Monday, August 5, 2019

3 simple security questions to ask before buying (or getting a free trial of) a SaaS subscription

In years gone by (and still in some niches today) the "freemium" model was the favoured approach of SaaS platforms trying to attract new startup or SME customers. Now even enterprises will take up "free trial" offers from new SaaS providers in an effort to secure a winning edge on the cheap.

While free trials are great for slashing the cost of evaluating a new marketing platform, have you considered the cybersecurity risks that these offers pose to your IP, your data and your business?

Why should you care about cybersecurity risks in someone else's SaaS?

It's easy to get caught up in simply trying to achieve your marketing objectives without stopping to consider what might actually be at risk for your organisation.

Given that most of our systems are connected, either through direct API integrations or through external services like Zapier, a security breach in one service can expose your crown jewels to the internet's underbelly.

As a marketer you can’t possibly be expected to understand how all your company’s CRM, ERP and digital systems are connected. But it is definitely your responsibility to ensure that any external services you use do not increase the risk of a security breach or corporate espionage.

While no business wants to be hacked, you might be surprised to learn that very few SaaS businesses take all the necessary steps to protect their users. Worryingly, Trustwave found as far back as 2016 that "fewer than one in four organisations consider themselves to be 'very proactive' in the context of security testing."

In a world where every application is interconnected, these statistics cited by Norton should concern you:
  • The global average cost of recovering from a data breach is US$3.86 million, money that would otherwise have been invested in growth projects.
  • On average it takes 196 days to identify a breach, which is an alarmingly long time for attackers to rummage around in your network, applications and databases.

So what should I do before accepting a free trial of a SaaS product?

It is not uncommon to be excited at discovering a new product that you think might save you an inordinate amount of time or help you finally achieve those seemingly unreachable targets that your boss sets for you.

But you should remember that time is your friend. And knowing the right questions to ask of the SaaS provider is your secret weapon:

Question 1: Does the SaaS vendor have publicly published security policies?

Publicly published security controls may not give you hard data about how effective the security policies are, but they do represent a level of maturity. Such policies signal that the SaaS company is taking proactive steps to protect your data and their IP, and that it considers its relationship with you and its other customers valuable enough to protect.

All the popular cloud services you probably already use (think Dropbox, Slack, AWS, Gmail) have pages that spell out their security practices. Look them up.

When you read these security policies, these are the pieces of information you want to find:
  1. Is application security a part of the vendor's application design process or is it just an afterthought?
  2. In which geographic location will the SaaS vendor store your data?
  3. Which third parties does your vendor contract with to deliver their SaaS solution?
  4. How often do they generally perform vulnerability assessments and penetration testing on their applications?
  5. Which other entities, related or not, potentially have access to your data (often referred to as sub-processors)?
  6. What are their backup and disaster recovery processes?
The first point in the list above is especially important: if security is not considered and designed into an application right from its inception, then whatever security processes are bolted on later are probably too little, too late.

Question 2: Does the SaaS vendor have any information security accreditations?

Have you ever seen companies claiming to be ISO 9001 (or ISO-something-else) accredited? Well, there is an ISO standard specifically for information security management: ISO 27001. Look for an ISO 27001 certification, or something similar such as a SOC 2 report, when you're evaluating your next marketing SaaS vendor.

These accreditations are not an ironclad guarantee that the accredited vendor's SaaS product is ACTUALLY free of security vulnerabilities. But they do signal that the vendor has policies and processes in place, and if their teams actually follow those processes then their applications are far more likely to be secure. One check worth making: an ISO 27001 certificate and a SOC 2 report each cover a defined scope, so confirm that the scope actually includes the product and infrastructure you intend to use, not just the vendor's corporate IT.

ISO 27001 in particular requires a managed process for handling technical vulnerabilities, which in practice serves to reduce the time between when security vulnerabilities are found and when they are fixed. After all, wouldn't you want your SaaS vendors to fix security vulnerabilities ASAP? If so, you'd be forgiven for shifting uncomfortably in your chair when you discover that:
[Image: Find cybersecurity vulnerability in web apps]

Question 3: When did the vendor last conduct penetration testing on their application and infrastructure?

Interestingly, an HP Enterprise study found that 72% of web applications have at least one security vulnerability that allows attackers to gain access to things only admins should be able to see. The most direct way to check that the application you want to use isn't riddled with such security holes is to look at the vendor's penetration testing report. When you do, check its date and scope, and ask whether the findings were remediated and retested: a penetration test is a snapshot of a single release at a point in time, not a permanent guarantee.

Most smart SaaS companies regularly use reputable web application penetration testing services to find and patch security vulnerabilities before they ship a new version of their app. If you ask them for the latest version of such a report, they will usually be happy to provide it, often under NDA and sometimes as a summary or attestation letter rather than the full findings, as long as you're a serious buyer, of course.

Conducting penetration testing through specialist and qualified penetration testing service providers like Audacix is a critical step on the road to finding and patching web and mobile application security vulnerabilities. A penetration test is more comprehensive and robust than a simple vulnerability scan: a scanner only matches known vulnerability signatures, whereas a tester chains findings together and exercises the application's business logic and access controls by hand. This helps to uncover and bring issues like this to the app developers' attention:

Is this a foolproof way to guarantee that the SaaS app I want to evaluate is secure?

There is no "foolproof" or "ironclad" way to ensure that a SaaS vendor has mitigated all cybersecurity risks. But there are proven ways to satisfy yourself that your prospective SaaS vendor has minimised the likelihood of a serious security breach.

Ask these questions before you accept your next free trial and satisfy yourself that your company's sensitive information won't fall into the hands of the type of people who shouldn't have it.

Download our Cheat Sheet For Building Unhackable Apps to understand the minimum security controls that SaaS applications must have. It could just save your product and your company from much embarrassment, and even save the livelihood of you and your team.