5 Tips for Securing Software as a Service

By balaji

October 25, 2006

Field notes on how best to secure "Software as a Service" (SaaS). We ran into 12 SaaS apps last quarter that we were asked to test. Here are our field notes from those assignments: our favorite security tips for SaaS developers.

1. Validate Relationships, not just Inputs

SaaS applications usually have a deep hierarchy of relationships: Organizations, Departments, Users, Roles, Documents, Privileges, to start with. It's no longer enough to validate the format of an input; the app must also validate its relationships. For instance, when the app gets a request to modify a document, it's not enough to check that the requested document id is valid; the app must also check that the document belongs to the requesting user. It sounds obvious. Sadly, it's difficult to enforce these validations consistently across all requests. But enforce them you must. Consider Page Tokens: they are a great way to enforce these relationships automatically.

2. Watch out for those Hidden Form Fields

The deep hierarchy of relationships in SaaS apps results in developers embedding hidden form fields in HTML pages. These fields are a convenient shortcut for the app to navigate the hierarchy and look up data. For instance, it's tempting to embed the RoleId of a user in a hidden field when requesting a specific document, because this saves the server the work of looking up the RoleId and then its associated permissions. But all hidden form fields can be manipulated, and manipulated they will be, by an adversary who wants to escalate privileges. So use hidden fields judiciously, and never trust them.
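Tips 1 and 2 applied together in one request handler, as an added example that is not from the original article. The data model (`USERS`, `DOCS`, `ROLE_CAN_EDIT`), the `update_document` function and the form field names are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """The request names an object outside the caller's relationships."""

@dataclass(frozen=True)
class User:
    user_id: int
    org_id: int
    role_id: int  # stored server-side, never read from the form

@dataclass
class Document:
    doc_id: int
    org_id: int
    body: str

# Constructed sample data standing in for the application's database.
USERS = {
    1: User(1, org_id=10, role_id=2),  # editor in org 10
    2: User(2, org_id=10, role_id=1),  # viewer in org 10
    3: User(3, org_id=20, role_id=3),  # admin of a different org
}
DOCS = {100: Document(100, org_id=10, body="Q3 budget")}
ROLE_CAN_EDIT = {1: False, 2: True, 3: True}

def update_document(session_user_id, form):
    """Handle a 'modify document' request; `form` is client-controlled."""
    user = USERS[session_user_id]  # identity comes from the session only
    try:
        doc_id = int(form["doc_id"])  # tip 1, first half: format check
    except (KeyError, TypeError, ValueError):
        raise Forbidden("malformed doc_id")
    doc = DOCS.get(doc_id)
    # Tip 1, second half: the document must belong to the caller's
    # organization. Missing and foreign ids get the same answer, so the
    # response does not reveal which ids exist.
    if doc is None or doc.org_id != user.org_id:
        raise Forbidden("no such document")
    # Tip 2: permissions come from the stored role; a role_id hidden
    # field in `form` is never consulted.
    if not ROLE_CAN_EDIT[user.role_id]:
        raise Forbidden("role may not edit")
    doc.body = form.get("body", doc.body)
    return doc
```

Putting both checks in one function that every document-modifying request passes through is what makes the validation consistent across requests.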

3. Escape those Text Area boxes

MITRE reports that Cross Site Scripting is on the rise. And SaaS apps are a great target because these networked apps share data between users. If the adversary embeds a script in the data, the script could execute in the victim's browser and hijack his session. A SaaS app, with its large number of inputs, presents multiple opportunities to inject scripts. This is especially true for Text Area boxes that take free-form text input: addresses, notes, comments, annotations. A free-form input, by its very nature, cannot be validated with a good white list. The better alternative is to escape all special characters, as we discussed in Palisade some months ago.

Threats staring at SaaS

What are the threats SaaS applications face? Let's take the common spreadsheet software as an example to illustrate threats to SaaS. [Google Spreadsheets is an example of a spreadsheet as SaaS. Both the software and user data are hosted at the server.] Here are some of the threats to online spreadsheet software.

An adversary:

  • Steals the spreadsheets of other users
  • Modifies spreadsheets of other users
  • Alters read/edit privileges granted to users
  • Deletes all spreadsheets
  • Surreptitiously edits a formula
  • Purges older versions of spreadsheets
  • Impersonates other users and fakes the audit trail
  • Resets the passwords of all users

4. Log events in good detail

For those days when an adversary finally compromises your application, you need detailed event logs that let you trace back the adversary. Remember to log at least the IP address, the timestamp, user id and transaction details for all suspicious events. Check out our guide to logging for more.

5. Test incremental releases

SaaS apps in a competitive marketplace are adding new features regularly. Weekly and monthly releases are common in the race to bring new features out first. That's great for users, and for adversaries too if the incremental releases have holes. At the risk of sounding self-serving (we are a security testing company), it is essential to test applications when new releases are made. The new functionality might add new holes, or re-open ones already closed. Running only an automated scan on the incremental release to save costs is not enough (the adversary is not going to stop at that, for sure). Set up efficient processes to test the incremental release thoroughly and quickly.

Attacks rocking SaaS

What are the most common attacks we see succeed in SaaS applications today? Here's an "unscientific" Top 5 list from our recent security tests:

  • Variable Manipulation
  • Hidden Field Manipulation
  • Cross Site Scripting
  • Insecure caching
  • SQL Injection
