SaaS Security Audit Checklist: Best Practices and Principles
SaaS tools (automated data storage and processing systems, management, etc.) are used today by almost any organization or enterprise. In this regard, it becomes necessary to ensure the safety of information circulating in them. We had already touched this topic before in Development costs growth on a post MVP phase of a SaaS product.
An audit is required to assess whether everything is in order with data protection and other aspects of information security. It allows you to obtain objective qualitative and quantitative assessments of the security indicators of information and other systems.
Let's figure out why it is necessary to conduct an information security audit, who is it better to entrust, what to look for, etc. This will help you protect yourself from the negative consequences associated with the loss of important data, as well as eliminate problems with the law (after all, information security is also regulated by the relevant regulatory legal acts).
What is Software-as-a-Service Audit and Why It’s Important?
It is customary to call information security the protection of data from the interference of an accidental or intentional type, both artificial and natural, which can lead to financial or moral damage to the data owner. As a rule, the need to conduct an audit of information security systems arises if the company's field of activity involves working with personal data of customers or financial information. An audit is the most effective way to obtain objective and real data on the condition.
As a result of a comprehensive SaaS audit program within the framework established by the customer, the audit allows you to achieve several goals:
- Providing the customer with complete data on possible methods of penetration into the information system and the level of risk in various protection options;
- Planning different measures to reduce the level of risks - depending on the time span - urgent, medium-term, and long-term;
- Determination of the main directions for improving the information security system depending on the scope of the company;
- Drawing up plans for obtaining international certificates in the field of information systems security;
- Drawing up a reasonable financial plan for spending on information security and rationalizing costs;
- Consulting activities with specialists in the information security department of the customer's company, as well as the development of methodological manuals for ordinary employees.
It is recommended to conduct a security audit of information systems at least once a year. If there is a frequent change in the structure of the company, the scope of activity, or the emergence of other security requirements, the audit should be carried out more often. This will allow the timely adoption of appropriate methods and new management decisions and minimize possible risks of hacking data systems.
Types of Audit For SaaS Product
For ease of reference, it is customary to divide audit operations into several types - active audit (internal and external) and expert. Each type is used depending on the situation and implies an assessment of protection systems in terms of the response of programs to intrusions, and comparison with generally accepted standards. The whole process of assessing information security systems is a documented examination, the main task of which is to analyze the level of data protection of a particular enterprise. Without objective data on the real state of security, it will not be possible to develop an effective protection system. The entire audit procedure consists of several sequential operations:
- Setting the time and other frames of the proposed analysis, including the list of analyzed resources and other customary conditions;
- A comprehensive analysis of the protective systems of the customer's company within a clearly established framework, during which a survey of employees is carried out, a study of a technical and management package of documents in this area, testing of data system components;
- Analysis of the data that was obtained at the previous stages, which makes it possible to diagnose possible risks and make sure that the information security system complies with international requirements;
- Drawing up a list of measures to improve the quality of protection, the list of which may include options for possible technical and organizational solutions, examples of estimates for the implementation of protection methods, methods of preparation for certification based on international standards.
For smaller companies, the role of an internal auditor may be filled by a senior-level IT manager within the organization. This employee is responsible for building robust audit reports for C-suite executives and external security compliance officers. Larger companies tend to take this one step further, hiring designated Corporate Internal Auditors. These individuals usually have an impressive background as a Certified Information Systems Auditor, Certified Internet Audit Professional, or certified accountant.
An external auditor takes many forms, depending on the nature of the company and the purpose of the audit being conducted. While some external auditors hail from federal or state government offices (like the Health and Human Services Office for Civil Rights), others belong to third-party auditing companies specializing in technology auditing. These auditors are hired when certain compliance frameworks, like SOX compliance, require it.
Now that we know who can conduct an audit and for what purpose, let’s look at the two main types of audits:
A manual audit can be performed by an internal or external auditor. During this type of audit, the auditor will interview your employees, conduct security and vulnerability scans, evaluate physical access to systems, and analyze your application and operating system access controls.
An automated audit is a computer-assisted audit technique, also known as a CAAT. These audits are run by robust software and produce comprehensive, customizable audit reports suitable for internal executives and external auditors. Advanced auditing software will even provide an extra layer of security, continuously monitoring the IT infrastructure and alerting IT technicians when suspicious activity occurs and when predetermined security thresholds have been crossed.
Cost of Audit For Software-as-a-Service Product
From a single Google search, you can find anywhere from $1500 to $50,000 quoted for a security audit. So it depends. $1500 seems to be a daily rate for an auditor, so a month of their time would cost around $30,000. Penetration tests and other services would add to that cost. You might want to use pentesters in your Portfolio audits, and maybe your Tollgates. So it depends.
Audits are an important piece of your overall security strategy in this current “we are all hacked” business climate. When we were looking for the security audit we chose to work with CYLINX. They show your SaaS project is at risk and monitors your sensitive data for attacks from both inside and out.
Best Practices for SaaS Security Audit: Full Guide
Regardless of which type of audit is chosen for a particular case, the following stages are distinguished on how to audit SaaS product properly:
Most often, the security check of a resource is carried out according to the "black box" method - a security specialist begins attempts to hack his target as if he were a real attacker and pursued some selfish goal: hack a competitor, attack site visitors, secretly monetize the site from the owner or just to amuse your ambition.
