September 30, 2013 | Written by: IBM Cloud Staff
By Abhi Deshmukh
Did you know that the latest IBM 2013 Cyber Security Intelligence Index study indicates that an average organization sustains about 1,400 security events per week, such as SQL injection, spear phishing and URL tampering? In addition, a recent study by Gartner indicates that most software as a service (SaaS) contracts do not adequately cover the security aspects of the service.
If you are a SaaS provider, you need to check whether your development team has implemented secure engineering practices in both design and code. I'd like to share a list of the top 10 security issues that you should address to make sure your SaaS application is secure. This list has been curated by the Open Web Application Security Project (OWASP). The 2013 list covers the ten most widespread security vulnerabilities that web applications face.
The following is a brief listing of the OWASP top 10 security issues that your SaaS offering should address:
- Injection flaws, such as SQL, operating system command or LDAP injection
- Broken authentication and session management
- Cross-site scripting (XSS) caused by a lack of input validation and output encoding
- Insecure direct object references, such as exposing internal references to files and directories
- Security misconfiguration of databases, middleware and operating systems
- Exposure of sensitive data such as user IDs, passwords and personally identifiable information
- Missing function-level access control: authorization must be checked inside the server-side business logic, not only in the user interface
- Cross-site request forgery (CSRF)
- Using components with known vulnerabilities
- Unvalidated redirects and forwards
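To make the first item concrete, here is an added example (not code from the original post or from IBM) that contrasts a lookup built by string concatenation with the parameterized form a scanner or code review would ask for. The user table, its single row and the test input are constructed for the demonstration; the same parameter-binding pattern applies to any DB-API driver, not just sqlite3.

```python
import sqlite3

# Constructed sample schema and data (not from the post): one user in an in-memory DB.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash-value')")
    return conn

def find_user_vulnerable(conn, username):
    # Untrusted input is spliced directly into the SQL text, so the value can
    # change the structure of the statement instead of just its data.
    query = "SELECT username FROM users WHERE username = '%s'" % username
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def find_user_safe(conn, username):
    # Parameterized query: the statement is fixed and the driver passes the
    # value separately, so it is only ever compared as data.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None

# Constructed test input: a value that is not a username at all.
TAUTOLOGY_INPUT = "' OR '1'='1"

def demo():
    """Return what each lookup yields for a real username and for the bad input."""
    conn = make_db()
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_bad_input": find_user_vulnerable(conn, TAUTOLOGY_INPUT),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_bad_input": find_user_safe(conn, TAUTOLOGY_INPUT),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The concatenated version matches a user for input that names nobody, which is exactly the behaviour a source code scanner flags as a SQL injection sink; the parameterized version returns nothing for the same input because the quote characters never reach the SQL parser as syntax.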
If your SaaS service is also accessible on mobile devices, then this list of top 10 mobile risks should be considered.
During the development and testing process, you should seriously consider application security scanners, or companies that provide application scanning as a service. There are also source code scanners that can run as part of nightly builds. Both categories of tools and services are automated and provide quick, detailed analysis of security issues, and you do not need to be a security expert to run and use them. If you are short of budget, there are plenty of free, open source tools available.
If you are a customer of a SaaS application, consider asking the vendor for a vulnerability report against these top 10 risks. This report should ideally come from an independent, third-party security auditor.
If you are an ISV, you may want to consider formal guidelines and processes to ensure that your products are secure. For example, IBM has secure engineering guidelines that address secure engineering issues in product development. The IBM guide Security in Development: The IBM Secure Engineering Framework further describes these secure engineering practices.
What are your thoughts on this topic? Comment below if you have a favorite set of tools for application security testing or a better list of top 10 issues.