SaaS Security Basics on a Shoestring Budget

Basic controls, tools, techniques and tips for SaaS and software companies.

Image credit: GltchSecure


Jade Null · 23 minute read

Introduction

This blog post is meant to accompany a talk titled “SaaS Security Basics on a Shoestring Budget.”

The talk shares my perspective as a recent founder who has spent a lot of the last year helping other founders with their security. Over that time I’ve come to realise that there is a lot of mystery and a basic knowledge gap when it comes to keeping your product and infrastructure secure that the average technical founder or small team simply doesn’t have a grasp on.

Authentication

Password Managers


A password manager is a software tool that helps individuals and organizations securely store and manage their passwords. It acts as a vault for storing passwords and generates strong, unique passwords for each account. Some benefits of using a password manager include:

Actionable steps:

Links:

MFA

MFA stands for Multi-Factor Authentication, a security measure that adds an extra layer of protection to the authentication process by requiring users to provide multiple forms of verification to access a system or an account. MFA helps prevent unauthorized access and strengthens the security of sensitive information.

Benefits of MFA:

Actionable Steps:

Links:
- Multi-Factor Authentication Cheat Sheet

Leaked Passwords

Breached or leaked password monitoring is a process that allows individuals and organizations to check if their passwords have been exposed or compromised in data breaches. This can help increase the security of online accounts and systems by identifying weak or compromised passwords.

Benefits:

Actionable steps:

Links:
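One way to do leaked-password checking without ever sending the password (or its full hash) anywhere is the k-anonymity range lookup that the Pwned Passwords service offers: only the first five hex characters of the SHA-1 are sent, and the match is done locally. The example below is added here and is not code from the post; the endpoint URL is assumed to be the current one, and the range response used for the offline run is constructed with made-up counts.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Range endpoint of the Pwned Passwords service (assumed current). Only the
# 5-character hash prefix is ever sent to it; the rest of the check is local.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that goes to the API and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach
    count for our suffix, or 0 when it is absent (not known to be breached)."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count.strip() or 0)
    return 0

def is_password_breached(password: str,
                         fetch_range: Callable[[str], str]) -> Tuple[bool, int]:
    """k-anonymity check: send only the prefix, match the suffix locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    count = count_in_range_response(suffix, fetch_range(prefix))
    return count > 0, count

def fetch_range_live(prefix: str) -> str:
    """Real lookup (needs network access); not used by the offline demo."""
    from urllib.request import urlopen
    with urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def constructed_range_response(breached: Dict[str, int]) -> Callable[[str], str]:
    """Offline stand-in for fetch_range_live built from made-up breach counts,
    so the matching logic can be exercised without touching the network."""
    lines = [f"{sha1_prefix_suffix(pw)[1]}:{n}" for pw, n in breached.items()]
    lines.append("0018A45C4D1DEF81644B54AB7F969B88D65:2")  # unrelated filler suffix
    return lambda prefix: "\r\n".join(lines)

if __name__ == "__main__":
    fake = constructed_range_response({"password": 12345})  # constructed count
    print(is_password_breached("password", fake))               # (True, 12345)
    print(is_password_breached("correct-horse-battery", fake))  # (False, 0)
```

Swap `fake` for `fetch_range_live` to run the same check against the real service, for example at sign-up or password change, and reject or warn on a non-zero count.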

Email Security


SPF

SPF (Sender Policy Framework) is an email authentication protocol that helps prevent email spoofing and phishing attacks. It allows email recipients to check if the sender is authorized to send emails on behalf of the claimed domain.

Benefits of SPF:

Actionable steps:

Links:

DKIM

DomainKeys Identified Mail (DKIM) is an email authentication method that allows the recipient of an email to verify that it came from the domain it claims to be from and that it hasn’t been modified during transit.

Benefits of DKIM:

Actionable steps for implementing DKIM:

Links:

DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is another email authentication protocol that helps protect against email spoofing and phishing attacks. It builds on SPF and DKIM: it lets a domain owner publish how receiving servers should handle mail that fails those checks (monitor only, quarantine, or reject) and where to send reports, which gives better visibility and control over email authentication and safeguards the domain from unauthorized use.

Benefits of DMARC:

Actionable steps to implement DMARC:

Links:
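The SPF and DMARC records above are plain TXT strings, so the weak settings (a permissive `all` mechanism, too many DNS lookups, a DMARC policy of `p=none` with no reporting address) can be spotted by parsing them. The checker below is an added example, not from the post; the sample records in the usage are constructed, and fetching the live TXT records from DNS is left to the caller.

```python
import re
from typing import Dict, List

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(record: str) -> Dict[str, object]:
    """Summarise an SPF TXT record: qualifier on 'all', lookup count, findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups, all_qualifier = 0, None
    findings: List[str] = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, 1)[0].lower()  # mechanism/modifier name
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' does not fail unlisted senders")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return {"all": all_qualifier, "dns_lookups": lookups, "findings": findings}

def audit_dmarc(record: str) -> Dict[str, object]:
    """Summarise a DMARC TXT record (published at _dmarc.<domain>)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "none").lower()
    findings: List[str] = []
    if policy == "none":
        findings.append("p=none: failures are reported but spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct<100: policy is applied to only a sample of failing mail")
    return {"policy": policy, "subdomain_policy": tags.get("sp", policy).lower(),
            "findings": findings}

if __name__ == "__main__":  # constructed sample records
    print(audit_spf("v=spf1 include:_spf.example.com ip4:192.0.2.0/24 ~all"))
    print(audit_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```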

Limiting attack surface


Identifying subdomains

Subdomain enumeration is the process of discovering and mapping out all the subdomains associated with a particular domain. By doing so, organizations can effectively limit their attack surface by identifying and securing these potentially vulnerable entry points into their network.

Benefits:

Actionable steps:

Links:

Port Scanning

Port scanning is a technique used by attackers to identify open ports on a target system. By scanning different ports, attackers can gather information about potential vulnerabilities in a network or system. Running the same scans against your own hosts shows which services are reachable from the internet, so that anything not meant to be public (databases, admin panels, management interfaces) can be firewalled or removed.

Benefits:

Actionable Steps:

Links:

Web Application Firewalls

A web application firewall (WAF) is a security tool designed to protect web applications from various attacks, including SQL injection, cross-site scripting (XSS), and other vulnerabilities. It acts as a shield between the web application and the internet, monitoring and filtering incoming traffic to identify and block malicious requests.

Benefits:

Actionable steps:

Links:

Source Code Security


Branch protections

Branch protections on services such as GitHub and GitLab allow repository administrators to enforce certain rules and restrictions on specific branches within a repository. These protections help maintain the integrity and security of the codebase, as well as facilitate collaboration among developers.

Benefits:

Actionable steps:

Links:

Commit signing

Commit signing refers to the process of adding a digital signature to software code commits in order to ensure their integrity and authenticity. It involves using cryptographic techniques to generate a unique signature that can be verified to prove that the commit has not been tampered with and was made by a trusted source.

Benefits:

Actionable steps:

Dependencies

Dependency monitoring with tools like Snyk and Dependabot refers to the practice of continuously monitoring the dependencies used in an application or software project for any known security vulnerabilities or other issues, and taking proactive measures to address them.

Benefits:

Actionable steps:

Links:

SAST

SAST stands for Static Application Security Testing. It is a type of security testing that involves analyzing the source code of an application to identify vulnerabilities and potential security weaknesses.

Benefits of SAST:

Actionable steps for implementing SAST:

Links:

Logging & Error Monitoring

Logging and error monitoring is the process of collecting and analyzing logs and error messages generated by various systems, applications, and devices to identify and rectify any issues or anomalies that may indicate potential security threats or system vulnerabilities.

Benefits:

Actionable steps:

Links:

Application Security


HSTS

HSTS stands for HTTP Strict Transport Security. It is a security feature that helps protect websites against certain types of attacks, such as SSL stripping and man-in-the-middle attacks. When a website has HSTS enabled, it tells the user’s browser to only access the website over a secure HTTPS connection, even if the user types in “http://” in the address bar.

Benefits of HSTS:

Actionable steps to enable HSTS:

Links:

Cookies

Cookie attributes such as Secure, HttpOnly, Path, Domain, and expiry are important features in web security to protect user information and prevent unauthorized access to cookies.

Benefits:

Actionable Steps:

Links:
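The HSTS and cookie sections above both come down to response headers, and both are easy to check in a test suite or a deploy-time smoke test. The auditor below is an added example, not the post's own code; the one-year HSTS threshold matches the preload-list requirement, while the 30-day cookie lifetime threshold is an assumed policy for illustration.

```python
from typing import Dict, List, Optional

ONE_YEAR = 31536000           # minimum max-age for HSTS preload list inclusion
THIRTY_DAYS = 30 * 24 * 3600  # assumed threshold for a "long-lived" session cookie

def _directives(header: str) -> Dict[str, str]:
    """Split 'k=v; flag; k2=v2' into a lower-cased dict (flags map to '')."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            out[key.lower()] = value.strip().strip('"')
    return out

def audit_hsts(header: Optional[str]) -> List[str]:
    """Findings for a Strict-Transport-Security response header."""
    if not header:
        return ["no Strict-Transport-Security header: first visit can be downgraded"]
    d = _directives(header)
    findings: List[str] = []
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    if max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("missing includeSubDomains: subdomains can still be reached over HTTP")
    return findings

def audit_set_cookie(header: str) -> List[str]:
    """Findings for one Set-Cookie header value, e.g. the session cookie."""
    name_value, _, rest = header.partition(";")
    name = name_value.split("=", 1)[0].strip()
    d = _directives(rest)
    findings: List[str] = []
    if "secure" not in d:
        findings.append(f"{name}: missing Secure, cookie is sent over plain HTTP")
    if "httponly" not in d:
        findings.append(f"{name}: missing HttpOnly, readable by injected scripts")
    if d.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict, sent on cross-site requests")
    if "domain" in d:
        findings.append(f"{name}: Domain={d['domain']} shares the cookie with all subdomains")
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    if max_age > THIRTY_DAYS:
        findings.append(f"{name}: Max-Age={max_age} keeps the session valid for over 30 days")
    return findings
```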

Session Management

Session management refers to the process of maintaining and tracking the various sessions or interactions between a user and a system or website. It involves creating, maintaining, and terminating sessions to ensure a secure and seamless user experience.

Benefits of session management:

Actionable steps for session management:

Links:

Rate Limiting

Rate Limiting is a technique used to control and limit the number of requests or actions made to a system or network within a certain time frame. It is employed to prevent abuse, protect against DDoS attacks, and ensure fair usage of resources.

Benefits of Rate Limiting:

Actionable steps for implementing Rate Limiting:

Links:
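A token bucket is the usual way to implement the rate limiting described above: each client key gets a bucket that refills at the sustained rate and holds at most the burst size, and a request is served only if a token is available. The example below is added and not from the post; the login guard's limits (20 per minute per IP, 5 per 5 minutes per account) are an assumed policy, and the clock is injectable so the behaviour can be tested with the constructed `FakeClock`.

```python
import time
from typing import Callable, Dict, Tuple

class TokenBucketLimiter:
    """Per-key token bucket: 'capacity' tokens of burst, refilled continuously
    at 'refill_per_second'. The clock is injectable so the policy is testable."""

    def __init__(self, capacity: int, refill_per_second: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = float(capacity)
        self.refill = refill_per_second
        self.clock = clock
        self._buckets: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last)

    def allow(self, key: str, cost: float = 1.0) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= cost:
            self._buckets[key] = (tokens - cost, now)
            return True
        self._buckets[key] = (tokens, now)  # over limit: reject, spend nothing
        return False

def make_login_guard(clock: Callable[[], float] = time.monotonic):
    """Two limits for a login endpoint (assumed policy): 20 attempts/minute per
    source IP, and 5 attempts per 5 minutes per account, so a slow attempt
    spread across many IPs is still throttled on the account dimension."""
    per_ip = TokenBucketLimiter(20, 20 / 60, clock)
    per_account = TokenBucketLimiter(5, 5 / 300, clock)

    def allowed(ip: str, username: str) -> bool:
        # Charge the IP bucket first; an IP that is over limit never reaches
        # the account bucket, so it cannot drain a victim's allowance.
        return per_ip.allow(ip) and per_account.allow(username.strip().lower())
    return allowed

class FakeClock:
    """Constructed clock for demos and tests; advance() moves time forward."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds
```

In production the buckets would live in a shared store such as Redis rather than in process memory, so that every application instance enforces the same limit.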

IDOR

IDOR stands for Insecure Direct Object Reference, which refers to a vulnerability in web applications where an attacker can access unauthorized resources or perform unauthorized actions by manipulating direct object references. This vulnerability arises when an application does not properly enforce access controls on the direct object references it exposes.

Benefits:

Actionable Steps:

Links:
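The fix for IDOR is to scope every lookup by the authenticated principal rather than by identifiers the client supplies, and to answer "not yours" and "does not exist" identically. The handler pair below is an added example, not from the post; the invoice store and account ids are constructed sample data, and the view function is a stand-in for whatever web framework is in use.

```python
from typing import Dict, Optional, Tuple

class NotFound(Exception):
    """Raised for both 'does not exist' and 'not yours', so a caller cannot
    tell them apart and use the difference to enumerate other tenants' ids."""

# Constructed sample data: invoice id -> record with its owning account.
INVOICES: Dict[int, Dict[str, object]] = {
    1001: {"owner_id": 7, "total": 120.00},
    1002: {"owner_id": 8, "total": 990.00},
}

def get_invoice_vulnerable(invoice_id: int) -> Dict[str, object]:
    """IDOR: the id from the URL is the only key. Any logged-in user who
    changes /invoices/1001 to /invoices/1002 reads another account's data."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound()

def get_invoice(current_user_id: int, invoice_id: int) -> Dict[str, object]:
    """Fixed: the lookup is scoped by the authenticated user from the session,
    never by a caller-supplied owner id, and the failure path is uniform.
    In SQL this is the WHERE id = ? AND owner_id = ? clause."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner_id"] != current_user_id:
        raise NotFound()
    return record

def handle_get_invoice(session_user_id: Optional[int],
                       invoice_id: int) -> Tuple[int, Dict[str, object]]:
    """Minimal view function returning (status, body); 401 when not logged in."""
    if session_user_id is None:
        return 401, {"error": "authentication required"}
    try:
        return 200, get_invoice(session_user_id, invoice_id)
    except NotFound:
        return 404, {"error": "not found"}
```

Random or unguessable ids reduce casual probing but are not an access control; the ownership check is what closes the flaw.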

Injection Flaws

Injection flaws, such as SQLi (SQL Injection), XSS (Cross-Site Scripting), and SSRF (Server-Side Request Forgery), are vulnerabilities that allow an attacker to manipulate input data to execute arbitrary commands or inject malicious code into an application’s database, client-side scripts, or server-side requests. These flaws can lead to unauthorized access, data breaches, and compromise of sensitive information.

Benefits of addressing injection flaws:

Actionable steps to address injection flaws:

Links:
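For SQLi and XSS the defence is the same idea in two contexts: keep untrusted input as data, never as part of the statement or markup being built. The example below is added here and is not the post's own code; it uses an in-memory SQLite table with constructed rows to show a string-built query beside its parameterised form, and a raw HTML template beside its output-encoded form.

```python
import html
import sqlite3
from typing import List, Tuple

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)",
                     [("alice@example.com", "admin"), ("bob@example.com", "user")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """SQLi: the value is spliced into the statement text, so input containing
    quote characters changes the query's meaning instead of being compared."""
    query = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Fixed: a bound parameter is always data; the statement text is constant."""
    return conn.execute("SELECT email, role FROM users WHERE email = ?",
                        (email,)).fetchall()

def greeting_vulnerable(display_name: str) -> str:
    """Reflected XSS: untrusted text is concatenated straight into HTML."""
    return f"<p>Welcome back, {display_name}!</p>"

def greeting_safe(display_name: str) -> str:
    """Fixed: output encoding for the HTML text-node context (a template
    engine with auto-escaping does the same by default)."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"
```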

Security Testing


Vulnerability Scanning

Vulnerability scanning is the process of identifying and analyzing vulnerabilities in computer systems, networks, and software applications. It is a proactive approach to identify potential weaknesses that can be exploited by attackers. Vulnerability scanners typically rely on fingerprinting (detected software names, versions and configurations) to infer whether a known vulnerability may reasonably exist, rather than exploiting it, so their results need confirmation.

Benefits:

Actionable steps:

Links:

DAST

Dynamic Application Security Testing (DAST) is a security testing methodology that assesses the security of web applications by sending requests and analyzing the responses in real-time. It helps identify vulnerabilities in the application code, configurations, and server-side components from the perspective of an external attacker.

Benefits of DAST:

Actionable steps for DAST:

Links:

Penetration Testing

Penetration testing is a security assessment technique that involves simulating real-world attacks to identify vulnerabilities in a system or network. It is performed by trained professionals who attempt to exploit weaknesses and gain unauthorized access, giving organizations an opportunity to identify and resolve security issues before malicious hackers can exploit them.

Benefits:

Actionable steps:

Vulnerability Reports


Vulnerability Disclosure Policies

A vulnerability disclosure policy is a documented set of guidelines and procedures for reporting security vulnerabilities in software or systems to the organization responsible for maintaining them. It defines how individuals can responsibly disclose vulnerabilities they have discovered and how the organization will respond to and remediate those vulnerabilities.

Benefits:

Actionable steps:

Links:

Bug bounty

Bug bounty programs are initiatives offered by organizations to incentivize cybersecurity researchers to find and report vulnerabilities in their systems and software. These programs can be highly beneficial for companies, as they allow them to identify and fix vulnerabilities before they are exploited by malicious hackers. Additionally, bug bounty programs can help organizations improve their overall security posture and gain public trust. For researchers, bug bounty programs provide an opportunity to earn rewards for their skills and expertise.

Benefits:

Actionable steps for organizations:

Actionable steps for researchers:

Links:
