Rhino Security Labs


Security for SaaS Companies:
Leveraging Infosec for Business Value

Introduction: SaaS Company Security Needs

The requirements of running a SaaS company change constantly—through the process of agile development, responding to customer needs, and adapting to shifts in regulations. One of the biggest factors in the success of a SaaS application is the trust consumers have in the service. As a result, SaaS organizations must treat security as a strategic driver to grow their business rather than viewing security as a ‘cost center’ that delivers no value. In this blog post we’ll discuss the security needs of SaaS companies, how to handle security internally, and prioritized steps for maturing a SaaS security program.

What makes SaaS Security Unique?

There are a couple of things that make SaaS security unique. First, there is customer and user data—lots of it. Segregation and storage of that data drive security complexity. In addition, as part of the SaaS model, organizations will be dealing with large, complex, regularly updated applications. Add today’s robust and dynamic regulatory environment, and these factors increase the complexity and difficulty of proper security.

To effectively address SaaS risk during the application development and deployment process, organizations need to consider the following security aspects:

  • Server deployment and IT Automation
  • Application and API Security
  • Cloud/Network Security
  • Regulatory Compliance
  • SaaS Availability / Stability
  • Data and System Backup
  • User Identity Management and Authentication

Below are the five unique security needs SaaS firms should consider for their security posture.

Need 1 - Ensuring Service Uptime (Protection Against DoS)

SaaS companies are particularly vulnerable to the impacts of Denial of Service (DoS) attacks. It is easy to see why: for SaaS companies, service availability is a critical part of their business model. While many (non-tech) businesses can have their website targeted by DoS/DDoS attacks and be relatively unharmed, any attack that brings down or degrades a SaaS service can cause almost immediate harm to the company. If customers are paying for service and not receiving it, they can quickly become dissatisfied. Think about that for a moment. Falling prey to a single significant attack can impact your revenues and your reputation, sending your customers into the arms of a competitor.

Going offline is bad. For SaaS companies, it’s even worse. While security is typically thought of as a matter of confidentiality, SaaS firms are also vulnerable to attacks which disrupt the normal use of their service. For this reason alone, SaaS companies need to harden their systems against the impacts of DoS/DDoS attacks and reduce their attack surface to the smallest possible footprint.

In late 2016, the infamous Dyn DDoS attack crippled the internet. As reported by Infoworld, Justin Harvey, security consultant to Fortune 500 companies, highlighted the issue this way: “Information security has three core elements: confidentiality, integrity, and availability. While the focus tends to fall on keeping information safe and ensuring no one tampers with the data, the attack shows that availability is just as important as the other two elements of information security.”

(Source: Dyn DDoS attack exposes soft underbelly of the cloud, Infoworld, Fahmida Y. Rashid, October 24, 2016; https://www.infoworld.com/article/3134023/security/dyn-ddos-attack-exposes-soft-underbelly-of-the-cloud.html)

Need 2 - European Data Privacy and GDPR

Effective May 25, 2018, GDPR is a major step toward improving the way organizations manage security and privacy. It fundamentally changes the way companies create, store, manage, retain and use data for EU citizens. By significantly advancing consumer protections, it not only generates an opportunity to address security concerns but also provides a way for organizations to demonstrate leadership by getting out in front of data protection.

If that doesn’t excite you enough, GDPR carries a big stick — penalties for breach are stiff, encouraging greater protection of data.

One of the biggest challenges with GDPR, however, is the non-prescriptive nature of the regulation. It is open to interpretation in the reading of the articles and also in how they are implemented. As such, it can highlight some of the difficulties with keeping pace with change in a SaaS security environment.

Here are some key guidelines to keep top of mind when thinking about how GDPR impacts your SaaS applications:

  1. Data Protection by Design and by Default – Your security and engineering teams should be working together to ensure that design processes are in place to meet compliance with this requirement of the GDPR.
  2. Right to Erasure (“Right to be Forgotten”) – Perhaps the most well-known component of the new GDPR laws, companies need to evaluate technical and/or procedural solutions to satisfy this requirement of the GDPR.
  3. Designation of a Data Protection Officer – Based on the type of data your company processes, you may be required to fill this role.
  4. Contractual Agreements/Consent – Your company may need to update your Master Subscription Agreements (MSA) and/or create addenda to existing agreements in place to comply with the GDPR.
  5. Incident Response Plan – Companies should maintain an incident response plan that is reviewed annually.

All these requirements present an opportunity to address various security concerns, be more transparent about how your organization stewards the privacy of consumers, and emphasize the approach you’ve taken to protect data. Again, with consumer confidence and trust as reasons to adopt your platform, these differentiators can dramatically improve adoption (much the way sloppy data and security practices run the risk of customer abandonment and reputational damage).