Thus, a tester must solve at least one of the global problems:
- Violate the confidentiality of customer information.
- Restrict access to key data.
- Modify or destroy any information without the possibility of its recovery.
As you can see from this list, you can't just take and audit the site. You need some preparation for penetration testing, without which it will either be ineffective or can become a real hacker attack with dire consequences. You need to do at least the following:
- Signing a non-disclosure agreement. A researcher in the course of his work can gain access to very valuable confidential information. Reputable organizations involved in security testing are unlikely to use it for their own purposes, but it is not always possible to check the integrity of the performer, so it is better to conclude an agreement.
- Conducting an audit on a full copy of the main software data. The tester will use all methods of hackers, including those leading to a breakdown of a web resource or destruction of data on it. It is better not to expose the combat version of the project to such stress and limit yourself to a clone.
- Concealment of the audit. The fewer people know about testing, the better. Attackers rarely warn about their attack, so if you tell a large number of people about the event, this can distort the result.
Open source search
Since the "black box" method is used, the tester is absolutely not aware of what the attacked object looks like from the inside, otherwise hacking would be an extremely trivial task. Therefore, a preliminary collection of information is used.
A specialist is primarily interested in the technical side of a web application - in what language it is written, what CMS it uses, and with what extensions. You can find out all this without even resorting to special tools, sometimes only Google is enough. For example, you can find employees of the attacked company on LinkedIn, identify programmers among them, and determine what language they specialize in.
Moreover, if you wish, you can find out what exactly they were doing. To do this, just search by their names or nicknames, and you can find a lot of interesting things in the search results. This can be, for example, a discussion on behalf of this programmer of a module for the engine or an order from a corporate account with a freelance contractor of a new plug-in with detailed technical specifications.
Definition of protective equipment
The presence of some kind of security software - intrusion prevention systems, DDoS protection, firewall - can seriously complicate the task of hacking, so it must be detected. Usually, special programs are used for this. For example, you can detect the presence of a firewall using a port scanner, and anti-DDoS services are determined by domain DNS records.
Exploiting common vulnerabilities
Before starting to look for unknown zero-day vulnerabilities, examining the logic of the web application and its architecture, the tester will check the site's resistance to common attack methods. For example, it may be using a known exploit for an old version of the engine. It was at this stage that the aforementioned Interpark and the Ubuntu forum suffered.
In general, at this stage, the following usually happens:
- An attempt was made to execute code remotely.
- Attempted SQL injection.
- The exploitation of XSS, RFI, and LFI vulnerabilities.
- Search for backup storage locations and gain access to them.
- Manipulations with the authorization system: brute force, search for unsafe password recovery, bypass authentication.
- Studying the file structure of the site in order to find files, access to which is limited only by the absence of an explicit link to it.
- Traffic interception and research.
- Search for options for unauthorized access to confidential information.
An unconventional approach
When well-known methods do not help, the tester, using a combination of all the methods described above and his understanding of security systems, tries to bypass the existing protection or discover a hitherto unknown vulnerability.
Not all auditors carry out this procedure, since it is quite complex, requires very high qualifications of specialists, and costs a lot. As practice shows, very often zero-day vulnerabilities are discovered by third-party researchers. However, they receive a corresponding reward for finding them.
In fact, if your site is successfully tested for all standard types of threats, then the test can be considered successful. A more detailed and in-depth study of hacking methods is relevant only for very large projects, for hacking which can involve really high-class hackers who are able to discover new security holes.
Completion of the auditThe result of any penetration testing is a document that must include:
- Information on the methods used at the time of the inspection.
- Development of the concept of an attacker, his potential goals, and motivation.
- Description of attack scenarios developed and implemented by testers.
- A detailed report on all vulnerabilities found.
- Recommendations for their elimination.
We have already mentioned our brainchild called Stripo-email template builder many times. This SaaS product was repeatedly hacked at the initial stage. And it even happened that we got several emails from Indian hackers, who found some vulnerabilities in our system and asked for money for a hint to fix it and for the fact that they themselves would not try to hack us.
Another way to seduce hackers was using the public API, but over time we closed it and allowed it to be used only after verification.
The audit saas provider, with which we cooperate in security audit, is a certified Google partner, which was of great importance to us. Every year, they conduct a certification audit process for SaaS project, such as the reliability of the Stripo in a variety of ways, including:
- Penetration testing;
- Hacking an application;
- Putting the system down;
Typically, after such an audit, they send a 60-page report for correction. Also, every month we receive about 10-15 reports of hacking attempts.
A competently performed audit is a very effective measure for finding weaknesses in the SaaS and its server. It is extremely rare that the test is passed completely, usually, some detail is overlooked by the developers. But even if the web resource could not be hacked, this is still a result - now its owner will definitely be able to sleep peacefully.
Working on a large number of projects from the very beginning, we are used to taking into account what security measures need to be followed in order to minimize attempts to hack your project in the future. Therefore, if you still have questions and or have a desire to entrust us with the safe custom development of your idea, Ardas is ready to help you!
Interested in this expertise?
Get in touch with us and let's discuss your case. We will gladly share our knowledge and experience with you and find the most suitable option for you.