As the technology decision makers for SaaS startups, we CTOs are a burdened lot. We need to constantly balance agility, security, and regulatory compliances. Figuring out the right balance of our time and attention can feel impossible to get right. So what are the security best practices and approaches given our constraints?
The ideal security for any software system is a perfect blend of application security, infrastructure security (i.e. network security), and operational security. Alternatively, we can look at them as the measures that cover people, processes, and technology. A three-by-three matrix can be drawn from these two approaches addressing all aspects of security.
However, as we all know, it is impossible to achieve perfect security across all of these vectors.
A more practical approach would be the creation of a threat model that lists all potential vulnerabilities and all probable attacks for the product. A security plan can then be created around this threat model. However, in a fast-growing SaaS startup, it’s often too time-consuming a task to create, let alone keep updated. So the question becomes, is there a simpler solution that would provide a list of the best practices instead of forcing us to reinvent the wheel each time?
We at Sqreen set out to create that checklist and analyzed hundreds of SaaS products and their security needs. The result of that exercise is a list that captures the best practices for security across the matrix.
Let’s start with operational security, as a large percentage of hacks are attributed to human error rather than inherent flaws in the technology itself.
Operational — People and Processes
People and process measures form the core of operational security practices. They make sure that everyone (customers, employees, and contractors) dealing with the system knows the importance of security measures and practices them as part of their day-to-day activities.
1. Protect your employees
Social engineering continues to be one of the most prevalent hacking methods. Insufficient awareness and preparedness are at the root cause of many victims of social engineering. Below are the best practices to counter these:
- Security training for employees: train your engineers on operational security and on building secure products. Conduct security training especially for the non-engineers, using a service like https://sudo.pagerduty.com/.
- Create unique accounts for everyone and educate them about the dangers of sharing accounts. Make policies that prevent employees from sharing user accounts.
- Enforce 2FA on all logins: educate your employees about common phishing and vishing (phishing on phone calls) attacks and make sure they are equipped to deal with them when they happen.
- Enforce password managers: password managers help with managing multiple credentials and secure sharing.
2. Build a security culture
A strong security culture is essential for making your operational security measures stick. The particulars will depend on your broader company culture, but some of the security best practices for infusing security into your culture are:
- Create security champions. Security champions are the folks who encourage and enforce security across the organization. They will be the go-to people for the rest of the organization when dealing with security issues.
- Allow employees some time to focus on security topics. Communicate that it’s a priority.
- Show your customers that security is important to you. Your customers care about the security of the SaaS tools they use. An excellent way to communicate that you recognize this and take security seriously is by having a webpage touting your security practices. If you need a template, we created an open source security page.
- Adopt a blameless attitude. If someone makes a mistake, you want to know about it as soon as possible, rather than having people hiding it out of fear of blame or punishment.
And last but not least,
3. Hire a dedicated or partially dedicated security resource
One of the biggest mistakes that SaaS companies make is waiting too long to hire a security engineer. This causes the security debt to pile up, and as we all know, the later you wait to fix something, the more costly it becomes.
It is also essential to clearly define the tasks of your first security engineers. At Sqreen, we created a checklist for the first 100 days in the life of a new security engineer. Check it out at https://www.sqreen.com/checklists/security-engineer-checklist.
4. Protect your customers
Ideally, your customers and their employees also should undergo similar training as detailed above. However, a few more things are critical for protecting your customers as well. One of them is account takeover (ATO), wherein a criminal can impersonate your customer and take control of their account. There are many ways an account takeover can happen. The most prevalent one is by getting hold of email IDs and passwords linked to that account. To fight against ATO:
- Educate customers about security and account takeover fraud. In particular, ensure they are using a strong enough password.
- Insist on using 2FA and password managers for your platform.
- User logins and passwords are a commodity in the cybercrime world and can be easily obtained. Ask your customers to check sites like https://haveibeenpwned.com/ to see if their identities have been compromised and if so, to take corrective measures.
Account takeovers are not only harmful to customers, but also pose a threat to your SaaS product. They act as privileged entry points for criminals to look for product vulnerabilities. This could potentially give them access to other customer’s accounts or even control of the entire product itself. SaaS products are especially vulnerable to this due to the fact that several important resources are shared between all user accounts.
Safeguards against ATOs need to be built as part of the product. This can be done by using rate-limiting and brute-force prevention techniques in the code. A simpler approach is to use ATO prevention solutions like Sqreen. At Sqreen, we analyze user behavior and flag compromised accounts in real time. We wrote more about how we do that here: https://blog.sqreen.com/detecting-human-hackers-app-sqreen/
Now let’s look at the technology side of security. Technology security best practices span application security and infrastructure security aspects. They are explained below.
Technology — application security
Application security deals with safeguarding the application against well-known attacks and potential zero-day hacks.
Your SaaS application is the key guardian of your customer data. There are thousands of known vulnerabilities and attacks across different systems, languages, and platforms. It is impossible to protect against them all. Fortunately, there are a handful of attacks that are attempted much more frequently than others, and it is wise to safeguard against them rather than trying to fix every last possible potential vulnerability in your code. Steps five to seven explain the best practices in this regard.
5. Protect what matters most
One of the main reasons why people attack SaaS products is access to sensitive data. It is therefore important to protect the main application and the database against the well-known attacks in this space.
- Protect against the most common attacks, such as the OWASP top 10.
- Monitor suspicious security events to act quickly in case of an attack.
- Protect your APIs against injection attacks.
6. Don’t use packages with known vulnerabilities
Given that most applications nowadays are an integration of various packages and libraries, it is important to make sure that 3rd party software packages do not have known vulnerabilities (CVEs).
Update all your dependencies with the latest security patches. It is an easy fix and Github can help you stay on top of this. At Sqreen, we analyze packages for known vulnerabilities and help you avoid the most exploitable ones.
7. Review your code for security bugs
Secure coding is a software engineering discipline that can prevent many security bugs from creeping in in the first place. Implementing the secure coding best practices described below can save you huge headaches later on.
- Enforce secure coding guidelines as part of the SDLC, specifically during code reviews. Reviewers need to pay extra attention to the security flaws every time a sensitive part of the code is touched (such as authentication, payment, or rendering).
- Use a good SAST (static application security testing) tool like Brakeman for Ruby or FindBugs for Java. But be aware of the many false positive that these tools generate.
Technology — infrastructure security
Finally, let’s take a look at the infrastructure/network security which is often considered the backbone of security practices. It addresses hardening of the OS, securing the perimeters, transport security, and IAM (Identity and Access Management).
8. Safeguard your infrastructure
Most well-known cloud providers have built-in security functionalities, but they need to be used properly to truly enable robust security.
If you want a better sense of what that looks like, we put together a list of AWS security best practices. While this piece is AWS-specific, measures for other cloud providers generally fall into a similar vein.
In a nutshell, the key considerations are:
- Enforce proper Identity and Access Management roles for all personnel accessing the cloud. Enforce 2FA and a strong password policy.
- Enable firewalls and security groups.
- Configure and backup frequently and systematically. This can be useful for business continuity in case of denial of services attacks and ransomware attacks.
- Enable all logs, and monitor them for suspicious activities.
- Create network boundaries by isolating your infrastructure assets.
These steps provide an overview for managing the security matrix at your company. However, understanding security best practices and prioritizing them are two different issues. That’s why we created a checklist that maps these security best practices and more to the stages of the startup lifecycle.
If you’re interested in learning more about how to implement real-time security monitoring and protection in minutes, set up a demo of Sqreen. We’d be happy to show you what we’ve built.
Originally published at https://blog.sqreen.com on March 13, 2019.
