traffic and permitted source/destination addresses on the network.
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) that look for suspicious traffic after it has passed through the firewall further enhance perimeter protection.
Logs are vital for monitoring security incidents and detecting cyber attacks. You need an automatic logging mechanism and procedures for investigating potential security breaches. Security incidents must be captured, reported, and tracked to closure.
The integration of real-time monitoring into your SaaS app results in improved visibility, compliance, control, and policy management. After launch, you can integrate third-party security services. The data protection solutions shouldn’t be generic but specifically designed and built for the needs of enterprises.
Data loss prevention (DLP) systems can scan data in use, in motion, or at rest for sensitive information through keyword and phrase searches. Once detected, the DLP system blocks the transfer of sensitive data and can notify the administrator to verify the detection.
To prevent resource drainage, you can schedule scans or perform them whenever you see fit.
Your product’s logging mechanism should also assist customers with regular monitoring or audits.
Two main options are available for SaaS deployment:
1) Self-hosted deployment. In this scenario, it will be your responsibility to research SaaS security issues, adopt stringent application security policies, and implement appropriate safeguards to prevent denial-of-service (DoS) and network penetration attacks. Best practices for solving this problem include continuous integration, delivery, and deployment. Maximal automation of the deployment process is also recommended.
2) Cloud deployment. Public cloud vendors like Amazon or Google take shared responsibility for securing SaaS applications. Their infrastructure services help ensure data segregation, data security, network security, etc. If you choose to deploy your SaaS app on a public cloud, make sure to adhere to the best practices and norms recommended by the vendor. It's also a good idea to check the service’s compliance with applicable security principles and standards.
When choosing a cloud services provider, take your time to learn about certification and see the documentation. The general key compliance certificates include SOC 1, SOC 2, and ISO 27001, but more certificates apply to financial, healthcare, and other services.
As organizations continue to deploy virtual machines, concerns about the security of both on-premises VMs and VMs in the cloud are growing. You need a strategic plan in place to maintain a secure infrastructure and prevent hackers from gaining access to your VMs and other company assets. Some of the best practices to secure VMs are:
You can find more tips in the downloadable SaaS security checklist.
The use of various methods for data encryption at rest and in transit is arguably the most important practice for data breach prevention. Encryption protects data by encoding it. Even if unauthorized users break through security barriers, they won’t be able to use your data without the encryption keys that only authorized users have. This method will help you both increase your cybersecurity level and comply with regulations.
Secure encryption configuration provides the needed protection from eavesdropping, tampering, or other interference with data in transit between your service and customers. All of the app’s interactions with the servers should occur over the Transport Layer Security (TLS) protocol to ensure encryption during transmission. TLS 1.2 and 1.3 are the most popular versions currently. External data protection certificates should be configured correctly and follow good practices. TLS should terminate only within the cloud service provider.
Sensitive data in transit between microservices, whether within the same cloud or multiple cloud services, must be protected at the same levels as client/service data transfers.
Data in storage should also be encrypted to protect sensitive information. Cloud service providers often provide field-level encryption and allow customers to specify the fields they want to encrypt, such as credit card numbers.
Data at rest may utilize strong cloud security measures for backup data, similar to your laptop’s hard drive data encryption. Datastores in a SaaS database must be classified and encrypted to the level of user needs. Data in lower SaaS environments has to be equally secured. Encryption technology for data at rest allows building a hierarchy of client-side and server-side encryption with separation of duty at different levels, customer control, and full audit trails.
Best practice solutions offer customers control over their encryption keys so that cloud operations employees cannot decrypt customer data.
Your software development team should use the best cryptography libraries, mechanisms, and tools, such as:
Consider adopting the Secure Access Service Edge (SASE) model. This cloud security architecture offers more advanced data protection functionality than traditional network security solutions. It empowers organizations to scale their networking and security capabilities directly across all endpoints through the cloud delivery model. Technologies from previously siloed security stacks can work together seamlessly across the network.
The SASE security model includes the following core components:
Businesses that mainly or solely rely on SaaS instead of cloud infrastructure should use SSPM tools for regular monitoring of their SaaS applications in the areas of configurations, user permission settings, and compliance.
SSPM tools automatically detect security risks, such as:
Once SSPM has discovered a threat, it notifies security teams automatically or may even mitigate some of these risks itself.
A data breach is an expensive, embarrassing, and often destructive event that any SaaS provider should try to avoid at all costs. The failure to prioritize data protection can make their SaaS data vulnerable to ransomware attacks, which are rampant now. Yet, many large enterprises still aren’t fully prepared for them.
We recommend the following SaaS security best practices to protect applications:
SaaS data lost in a ransomware attack is least likely to be fully recovered. However, proper backing up of SaaS data, metadata, and files facilitates restoration after a ransomware attack or another disaster. The solution must be specifically designed for the increased data volume and complexity. Just as important, the recovery of backed-up SaaS data must be fast enough to avoid damage to the business. Here are a couple of recommendations:
If you have questions about SaaS application security in general or possible risks for your unique product, please feel free to contact Onix. Our award-winning web and mobile app development agency has vast experience in developing secure SaaS applications. Our experts can assess the risks, discover potential vulnerabilities, and help meet all of your SaaS security needs.
Onix provides its outsourcing clients with senior tech talent and product development expertise acquired over 23 years. We can:
The possible consequences of neglecting the security of a SaaS product, building insecure software, or a data leak or breach include, but are not limited to:
The primary security risks include, but are not limited to:
The SaaS provider and the customer share the responsibility for the security of the data in the system.