By Chris Wallis, Founder and CEO at Intruder
Despite increased security efforts by companies, cyberattacks still rose 28% in 2022.
Attackers are becoming smarter and more agile, and they're targeting firms of all
sizes across various sectors.
SaaS companies are no exception. To combat this upswing and
avoid being the next victim in 2023, they'll need to take more action now to
effectively secure their environments. Not only that, but many customers are
now demanding cyber security certifications like SOC2 before doing business
with SaaS vendors, making cyber security a business enabler as well as a key
risk reduction play.
The following are four key areas SaaS organizations should
prioritize for the remainder of the year and beyond to stay secure and keep
their business growing:
1. Web applications and APIs
Web applications, the core of SaaS companies, are great
digital tools that have revolutionized the way we work. However, they often
have access to highly sensitive data like customers' email addresses, employees'
HR information, or in some cases, details on a company's own security
weaknesses. This can make them high-value targets for attackers.
Therefore, SaaS companies storing this sensitive information
must carefully secure their web applications from easily exploitable
vulnerabilities like injection or logic flaws, access control weaknesses, and
more. While many developers are security aware these days, with growing dev
teams and the pace required to get competitive features out, these can be easy
mistakes to miss, even with modern development frameworks and secure code
review practices.
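As an added illustration of the injection and access-control mistakes named above (this is example code written for this article, not code from Intruder or the original post), here is one API handler in its vulnerable and hardened forms. The schema, the two tenants and the invoice rows are constructed for the example; the point is that the hardened version both binds parameters and checks that the caller owns the row it asks for.

```python
import sqlite3

# Constructed sample data (not from the article): two tenants, one invoice each.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id INTEGER, amount REAL);
INSERT INTO invoices VALUES (1, 100, 49.0), (2, 200, 990.0);
""")


def vulnerable_get_invoice(invoice_id: str) -> list:
    """Two classic SaaS mistakes in one function: the query is built by string
    concatenation (injection), and nothing ties the row to the caller's tenant
    (broken object-level authorization), so any id, or any injected clause,
    returns another customer's data."""
    sql = "SELECT id, tenant_id, amount FROM invoices WHERE id = " + invoice_id
    return CONN.execute(sql).fetchall()


def hardened_get_invoice(invoice_id: str, caller_tenant_id: int) -> list:
    """Hardened form: the id is validated before it reaches the database, the
    query uses bound parameters, and the WHERE clause carries the tenant
    predicate, so a caller can only ever see their own invoices."""
    try:
        invoice_int = int(invoice_id)
    except ValueError:
        return []  # reject anything that is not a plain integer id
    sql = ("SELECT id, tenant_id, amount FROM invoices "
           "WHERE id = ? AND tenant_id = ?")
    return CONN.execute(sql, (invoice_int, caller_tenant_id)).fetchall()


if __name__ == "__main__":
    # A textbook tautology makes the vulnerable handler dump every tenant's rows;
    # the hardened handler rejects it outright and never crosses tenants.
    print(vulnerable_get_invoice("1 OR 1=1"))
    print(hardened_get_invoice("1 OR 1=1", 100))
    print(hardened_get_invoice("2", 100))   # other tenant's invoice: empty
    print(hardened_get_invoice("1", 100))   # caller's own invoice
```

The tenant predicate is the part that scanners and code review most often miss: a parameterised query alone would still let tenant 100 read invoice 2 by simply asking for it.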
Vendors should use pentesting services after making major
changes to their applications and integrate an automated vulnerability scanner
into their development process to help design and build secure web
applications. Additionally, it's important to ensure developers have access to
and undergo security training. It isn't enough to assume they'll know how to
avoid these critical mistakes.
Most modern web applications are also built as Single Page
Applications that sit on top of an API, and many APIs can combine to create the
company and service you want to protect. While microservices have also become a
common trend, these are not usually all exposed to the internet (or to users). With
that in mind, it's important to make sure that the whole attack surface is covered
and that any API made available to end users is fully tested, to avoid hidden weak
spots that may be difficult to discover with old-fashioned "crawling" scanners
designed to pore over links and forms on a static website. Be careful when
selecting tools to ensure that what you think is being covered is actually
being covered, and that as much visibility as possible is given to the tool.
2. Cloud Misconfigurations
Within their own cloud systems, CTOs and developers must
secure a plethora of user roles, permissions, and settings to ensure they don't
inadvertently leave their systems open to attack. From making sure users only
have as much access as necessary, to securely configuring each system component
within the cloud, there are many places to slip up. In fact, Gartner predicts
that until 2025, we'll attribute 99% of cloud environment failures to human
error.
Unfortunately, due to the size and complexity of modern
cloud deployments, it can be very difficult to manually discover
misconfigurations and track them to completion. As a result, using software has
become essential. At Intruder we once had a customer tell us we'd found
security flaws on an IP address that wasn't theirs; when we investigated, it
turned out to be in an AWS region the customer didn't know they had. You can't
secure what you don't know about, so the added visibility you can gain from
using tooling is highly recommended.
Combining cloud asset
management with external network monitoring can give vendors visibility of
their entire attack surface and uncover misconfigurations and vulnerabilities
as soon as they are created - minimising the opportunity an attacker would have
to strike.
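To make the "only as much access as necessary" point concrete, here is a small policy linter added for this article (not Intruder's code, and not a substitute for the cloud provider's own analysis tooling). It reads IAM-style policy documents and flags the two misconfigurations that most often slip through: an Allow of every action on every resource, and a resource policy that grants access to the public principal. The three policy documents are constructed samples, not real account data.

```python
import json

# Constructed sample policy documents (illustrative only, not a real account):
# an over-broad role, a world-readable bucket policy, and a correctly scoped role.
SAMPLE_POLICIES = {
    "ci-deploy-role": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    }),
    "uploads-bucket": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::example-uploads/*"}],
    }),
    "reporting-role": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-reports/*"}],
    }),
}


def _as_list(value):
    """Most IAM fields accept either a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_policy(name: str, document: str) -> list:
    """Return (policy name, statement index, finding) tuples for one document."""
    findings = []
    statements = _as_list(json.loads(document).get("Statement"))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allows widen it
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((name, index, "admin-wildcard"))
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            findings.append((name, index, "service-wildcard"))  # e.g. "s3:*"
        if _public_principal(stmt.get("Principal")):
            findings.append((name, index, "public-principal"))
    return findings


def lint_all(policies: dict) -> list:
    """Lint every document, in a stable order so output diffs cleanly over time."""
    findings = []
    for name in sorted(policies):
        findings.extend(lint_policy(name, policies[name]))
    return findings


if __name__ == "__main__":
    for finding in lint_all(SAMPLE_POLICIES):
        print("%s: statement %d: %s" % finding)
```

Run against a nightly export of every policy in every region (including the regions nobody remembers creating), the output is exactly the kind of tracked, diffable finding list that makes misconfigurations discoverable "as soon as they are created" rather than at the next audit.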
3. Patch management
Vulnerable software and patching are still persistent
problems today for all companies.
To help ensure services are always deployed to a fully
patched system, companies can lean on DevOps practices such as ephemeral
infrastructure. However, they also must make sure they're consistently
monitoring for and discovering any new weaknesses that pop up in between each
release.
Also, while Serverless and Platform as a Service (PaaS)
offerings can handle patching operating systems on their behalf, companies
should ensure their service's libraries are also frequently updated with
security patches, so that weaknesses don't creep in between deploys.
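The library-patching point above is the one that PaaS and serverless platforms do not cover for you, so here is an added example of the check a release pipeline can run on every build (written for this article, not Intruder's tooling). It parses a pinned lockfile and reports any dependency pinned below the first fixed version in an advisory feed. Both the lockfile and the advisory entries are constructed with made-up package names; a real pipeline would pull the feed from the ecosystem's advisory database.

```python
import re

# Constructed lockfile for a hypothetical service (package names are made up).
LOCKFILE = """\
# pinned dependencies for the hypothetical service
httpkit==2.25.0
yamlparse==6.0.1   # no known issue
templater==2.11.2
"""

# Constructed advisory feed: package -> first version carrying the fix.
ADVISORIES = {
    "httpkit": "2.31.0",
    "templater": "3.1.3",
    "cryptokit": "41.0.0",   # not pinned in the lockfile, must not be reported
}


def parse_version(text: str) -> tuple:
    """Compare versions as tuples of their numeric components.
    Assumption: this ignores pre-release suffixes such as 'b1'; a real
    pipeline would use a full PEP 440 / semver comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_lockfile(text: str) -> dict:
    """Return {package: pinned version} from requirements-style 'name==ver' lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if not match:
            raise ValueError("unpinned or unparsable requirement: %r" % raw)
        pins[match.group(1).lower()] = match.group(2)
    return pins


def find_unpatched(pins: dict, advisories: dict) -> list:
    """Return sorted (package, pinned, fixed) tuples for every pin below the fix."""
    unpatched = []
    for name, fixed in advisories.items():
        pinned = pins.get(name.lower())
        if pinned is not None and parse_version(pinned) < parse_version(fixed):
            unpatched.append((name, pinned, fixed))
    return sorted(unpatched)


if __name__ == "__main__":
    # Failing the build on a non-empty result is what stops weaknesses
    # creeping in between deploys.
    for name, pinned, fixed in find_unpatched(parse_lockfile(LOCKFILE), ADVISORIES):
        print("%s is pinned at %s, fixed in %s" % (name, pinned, fixed))
```

Refusing unpinned requirements (the `ValueError` branch) is deliberate: a floating version makes "what is actually deployed" unknowable, which defeats the monitoring the paragraph above calls for.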
It's also well worth remembering that hackers don't always
shoot straight: if it's easier for them to compromise a laptop and go from
there to get into the development environment, potentially introducing rogue
code as was the case in the SolarWinds compromise, then that's what they'll
do. As always, you must remember who your potential threat actors are; not every
SaaS vendor will be in the sights of nation-state cyber forces, but it's worth
remembering that it's not just about securing the obvious things.
4. Internal security
Along with technical controls, it's worth remembering that
the human factor is often a significant part of every compromise. No company is
perfectly secure, but it can help to get on a path to security by adopting a
security framework early. This could be SOC2 or ISO27001, which can be heavy
for smaller companies. In the UK, a scheme called Cyber Essentials aimed to get
the absolute basics every company should follow down to a small set of
controls. Following something like this can at least put a stake in the ground,
help those new to the cyber world get a foot on the first rung, and focus
attention on both the technical side and the process and training side of cyber security.
No time like the present to start
SaaS companies large and small are no exception to security
threats, which are becoming more and more inevitable each day as hackers expand
their scope and increase the sophistication of their attacks. While
cybersecurity is ultimately a balance between risk and available resources,
particularly for startups, implementing good cyber hygiene practices at a
minimum is crucial in today's environment. And companies should keep in
mind that as their business scales, so should their investment in security.
ABOUT THE AUTHOR
Chris Wallis, CEO and founder of Intruder, has over a
decade of experience in cyber security working with the big four consulting and international finance
organizations. Having previously provided counsel on the cybersecurity operations of numerous FTSE
100 companies, as well as blue teams defending critical national infrastructure, he founded
Intruder with a clear mission 8 years ago. His goal was to solve the overload crisis in vulnerability
management, where tools were great at finding issues but less useful at prioritizing, tracking, and
alerting to those problems. Currently, 2,500 businesses worldwide have entrusted the team at Intruder
to protect them against ever-evolving cyber threats.