Need 3 - Security as a Sales Tool

Another benefit of treating security as a key differentiator is that it can become a ‘secret weapon’ during the sales process. Having application security pen test reports available for your organization demonstrates proof of an independent, third-party test of your systems. It can serve to eliminate a whole line of objections and questions during the SaaS sales cycle.

Here are some other ways demonstrating your SaaS security approach can have a positive impact on your business:

  • Improve/streamline your SaaS audit questionnaires; as a security person, ask your sales people how often security comes up in conversations. This is good ammo for discussing with management.
  • Shorten your days to close; even if you win the same number of deals, having better answers to security questionnaires will result in fewer hiccups and slowdowns for client procurement.
  • Win more deals! A growing number of companies are using security risk as a factor in their procurement process — chronically poor security posture may be a silent killer of deals.

For companies seeking to highlight the meaning of their security approach, posting a security policy page, even linking to pentest reports and the company that performed them, can be an easy fix.

Need 4 - Mergers, Acquisitions, and SaaS valuation

In their blog post on SaaS Valuations, FE International lists SaaS security as critical to valuation of a SaaS business, highlighting the need for thorough penetration testing and source code review. Particularly with higher-end valuations, well-documented code is almost a must-have for investors that are looking to scale into 7-figures and beyond. It can be a deal-killing issue and is one that is readily avoidable through adequate preparation ahead of coming to market.

Tangible security risks can affect M&A deals as well, as shown in Verizon’s acquisition of Yahoo. After a breach of Yahoo user data came to light, a discount of $350 million was applied to the acquisition, cutting the total price significantly for Verizon.

Need 5 - Minimize Risk of Breach (Preventing Loss of Trust)

Everyone is familiar with the argument that companies need to prioritize security to prevent breaches and protect their brand. While the jury is still out on how much damage these incidents cause to brands long-term, we’ve recently seen a new picture start to emerge. Specifically, organizations that fail to prioritize security and protect consumer data are taking significant losses both in value and in consumer confidence.

Take the Facebook example involving Cambridge Analytica. While not a breach (technically, the Facebook API was abused), the company is reeling from the damage and the bad news may not be over yet. Following the revelation that the company failed to protect the data of 50 million users from a political data firm, Facebook has lost nearly $50 billion in market cap since the data scandal. Companies like SpaceX are deleting their corporate accounts. Many more organizations are pulling advertising, a move that will have long term impacts on the health of Facebook’s core business. And, perhaps most troubling, people are cancelling their personal accounts in droves, vowing never to come back.

This incident may have far-reaching impact as Congressional hearings and lawsuits emerge. As one reporter put it: “The regulatory aftershocks could rattle companies beyond Facebook. In the big M&A deals in play in the media sector — AT&T’s bid for Time Warner, Comcast’s pending acquisition of Sky, Disney’s proposed takeover of 20th Century Fox — streaming media is front and center. And everyone wants to use big data to serve up highly targeted ads over the internet, just as Facebook does. Hundreds of billions of dollars [in digital ad spending] are at stake over the next several years over this issue.”

Moving the Needle: Recommended Security Steps

For organizations seeking to move the needle for security, Rhino Security Labs recommends the following:

  • Cloud Security Testing. Nearly all SaaS companies rely on cloud infrastructure and its APIs, creating a series of new security challenges. Specialized AWS penetration testing ensures proper configuration of your environment and security of cloud assets in particular.
  • Perform security policy review/audit. This will provide documentation of your security approach, identify potential gaps or operational weaknesses for you to consider, and help you when you are ready to create a security roadmap to improve your security posture over time.
  • Regular penetration testing for your compliance, security and development efforts. Penetration testing should involve more than cursory scanning. It should also include a tailored approach delivered by an independent third party that will provide you with documentation of the effort, findings and remediation recommendations.
  • Undergo a secure code review. Code reviews can document and verify the security of your application. They can also identify gaps and weaknesses to address to improve security overall.

These steps can be undertaken at any point during the development lifecycle and can even be performed after a solution is deployed. When looking for a penetration testing or code review partner, look for one that can support agile development processes as well as one that has enough experience to examine complex SaaS solutions operating in their environment.

Conclusion

Securing SaaS applications takes experience and know-how. New security threats emerge on a daily basis, and regulations can have sweeping impact on your approach. For organizations that prioritize security, however, the benefits can be significant. Those benefits include improved customer trust and confidence, more sales, better brand protection and the ability to demonstrate regulatory compliance. All of these factors can improve profitability, support valuation and lead to greater success in the market.