Top 10 ways to secure your SaaS application


Did you know that the IBM 2013 Cyber Security Intelligence Index reports that an average organization sustains about 1,400 security events per week, such as SQL injection, spear phishing and URL tampering? In addition, a recent Gartner study indicates that most software as a service (SaaS) contracts do not adequately cover the security aspects of the service.


If you are a SaaS provider, you need to check whether your development team has implemented secure engineering practices in both the design and the code. I'd like to share a list of the top 10 security issues you should address to make sure your SaaS application is secure. The list is curated by the Open Web Application Security Project (OWASP); its 2013 edition covers the 10 most widespread security vulnerabilities that web applications face.

The following is a brief listing of the OWASP 2013 top 10 security issues that your SaaS offering should address:

  1. Injection: SQL, operating system command or LDAP injection through untrusted input that is concatenated into a query or command
  2. Broken authentication and session management: weak password handling, session IDs exposed in URLs, sessions that never expire
  3. Cross-site scripting (XSS): user-supplied data rendered into pages without validation and output encoding
  4. Insecure direct object references: exposing internal identifiers such as file names, directory paths or database keys that a user can change to reach someone else's data
  5. Security misconfiguration: databases, middleware, application servers and operating systems left with insecure defaults, unpatched, or with unnecessary features enabled
  6. Sensitive data exposure: user IDs, passwords, financial details and personally identifiable information stored or transmitted without adequate encryption or hashing
  7. Missing function level access control: server-side business logic that does not re-check authorization for every request, relying instead on links being hidden in the UI
  8. Cross-site request forgery (CSRF): a victim's browser tricked into sending authenticated requests the victim did not intend
  9. Using components (libraries, frameworks, modules) with known vulnerabilities
  10. Unvalidated redirects and forwards: redirect targets taken from request parameters without checking them, enabling phishing
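To make the first item on the list concrete, here is an added example (not code from the original post or from IBM) showing the same login check written two ways: once by concatenating user input into SQL, and once with a parameterized query. The in-memory SQLite database, its `users` table, the user `alice` and the plaintext password are all constructed for the demo and are assumptions of this example.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database with a single users table.
# NOTE: passwords are stored in plaintext here only to keep the injection demo short;
# a real application stores a salted hash (see item 6, sensitive data exposure).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text by string formatting, so attacker-controlled input
    becomes part of the statement itself (OWASP 2013 A1: Injection)."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the driver passes the values separately from the SQL
    text, so a quote or keyword in the input can never alter the statement's structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# A classic tautology payload supplied in the password field. In the vulnerable
# version it turns the WHERE clause into
#   username = 'alice' AND password = '' OR '1'='1'
# which is always true.
PAYLOAD = "' OR '1'='1"


def demo():
    """Runs both versions with a valid password and with the payload and returns
    the outcomes so they can be compared."""
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vuln_wrong": login_vulnerable(conn, "alice", "wrong"),
        "vuln_bypass": login_vulnerable(conn, "alice", PAYLOAD),
        "safe_legit": login_safe(conn, "alice", "correct horse battery staple"),
        "safe_wrong": login_safe(conn, "alice", "wrong"),
        "safe_bypass": login_safe(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-12s %s" % (name, "LOGGED IN" if result else "rejected"))
```

The vulnerable version accepts the payload as a valid login while the parameterized version rejects it; the same rule (never build a statement by concatenating input, bind values instead) applies to LDAP filters and OS command arguments. A source code scanner of the kind discussed later in this post flags exactly the string-formatting pattern in `login_vulnerable`.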

If your SaaS service is also accessible from mobile devices, the OWASP Mobile Top 10 list of mobile risks should be considered as well.

During the development and testing process, you should seriously consider application security scanners (dynamic testing against the running application) or companies that provide application scanning as a service. There are also source code scanners (static analysis), which can be run as part of nightly builds. Both categories of tools and services are automated and provide quick, detailed analysis of security issues, and you do not need to be a security expert to run them, although triaging the findings and weeding out false positives still benefits from security judgment. If you are running short of budget, there are plenty of free, open source tools available.

If you are a customer of a SaaS application, consider asking the vendor for a vulnerability report against these top 10 risks. This report should ideally come from an independent, third-party security auditor.

If you are an independent software vendor (ISV), you may want to consider formal guidelines and processes to ensure that your products are secure. For example, IBM has secure engineering guidelines that address secure engineering issues in product development. The IBM guide Security in Development: The IBM Secure Engineering Framework describes these secure engineering practices further.

What are your thoughts on this topic? Comment below if you have a favorite set of tools for application security testing or a better list of top 10 issues.
