Many of the applications in use today are SaaS (Software as a Service) products accessed through the cloud. The convenience of apps such as Google’s G Suite, Salesforce and Basecamp brings with it the challenge of securing the data that millions of people transmit through them every day.
The growing demand for SaaS and cloud-based solutions also increases the opportunities for attackers to steal sensitive information. Recent high-profile breaches include the 2017 Equifax hack, which affected roughly 148 million consumers and was caused by an unpatched vulnerability in the Apache Struts framework on one of the company’s consumer-facing web applications. At Uber, attackers who obtained credentials for a private GitHub repository used by the company’s engineers found AWS access keys committed in its code, and used those keys to download the personal information of some 57 million riders and drivers.
The Cloud Security Alliance (CSA) recently released a report detailing the top 12 security concerns for SaaS and cloud-based software. Several of those concerns originate in the development process itself, so developers can prevent many future attacks by making security a priority throughout development.
Here are 5 best practices developers should follow when creating SaaS solutions.
- Develop a detailed security plan well before the project commences.
One of the CSA’s recommendations for SaaS and cloud-based technologies is to have a clear security roadmap. To make security a priority throughout development, the whole technical team should produce a detailed plan well before the first line of code is written. If you are working with a cloud hosting or service provider, include them in the planning as well: under the shared-responsibility model you need to know exactly which controls they provide and which remain yours.
Map out the scenarios in which the product could be compromised, and decide which security controls address each one. This is threat modeling, and it works best against a diagram of the system’s components, data flows and trust boundaries. Develop user personas and risk profiles, and for each ask where the potential vulnerabilities are and what an attacker would gain from them. Plan for an active user group and possibly a hackathon or bug bounty to expose weaknesses before an attacker does.
Once you have the security plan in place, make sure everyone on the team understands it clearly. Have regular meetings to discuss and reinforce the plan. Provide every team member with a copy of the plan so they can refer to it during development.
By starting with clarity and focus, it’s easier to keep security top of mind through the entirety of the project.
- Perform testing and security checks throughout the entire development cycle, not just at the end.
Most development teams use an Agile methodology to meet deadlines and shorten time to market. It is an effective approach to project management, but focusing too heavily on speed of delivery can squeeze the time devoted to testing and security checks.
There should be several points during the project where testing is performed before moving on to the next step. Bring in a separate QA team at the very beginning and let them test throughout development; a team focused solely on testing and identifying vulnerabilities also helps keep you on target for the delivery deadline, because defects surface while they are still cheap to fix. Automate the checks that can be automated (static analysis, dependency and container scanning, and the security-relevant unit tests) so they run on every commit rather than only when someone remembers.
Testing as you go produces a better product overall, and a more secure one.
- Create an extra layer of security through encryption.
A 2018 study by RedLock’s Cloud Security Intelligence (CSI) team found that 82 percent of databases in the public cloud are not encrypted. Encryption is the last line of defense: it protects the data even if the store holding it is compromised. Attackers who copy an encrypted database have little they can do with it, provided the keys were not stored alongside it; ciphertext and key kept in the same place is no protection at all.
Every SaaS solution should be designed to include data encryption, both in transit (TLS for every connection, including internal ones) and at rest. Don’t depend solely on the cloud provider’s encryption services, and keep control of the encryption keys yourself, in a key management service or HSM under your administrative control and separate from the data, rather than letting a hosting or cloud company manage them. A useful test of the design is to ask what an attacker holding a full copy of your database, but not your keys, can read; the answer should be nothing.
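An added example (written for this article, not taken from any product or from the CSA report) of what that looks like in application code: envelope encryption in Go using only the standard library. Each record gets its own data encryption key (DEK); the application wraps the DEK under a key encryption key (KEK) that it holds, and only the wrapped DEK and the ciphertext reach the database. The record ID, the field names and the KEK generation in main are constructed for the demonstration; in production the KEK would come from a KMS or HSM under your control.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// EncryptedRecord is the only thing written to the cloud database: the payload
// ciphertext plus the per-record data key, itself encrypted (wrapped) under a
// key encryption key that never leaves the application side.
type EncryptedRecord struct {
	WrappedDEK []byte `json:"wrapped_dek"`
	DEKNonce   []byte `json:"dek_nonce"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"` // AES-GCM output, auth tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce; aad is authenticated, not encrypted.
func seal(aead cipher.AEAD, plaintext, aad []byte) (nonce, ct []byte, err error) {
	nonce = make([]byte, aead.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// Encrypt generates a 256-bit DEK for this record, encrypts the payload with it,
// then wraps the DEK under kek. recordID is bound as associated data so a
// ciphertext cannot be transplanted onto a different record unnoticed.
func Encrypt(kek []byte, recordID string, plaintext []byte) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dataAEAD, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := seal(kekAEAD, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{WrappedDEK: wrapped, DEKNonce: dekNonce, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with kek and opens the payload. A wrong KEK, a modified
// byte anywhere in the record, or a changed recordID all fail GCM authentication
// instead of returning garbage.
func Decrypt(kek []byte, recordID string, rec *EncryptedRecord) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(rec.DEKNonce) != kekAEAD.NonceSize() || len(rec.Nonce) != kekAEAD.NonceSize() {
		return nil, errors.New("malformed record: bad nonce length")
	}
	dek, err := kekAEAD.Open(nil, rec.DEKNonce, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered record")
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dataAEAD.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
	if err != nil {
		return nil, errors.New("payload authentication failed")
	}
	return pt, nil
}

func main() {
	// Demonstration only: in production the KEK is loaded from a KMS/HSM you control.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	// Constructed sample record.
	rec, err := Encrypt(kek, "customer/42", []byte(`{"name":"Ada","card_last4":"4242"}`))
	if err != nil {
		panic(err)
	}
	stored, _ := json.Marshal(rec)
	fmt.Printf("what the database holds: %s\n", stored)
	pt, err := Decrypt(kek, "customer/42", rec)
	fmt.Printf("with the KEK: %s (err=%v)\n", pt, err)
	_, err = Decrypt(make([]byte, 32), "customer/42", rec)
	fmt.Printf("with a wrong KEK: err=%v\n", err)
}
```

Because the record ID is authenticated as associated data, an attacker with write access to the database cannot even swap one customer’s encrypted blob into another customer’s row; both the DEK unwrap and the payload open fail. Rotating the KEK means re-wrapping the small DEKs, not re-encrypting every payload.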
- Build added security features into APIs.
CSA states that the security of any SaaS application depends on the security of its APIs. Application programming interfaces should be designed and developed with attack in mind.
You can’t secure APIs in exactly the same manner used to protect web and mobile applications. APIs tend to be transparent and self-documenting: their parameter names, types and error messages tell an attacker a great deal about the system behind them, and there is no browser in the loop to enforce the client-side checks a web UI relies on, so every check has to be made on the server.
There are three major ways that attacks take place on APIs: parameter attacks (malformed, out-of-range or unexpected input in the request), identity attacks (stolen, forged or brute-forced credentials and tokens), and the transmission of unencrypted data. Developers should plan for all three and arm applications with the proper defense mechanisms: strict server-side validation of every parameter against a schema, authentication and authorization on every call, and TLS on every connection.
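As an added example (not the article’s code, nor any particular framework’s), here is a Go net/http endpoint that handles all three categories: strict parameter validation against a fixed schema, bearer-token authentication with a constant-time comparison, and a refusal to serve over plaintext. The /v1/invoices path, the request fields, the token value and the sample bodies are all constructed for the demonstration.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// apiToken stands in for a per-client secret loaded from a vault (constructed value).
var apiToken = []byte("example-token-not-for-production")

const maxBodyBytes = 64 << 10 // refuse oversized payloads before parsing them

// invoiceRequest is the only shape the endpoint accepts (constructed schema).
type invoiceRequest struct {
	CustomerID  string `json:"customer_id"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
}

var (
	customerIDRe      = regexp.MustCompile(`^cust_[A-Za-z0-9]{8,32}$`)
	allowedCurrencies = map[string]bool{"USD": true, "EUR": true, "GBP": true}
)

// validate is the parameter-attack defence: each field is checked against an
// allow-list or a range, never merely for presence.
func (r *invoiceRequest) validate() error {
	switch {
	case !customerIDRe.MatchString(r.CustomerID):
		return fmt.Errorf("customer_id has an invalid format")
	case r.AmountCents <= 0 || r.AmountCents > 100_000_000:
		return fmt.Errorf("amount_cents out of range")
	case !allowedCurrencies[r.Currency]:
		return fmt.Errorf("currency not supported")
	}
	return nil
}

// authenticate is the identity-attack defence: a bearer token is required and
// compared in constant time so response timing cannot leak it byte by byte.
func authenticate(r *http.Request) bool {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	return strings.HasPrefix(h, prefix) &&
		subtle.ConstantTimeCompare([]byte(h[len(prefix):]), apiToken) == 1
}

// isTLS covers a process terminating TLS itself (r.TLS set) and one behind a
// load balancer. Trust X-Forwarded-Proto only when the balancer is known to
// overwrite it; otherwise any client can set the header.
func isTLS(r *http.Request) bool {
	return r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
}

func createInvoice(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
	if !isTLS(r) {
		http.Error(w, "TLS required", http.StatusForbidden)
		return
	}
	if !authenticate(r) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, maxBodyBytes))
	dec.DisallowUnknownFields() // an extra field such as "role" is an error, not silently ignored
	var req invoiceRequest
	if err := dec.Decode(&req); err != nil {
		http.Error(w, "malformed request", http.StatusBadRequest)
		return
	}
	if err := req.validate(); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusCreated)
	// Return only what the caller needs; do not echo internal state.
	json.NewEncoder(w).Encode(map[string]string{"status": "created", "customer_id": req.CustomerID})
}

// call drives the handler in-process and returns the HTTP status it produced.
func call(scheme, token, body string) int {
	req := httptest.NewRequest(http.MethodPost, scheme+"://api.example.test/v1/invoices", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	http.HandlerFunc(createInvoice).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	good := `{"customer_id":"cust_a1b2c3d4e5","amount_cents":1999,"currency":"USD"}`
	fmt.Println("valid over TLS   :", call("https", string(apiToken), good))
	fmt.Println("plaintext HTTP   :", call("http", string(apiToken), good))
	fmt.Println("wrong token      :", call("https", "guess", good))
	fmt.Println("unexpected field :", call("https", string(apiToken), strings.TrimSuffix(good, "}")+`,"role":"admin"}`))
}
```

Note the order of the checks: transport first, then identity, then the request body. A request that fails authentication never reaches the JSON decoder, so parsing bugs cannot be probed anonymously, and the body size cap is applied before a single byte is decoded.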
- Build in better password security.
So, you’ve gone through all the steps to make your application as secure as possible, and now it’s time for launch and deployment. The one thing that can undo all the work you’ve put into protecting your app is users who never change the default admin password or choose weak passwords that are easily guessed.
Requiring two-step (multi-factor) authentication and setting a minimum password length should be standard. Current guidance (NIST SP 800-63B) favors length and a check against lists of passwords exposed in previous breaches over mandatory character-variety rules, which push users toward predictable substitutions. Personal security questions for password reset, such as the name of your favorite teacher or your first pet, are no longer recommended: the answers are often public or easily researched, and the same guidance advises against them. Send a short-lived reset link to a verified channel instead.
Biometrics are also becoming more common as a login method. Fingerprint scans, facial recognition and retina scanning may supplement or replace passwords for many users, though in most deployments the biometric unlocks a key on the user’s own device rather than being sent to your servers, so it strengthens the login as an additional factor rather than as a secret the service itself verifies.
In conclusion, the only way to build a more secure SaaS application is to plan for the ways an attack could happen and then develop controls against each of them. By putting security and testing at the forefront of the development process rather than at the end, you not only deliver a better product but also a more secure one that people can trust.