Virtualization Technology News and Information
Tips for Protecting Your SaaS Organization from Today's Top Cybersecurity Threats

By Chris Wallis, Founder and CEO at Intruder

Despite increased security efforts by companies, cyberattacks still rose 28% in 2022. Attackers are becoming smarter and more agile, and they're targeting firms of all sizes across various sectors.

SaaS companies are no exception. To combat this upswing and avoid being the next victim in 2023, they'll need to take more action now to effectively secure their environments. Not only that, but many customers are now demanding cyber security certifications like SOC2 before doing business with SaaS vendors, making cyber security a business enabler as well as a key risk reduction play.

The following are four key areas SaaS organizations should prioritize for the remainder of the year and beyond to stay secure and keep their business growing:

1. Web applications and APIs

Web applications, the core of SaaS companies, are great digital tools that have revolutionized the way we work. However, they often have access to highly sensitive data like customers' email addresses, employees' HR information, or in some cases, details on a company's own security weaknesses. This can make them high-value targets for attackers.

Therefore, SaaS companies storing this sensitive information must carefully secure their web applications from easily exploitable vulnerabilities like injection or logic flaws, access control weaknesses, and more. While many developers are security aware these days, with growing dev teams and the pace required to get competitive features out, these can be easy mistakes to miss, even with modern development frameworks and secure code review practices.

Vendors should use pentesting services after making major changes to their applications and integrate an automated vulnerability scanner into their development process to help design and build secure web applications. Additionally, it's important to ensure developers have access to and undergo security training. It isn't enough to assume they'll know how to avoid these critical mistakes.

Most modern web applications are also built as Single Page Applications sitting on top of an API, and many APIs can combine to create the company and service you want to protect. While microservices have also become a common trend, these are not usually all exposed to the internet (or to users). With that in mind, it's important to make sure that the whole attack surface is covered and that any API made available to end users is fully tested, to avoid hidden weak spots that are difficult to discover with old-fashioned "crawling" scanners designed to pore over links and forms on a static website. Be careful when selecting tools: ensure that what you think is being covered is actually being covered, and give the tool as much visibility as possible.

2. Cloud misconfigurations

Within their own cloud systems, CTOs and developers must secure a plethora of user roles, permissions, and settings to ensure they don't inadvertently leave their systems open to attack. From making sure users only have as much access as necessary, to securely configuring each system component within the cloud, there are many places to slip up. In fact, Gartner predicts that until 2025, we'll attribute 99% of cloud environment failures to human error.

Unfortunately, due to the size and complexity of modern cloud deployments, it can be very difficult to manually discover misconfigurations and track them to completion. As a result, using software has become essential. At Intruder we once had a customer tell us we'd found security flaws on an IP address that wasn't theirs; when we investigated, it turned out to be in an AWS region the customer didn't know they had. You can't secure what you don't know about, so the added visibility you can gain from tooling is highly recommended.

Combining cloud asset management with external network monitoring can give vendors visibility of their entire attack surface and uncover misconfigurations and vulnerabilities as soon as they are created, minimising the window an attacker would have to strike.
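As an added illustration of the "only as much access as necessary" point above (example code written for this article, not an Intruder tool), the following script scans IAM-style policy documents for the overly broad grants that automated misconfiguration checks typically flag. The two policies are constructed samples; the account id and bucket name are placeholders.

```python
import json

# Constructed sample policies (not from any real account). The first grants a
# role only what it needs; the second is the "allow everything" shape that
# turns one leaked credential into a whole-account compromise.
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-uploads/*"}]}
""")

WILDCARD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": "*", "Resource": "*"},
   {"Effect": "Allow", "Action": "iam:*",
    "Resource": "arn:aws:iam::123456789012:role/*"}]}
""")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (statement_index, reason) for Allow statements that are too broad.

    A full "*" action is reported separately from a service-wide wildcard such
    as "iam:*", so findings can be prioritised during triage.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not the concern here
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((idx, "action wildcard '*'"))
        for act in actions:
            if act != "*" and act.endswith(":*"):
                findings.append((idx, f"service-wide wildcard '{act}'"))
        # Resource "*" is sometimes unavoidable, but without a Condition it is unbounded
        if "*" in resources and "Condition" not in stmt:
            findings.append((idx, "resource '*' with no Condition"))
    return findings


if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED_POLICY), ("wildcard", WILDCARD_POLICY)):
        print(name, find_overbroad_statements(pol))
```

Run against a real policy export, the same function flags statements for review; a clean policy such as the scoped sample returns no findings.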

3. Patch management

Vulnerable software and patching are still persistent problems today for all companies.

To help ensure services are always deployed to a fully patched system, companies can lean on DevOps practices such as ephemeral infrastructure. However, they must also make sure they're consistently monitoring for and discovering any new weaknesses that pop up between releases.

Also, while Serverless and Platform as a Service (PaaS) offerings can handle patching operating systems on their behalf, companies should ensure their service's libraries are also frequently updated with security patches, so that weaknesses don't creep in between deploys.

It's also well worth remembering that hackers don't always shoot straight: if it's easier for them to compromise a laptop and go from there into the development environment, potentially introducing rogue code as was the case in the SolarWinds compromise, then that's what they'll do. As always, you must remember who your potential threat actors are. Not every SaaS vendor will be in the sights of nation-state cyber forces, but it's worth remembering that security is not just about protecting the obvious things.

4. Internal security

Along with technical controls, it's worth remembering that the human factor is often a significant part of every compromise. No company is perfectly secure, but adopting a security framework early can help put a company on the path to security. This could be SOC2 or ISO27001, though these can be heavy for smaller companies. In the UK, a scheme called Cyber Essentials aims to distil the absolute basics every company should follow into a small set of controls. Following something like this can at least put a stake in the ground, help those new to the cyber world get a foot on the first rung, and focus attention on both the technical side and the process and training side of cyber security.

No time like the present to start

SaaS companies large and small are no exception to security threats, which are becoming more and more inevitable each day as hackers expand their scope and increase the sophistication of their attacks. While cybersecurity is ultimately a balance between risk and available resources, particularly for startups, implementing good cyber hygiene practices at a minimum is crucial in today's environment. And companies should keep in mind that as their business scales, so should their investment in security.


ABOUT THE AUTHOR


Chris Wallis, CEO and founder of Intruder, has over a decade of experience in cyber security working with the big four consulting and international finance organizations. Having previously provided counsel on the cybersecurity operations of numerous FTSE 100 companies, as well as blue teams defending critical national infrastructure, he founded Intruder with a clear mission 8 years ago. His goal was to solve the overload crisis in vulnerability management, where tools were great at finding issues but less useful at prioritizing, tracking, and alerting to those problems. Currently, 2,500 businesses worldwide have entrusted the team at Intruder to protect them against ever-evolving cyber threats.
Published Thursday, June 08, 2023 7:31 AM by David Marshall