Tuesday, January 28, 2020

The curious connection between washing dishes, AppSec & growing enterprise sales for your SaaS

It’s a combination of habit, hygiene and ultimately, common sense. When you finish eating dinner at home, do you place those plates and cutlery back in the drawer or do you wash them?

To re-frame this for you, your plates are on a regular hygiene schedule where eating from them is the trigger for them to be cleaned.

Let me ask you: what triggers the security hygiene schedule to be undertaken for the SaaS application that your team builds?

Do you have a “dish washing” process to find and eliminate the security vulnerabilities in your SaaS app?

Think about this: if your plates and spoons were to become unusable, they can be easily replaced with a trip to your closest shopping mall. However, if your cloud software is infested with security holes, then you’ll agree that it would take many more $$$’s and even more upheaval for you to contain the damage.

But my SaaS app hasn’t been hacked yet

“Yet” is the critical word here. In fact, statistics from the 2019 Vulnerability Statistics Report shows that a vulnerability in web applications is exposed for an average of 69 days before it is discovered.

That means hackers have a 2-month head start on your development team. What they could’ve installed, downloaded, ripped off or stolen from your servers in the last 2 months is mind-boggling:
  • Stolen your entire codebase (ie. your valuable IP)
  • Downloaded your customers’ sensitive data that they entrusted with you
  • Installed crypto mining software maxing out your server resources (have you had to add more capacity recently?)
  • Stolen your customers’ payment details if billing is integrated into your SaaS application
  • Accessed your secret keys and encryption keys to get back into your system at their leisure
You get the picture – the list really is endless.

But the thing is, the stat below is even more alarming. It says that it takes on average a further month for software development teams to fix the security vulnerabilities from the time that they are reported. That means your favourite criminal hacker's head start is now at least 3 months long!

But your SaaS app hasn’t been hacked yet, so you might forgive yourself for thinking...

…my SaaS app won't be hacked, so tell me something that will help me

You can take that risk if you want. After all we live in a (mostly) free world. But what if I gave you an upside to investing in your application security (AppSec) for your cloud software?

You see, IBM Security did a study of the purchasing habits of enterprise buyers. They found that the most important factor during a purchasing journey was the quality of the software. That is, the software should have no bugs.

The second most important aspect was security. That is, the cloud software should have no security vulnerabilities.

Now, as Tony Robbins reminds us, it’s not knowledge that is powerful, but the targeted application of that knowledge.

So, how can I apply this incredible insight to my benefit?

My company, Audacix, is a SaaS company. Many of the world’s biggest companies use our SaaS test automation software. So, like you, we were also keen to figure out how to exploit this information.

We knew that most of our competitors usually focus on pitching their product’s features and benefits throughout the sales process.

Differentiating our solution based on features and benefits was getting harder. After a while, in buyers’ minds, all the features start melding into one massive blob of sales speak.

To get ahead of the pack, we decided to focus on the data and show our prospects a part of us that our competitors were either trying to hide or neglecting altogether.

So, we turned our app’s security into a differentiator. From the start of a sales process.

Now, what consistently gets us through to the final stages (and beyond) of enterprise sales conversations is a clear understanding of our prospect’s priorities. You see, our SaaS app’s features are meaningless to large enterprises if there is even the slightest chance that your app will leak their sensitive data.

We literally show our prospects the lengths we travel to protect their data and their brand, ie. we literally show them our “dish washing” schedule and its results.

When you start a sales process based on trust, rather than features and benefits, you’re more likely to actually close the sale.

Don’t get me wrong, we don’t win deals because of our security resilience alone. But because we have hardcopy evidence to back up our security claims, our ability to prove our security resilience builds trust fast. This has huge benefits for the other aspects of our pitch.
When you start a sales process based on trust, rather than features and benefits, you’re more likely to actually close the sale.

Ok, what AppSec work can my team get started on by themselves?

There are definitely things your development team should do before engaging a AppSec company to do an exhaustive web application and API penetration test on your cloud software.

Here’s a quick list of must-do AppSec tasks that will cost you no extra to implement:
  1. Apply all patches and updates to any open source modules or libraries used in your SaaS app.
  2. Check for and close any ports that shouldn’t be open after each release.
  3. Ensure directory permissions are not set to 777 for all folders.
  4. Ensure your app’s HTTP security headers are appropriately configured – they can use the free Cyber Chief service to give them clear, actionable instructions.
  5. Repeat the above steps for all your environments – dev, test, pre-prod, staging, prod, etc.
Once your team have done all the above for a few consecutive releases, then you’ll know that they’re starting to implement the dish washing schedule in your app development process.

You should accept that doing application security properly is more like scrubbing heavily soiled pots, as opposed to putting your breakfast bowls in the dishwasher – it will take many cleaning iterations.

If a) your team is handling the above steps well and you’re ready to take your AppSec to the next level where it helps your sales process, or b) you want a done-for-you AppSec solution talk to our team about whether we may be able to help you.
SaaS Brief