SaaS Security

Securing the cloud-based apps

Organizations use different cloud services like SaaS, IaaS, and PaaS with private, public, or hybrid deployment models. It is equally important to provide security for the applications hosted on all the different services offered. Cloud Computing Security or simply Cloud Security involves securing a network, information, and application security in the cloud environment.

The most significant threat / risk associated with cloud computing technology is data loss. Although transforming to cloud computing is fast, important business-level security policies, practices, and processes have to be followed and implemented to avoid severe data breaches.

Security challenges with SaaS:

Most of the organizations are adapting to the latest technologies on cloud. As a result of that, a new window of challenges has opened for them:

• Identity threats
• Access management / authentication
  • Application level
  • Network level
  • Data security
  • Compliance with Cloud Security standards
    • SOX
    • HIPPA
    • PCI-DSS

Security testing for SaaS:

Due to the increase in the use of Cloud Computing technology, security testers have to ensure the security of SaaS applications. The complexity of implementing SaaS leads to continuous Security testing at frequent intervals as ’one-time’ testing doesn’t suffice.

Security testing of SaaS offerings should ensure the following but not limit to:

• Authentication
• Authorization
• Availability
• Data Integrity
• Data Security

Following are the major security litmus tests performed for SaaS:

Denial of Service (DOS):

DOS occurs when the attacker intentionally brings down the deployment servers or networks by simulating huge traffic. This is usually done by man-in-the-middle attack with IP-spoofing. Hence, to mitigate this, we implement proper  access mechanisms.

SQL Injection:

Attackers inject bad SQL queries into input fields of the application to acquire sensitive information. Best practice for this is filtering / validating the input data.

Hidden Form Parameters:

We avoid using hidden form fields in SaaS-hosted applications as the hidden form parameters are a  big threat to data integrity.

Cookie Values:

Cookies should be properly encrypted with strong encryption methodologies like SHA / MD5. We must cookie-test  manually apart from automatic vulnerability scanning.

XSS:

Since a SaaS application is shared across different users, Cross Site Scripting (XSS) attacks are the most prominent type of attacks that the attackers use. This attack is usually done using phishing attacks. Automated Vulnerability scan of the application would be the better technique for this type of attacks.

Best practices for SaaS Security:

• Protection of API Keys
• Salting and Hashing
•  Use of TLS / SSL protocols for data transmission
• Passphrases (advantage of a passphrase is its length. Since it is a longer set of characters, password guessing and cracking is more difficult.)
• Proxy Encryption
• Encryption of stored and transmitted data
• Single sign-on option between on-premise systems and cloud. By leveraging a single sign-on option, users are able to access both their own desktops and any cloud services via a single password. This approach also reduces the incidences of dangling accounts, which are vulnerable to unauthorized usage, after users leave organizations
•  Prohibiting the sharing of account credentials between users and services
• Leveraging strong two-factor authentication techniques wherever possible
•  Running anti-virus and anti-malware software as a measure of defense mechanism against threats
•  Using a Firewall
•  Enabling automatic OS and application updates