Industry

Top 10 ways to secure your SaaS application

Share this post:

Screen Shot 2015-03-31 at 11.14.32 PM

Did you know that the latest IBM 2013 Cyber Security Intelligence Index study indicates that an average organization sustains about 1,400 security events like SQL injection, spear phishing and URL tampering, per week?  In addition, a recent study by Gartner indicates that most software as a service (SaaS) contracts do not adequately cover security aspects of the service.

Security

If you are a SaaS provider, you will need to check if your development team has implemented secure engineering practices in the design and code. I’d like to share a list of top 10 security issues that you should address to make sure your SaaS application is secure. This list has been curated by The Open Web Application Security Project (OWASP). The 2013 list includes the top 10 wide spread security vulnerabilities that most web applications face.

The following is a brief listing of the top 10 security issues (by OWASP) that your SaaS offering should address:

  1. SQL, operating system or LDAP injection
  2. Insecure authentication and session management
  3. Cross-site scripting because of lack of data validation
  4. Insecure exposure to references like files and directories
  5. Incorrectly configured (from a security perspective) databases, middleware and operating systems
  6. Exposing sensitive data like user IDs, passwords and personal identification information
  7. Checking for access inside the business logic on the server side
  8. Cross-site request forgery
  9. Using components with known vulnerabilities
  10. Unvalidated redirects and forwards

If your SaaS service is also accessible on mobile devices, then this list of top 10 mobile risks should be considered.

During the development and testing process, you should seriously consider application security scanners or companies that provide application scanning services.  There are also source code scanners, which could be used as part of nightly builds.  Both these categories of tools and services are automated and provide quick and detailed analysis of security issues. Furthermore, you do not need to be a security expert to run and use these tools. And if you are running short of budget, there are plenty of free, open source tools available.

If you are customer of SaaS application, you can consider asking the vendor for a vulnerability report against these top 10 risks. This report should ideally from an independent, third party security auditor.

If you are a software ISV, then you may want to consider formal guidelines & processes to ensure that your products are secure. For example, IBM has secure engineering guidelines that address secure engineering issues in product development.  The  IBM guide Security in Development: The IBM Secure Engineering Framework  further describes these secure engineering practices.

What are your thoughts on this topic? Comment below if you have a favorite set of tools for application security testing or a better list of top 10 issues.

More Industry stories

French insurer teams with IBM Services to develop fraud detection solution

Auto insurance fraud costs companies billions of dollars every year. Those losses trickle down to policyholders who absorb some of that risk in policy rate increases. Thélem assurances, a French property and casualty insurer whose motto is “Thélem innovates for you”, has launched an artificial intelligence program, prioritizing a fraud detection use case as its […]

Continue reading

Cloud innovation in real estate: Apleona and IBM rely on new technologies

Digitization does not stop at the proverbial concrete gold — real estate. In fact, the real estate industry is on the move. Companies are realizing the benefits of digital transformation and are capitalizing on the power of new technologies such as cloud, AI and blockchain. Take, for example, Apleona GmbH, one of Europe’s largest real […]

Continue reading

Innovate with Enterprise Design Thinking in the IBM Garage

We’ve all been there. You have an amazing idea that’s really exciting. Maybe it’s a home improvement project, or perhaps it’s a new business idea. You think about all the details required to make it real. But, once you get to the seventh action item, you’re not so excited anymore. Sometimes when we realize the […]

Continue reading