
Top 10 ways to secure your SaaS application


By Abhi Deshmukh

Did you know that the latest IBM 2013 Cyber Security Intelligence Index study indicates that an average organization sustains about 1,400 security events per week, such as SQL injection, spear phishing and URL tampering? In addition, a recent study by Gartner indicates that most software as a service (SaaS) contracts do not adequately cover the security aspects of the service.


If you are a SaaS provider, you will need to check that your development team has implemented secure engineering practices in both design and code. I’d like to share a list of the top 10 security issues you should address to make sure your SaaS application is secure. This list has been curated by the Open Web Application Security Project (OWASP). The 2013 list covers the 10 most widespread security vulnerabilities that web applications face.

The following is a brief listing of the top 10 security issues (by OWASP) that your SaaS offering should address:

  1. SQL, operating system or LDAP injection
  2. Insecure authentication and session management
  3. Cross-site scripting caused by a lack of input validation
  4. Insecure direct object references, such as exposing files and directories
  5. Security misconfiguration of databases, middleware and operating systems
  6. Exposure of sensitive data such as user IDs, passwords and personally identifiable information
  7. Missing access control checks in the server-side business logic
  8. Cross-site request forgery
  9. Using components with known vulnerabilities
  10. Unvalidated redirects and forwards
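To make the first item on the list concrete, here is an added example (not code from the original post) that puts a login query built by string concatenation next to its parameterized form and shows how each handles the same tainted input. It uses Python's standard sqlite3 module with a constructed in-memory user table; the function and table names are my own.

```python
import sqlite3

# Constructed sample data for this demonstration only.
# Passwords are stored in plaintext purely to keep the example short;
# a real service would store a salted hash (see list item 6).
USERS = [("alice", "s3cret-alice", "admin"), ("bob", "s3cret-bob", "user")]


def _connect():
    """Create an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Item 1 pattern: user input is pasted into the SQL text, so the input
    can change the structure of the statement, not just its values."""
    sql = ("SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()


def login_hardened(conn, name, password):
    """Parameterized query: the driver sends the values separately from the
    statement, so whatever the user typed is only ever compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def demo():
    """Run both variants against a valid login and against the classic
    tautology string that an application scanner sends to detect item 1."""
    conn = _connect()
    tainted = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "bob", "s3cret-bob"),
        "vuln_tainted": login_vulnerable(conn, "nobody", tainted),  # row returned
        "safe_valid": login_hardened(conn, "bob", "s3cret-bob"),
        "safe_tainted": login_hardened(conn, "nobody", tainted),    # None
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case}: {row}")
```

The vulnerable variant returns a row for a user that does not exist, which is exactly the behaviour an application scanner flags; the hardened variant returns nothing.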

If your SaaS service is also accessible on mobile devices, then this list of top 10 mobile risks should be considered.

During the development and testing process, you should seriously consider using application security scanners or a company that provides application scanning services. There are also source code scanners, which can be run as part of nightly builds. Both categories of tools and services are automated and provide quick, detailed analysis of security issues. Furthermore, you do not need to be a security expert to run and use these tools. And if you are running short of budget, there are plenty of free, open source tools available.

If you are a customer of a SaaS application, you can consider asking the vendor for a vulnerability report against these top 10 risks. This report should ideally come from an independent, third-party security auditor.

If you are an independent software vendor (ISV), then you may want to consider formal guidelines and processes to ensure that your products are secure. For example, IBM has secure engineering guidelines that address secure engineering issues in product development. The IBM guide Security in Development: The IBM Secure Engineering Framework further describes these secure engineering practices.

What are your thoughts on this topic? Comment below if you have a favorite set of tools for application security testing or a better list of top 10 issues.
