Why security is not separate from SaaS product

By: Harold Rodriguez

Developing a successful SaaS product can be pretty damn exciting. Getting it to market and building up a user base is the dream of many aspiring product developers.

But sometimes, those SaaS dreams can turn into cybersecurity nightmares.

Take, for example, DriveHer, a women-only ride-sharing app, which pairs female drivers with female passengers. While the company’s heart is in the right place, its cybersecurity protocols were unfortunately not.

Less than a month after it launched (with 1,000+ downloads), the company sent an email to its users notifying them there had been “a data security incident” and that personal information – such as names, home addresses, drivers’ licences and insurance slips – had potentially been exposed.

Because DriveHer didn’t do its due diligence in terms of security, its entire customer database (which was vulnerable to all sorts of very low-hanging, rudimentary attacks) was dumped. A basic SQL injection attack allowed hackers to access, query and dump the entire database through the application.
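To make concrete what “a basic SQL injection” means at the code level, here is an added illustration (not DriveHer’s code, and not from the original post) of the defect and its fix. The schema and rows are constructed for the demo; the function names are hypothetical. The vulnerable lookup splices user input into the SQL text, so a crafted username changes the query itself; the hardened lookup binds the input as a parameter, so the same input is just a username that matches nothing. The `regression_check` function is the kind of test a team would keep in its suite so the defect cannot quietly return.

```python
import sqlite3

# Constructed sample data for the demo; not a real customer database.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "12 Main St"),
    ("bob", "bob@example.com", "34 Elm St"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, address TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """Defective version: input is concatenated into the SQL text.

    Whatever the caller supplies becomes part of the statement, so the
    WHERE clause can be rewritten by the input rather than matched against.
    """
    sql = (
        "SELECT username, email, address FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Hardened version: input is bound as a parameter.

    The database driver sends the statement and the value separately, so
    the value can never alter the structure of the query.
    """
    sql = "SELECT username, email, address FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def row_counts(crafted="' OR '1'='1"):
    """Return how many rows each lookup yields for a normal and a crafted input."""
    conn = make_db()
    return {
        "vuln_normal": len(lookup_user_vulnerable(conn, "alice")),
        "vuln_crafted": len(lookup_user_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_user_safe(conn, "alice")),
        "safe_crafted": len(lookup_user_safe(conn, crafted)),
    }


def regression_check():
    """True when the hardened lookup returns at most one row for any input
    that is not a real username; a team can run this in CI."""
    counts = row_counts()
    return counts["safe_crafted"] == 0 and counts["safe_normal"] == 1


if __name__ == "__main__":
    print(row_counts())
    print("hardened lookup resists injection:", regression_check())
```

Run as a script it prints the row counts for both versions: the concatenated query returns every customer row for the crafted input, while the parameterized query returns none. Parameter binding is the fix to reach for first; input filtering on its own is not a substitute.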

The DriveHer story, while a sad one, is not at all unique. In fact, it joins the ranks of many SaaS companies that focus on features and function, customer adoption and first-mover advantage without considering cybersecurity risks.

Fast growth + lack of security accountability = big trouble

By definition, SaaS companies need to grow fast. But often, these organizations will grow from 1 to 50 employees incredibly quickly without much thought to the importance of having someone manage the security of their product.

When it comes to growth, if you focus on speed at any cost, you’re effectively building the fastest car – with no brakes.

Generally speaking, SaaS companies don’t have someone internally who is knowledgeable about security. This means the job is either dropped on the CEO’s plate (because they have so much spare time!) or it becomes the responsibility of another senior-level team member. Many organizations also falsely assume that their product developers are inherently cybersecurity experts and that their SaaS product will be completely secured before it goes to market, covered against any potential security threats.

But most developers are not security experts – especially when you consider that so much of the development process these days involves cutting and pasting from Stack Overflow or borrowing from an open-source library on GitHub. And while the code might work, very rarely is it adequately secured, creating insecurity in the development ecosystem.

Having the cybersecurity conversation

The best way to protect your product is by being proactive and implementing cybersecurity best practices from the get-go.

This includes assessing your organization’s risk tolerance and considering how likely you are to be targeted by an attack. If you’re one of hundreds of thousands of digital companies, perhaps your risk initially is low. But as your business gains momentum and exposure, you’re likely to become a bigger target than you think you are.

As a team, ask yourselves the following questions: How much risk are we willing to accept, and what is our risk appetite?

If you can’t answer those questions, it’s basically impossible to put the proper controls and processes in place.

Because many organizations don’t fully understand the risk landscape they’re operating in, this conversation often happens too late. With a focus on profits and growth first, it’s rare that within the first six months of product development, a team would step back and say, “OK, we’re about to feed this thing with credit card data or health information, or other personally identifiable information. How concerned and prepared are we?”

What happens when you aren’t ready for a breach

When a company does face a cybersecurity breach, the fallout can be monumental. This includes the cost of having forensics and incident response teams come in and spend time figuring out how the breach happened and where the vulnerabilities are. And then there’s the cost of actually fixing them. This cost could be anywhere from 3 to 30 times what it would have cost to bring in a cybersecurity expert beforehand. And that doesn’t take into account whether hackers gained access to your whole network, like your emails and employee data, which could result in a ransomware attack.

Ultimately, the cost of these breaches basically has no ceiling.

How to protect your product and reputation

The best place to start is by bringing on a cybersecurity expert beforehand. But there are other ways to help protect your business. Start with the OWASP Top 10 and run an assessment to validate that you have – to the best of your ability – covered off each loss case.

It’s also worth looking at the MITRE ATT&CK® framework. This framework enables organizations to break down an attack into its component parts, map out the sequence of events that occurred during an attack and provide details on the outcome. This information can then be used to validate their resilience against particular types of attacks in the future.

It’s also critical to ensure your developers have completed secure coding training. You can do this through online providers like Udemy, SANS Developer Training or by hiring a cybersecurity firm.

You’ll also want to run semi-automated vulnerability scans of your application using tools like Beagle or Rapid7. While this is a good first step, it’s nowhere near as effective as getting an expert in to do a full, in-depth manual assessment.

And be aware of the security controls around the infrastructure environment your product is using. Almost 90% of the SaaS companies we work with are using Azure, AWS or GCP, which have their own inherent security controls. It’s important not to assume this means your product is safe, and to be fully aware of the insecurity that can come from these environments.

Enlisting the experts

Do you need help protecting your business from cyberattacks? Cycura provides research-powered, customized offensive cybersecurity services to organizations and governments of all sizes. We’re a scalable, responsive cybersecurity partner, ready to help you close gaps, reduce risk, and strengthen your security posture.

To learn more, set up a free discovery call for your organization.