Security is a never-ending battle. After all, to protect the application you must have no holes anywhere in your system, while those trying to break in only need to find a single opening. Fundamentally you are never 100% secure, and getting close to 100% can be prohibitively expensive, to the degree that a product is no longer profitable.
However, it is not that hard or expensive to make a system relatively secure by working through a good SaaS application security checklist. If your system is hardened so that only a small number of attackers could break in, that is often sufficient, because the most capable attackers go after the most valuable targets, and that is usually someone else.
Here are seven SaaS security best practices that are both easy and inexpensive to implement:
1. Encrypt all Customer Data: Use the underlying database system to encrypt the data stored in the database (in SQL Server this is Transparent Data Encryption). Once this is enabled, everything written to the database is encrypted at rest (the data files and backups on disk), yet you do not have to change anything in your code: encryption and decryption happen inside the database, below your calls, so you avoid a whole class of SaaS security risks for everything running on your application.
2. Use the Customer’s Key Store: Store all keys (the credentials used to access the database, the data-encryption keys, any private keys for document signing, etc.) in a key store, with a distinct key store for each customer, and with the customer as the only party that has full access to it. Your SaaS application can use the keys as needed when accessing the DB, signing documents, etc., but your application cannot read or copy them.
3. Use their Active Directory for all Authentication & Authorization: First, make this optional, as some customers have good reasons to want the user and group information for your app kept separate. But where they can, make the customer’s Active Directory the sole source for authentication and authorization. This way only they control who has access, and to what, in the application.
4. Use a 3rd Party to Get & Store Credit Cards: To collect a credit card, use a third-party service such as Square, where it is their HTML that prompts for and then stores the card number. Never touch the full number (keeping the last 4 digits is fine), not even to read it and pass it on.
5. Use SetParameter() for any Parameter in a SQL (or OData, XPath, etc.) Query: Never do string substitution, or use any other approach that opens you up to an injection attack; bind every user-supplied value as a parameter. Besides, this makes your code more robust against inadvertent problems with user field entries such as O’Malley, Smith & Sons or Coffee;Tea;Milk.
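The following is an added example, not code from the article or from Windward, showing the difference item 5 describes. It uses Python's built-in sqlite3 module as a stand-in for the SQL Server database the article has in mind, and a constructed three-row customers table containing exactly the awkward names mentioned above; the `?` placeholder plays the role of the article's generic SetParameter() binding. The unsafe function splices the user's text into the statement, the safe one hands the value to the driver separately.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory database standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (name) VALUES (?)",
        [("O'Malley",), ("Smith & Sons",), ("Coffee;Tea;Milk",)],
    )
    return conn


def find_by_name_unsafe(conn, name):
    """String substitution: whatever the user typed becomes part of the SQL text.

    A legitimate apostrophe (O'Malley) breaks the statement, and specially shaped
    input changes the query's meaning. Returns the matching names, or an error
    string when the database rejects the malformed statement.
    """
    sql = "SELECT name FROM customers WHERE name = '%s'" % name
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError as exc:
        return "SQL error: %s" % exc


def find_by_name_safe(conn, name):
    """Parameter binding: the statement is fixed, the value travels separately.

    The driver never re-parses the value as SQL, so quotes, ampersands and
    semicolons in the input are just characters to compare against.
    """
    sql = "SELECT name FROM customers WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


if __name__ == "__main__":
    db = make_db()
    for entry in ["O'Malley", "Smith & Sons", "Coffee;Tea;Milk", "x' OR '1'='1"]:
        print("%-16r unsafe=%r safe=%r"
              % (entry, find_by_name_unsafe(db, entry), find_by_name_safe(db, entry)))
```

Running it shows the two failure modes the article alludes to: the unsafe query errors out on O'Malley, a perfectly ordinary customer, and returns every row for the last (constructed) input, while the parameterised query returns exactly the rows whose name equals the input and nothing else.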
6. Use a Robust Hosting Service (AWS, Azure, etc.) and Make Full Use of the Security They Offer: Several capabilities in the hosting stack will help protect your application; take full advantage of them.
7. Engage a Secure SDLC Process —Focus on Security Right from the Start: Instead of bolting security on top of your SaaS application afterwards, bake (embed) security into your Software Development Life Cycle (SDLC) from the beginning. Then, right from the development stage, you can identify vulnerabilities quickly and arrive at a secure SaaS application, avoiding costly setbacks at the end.
The next big step after the above is certification. This is where it starts to get expensive. Also, certification and agile development are in direct conflict with each other, because as soon as you make one change to the program (and with agile you make several each week), the certification is void.
When you get certified, you will likely need to then offer your application in three versions:
Certified – this is the version that was certified. You will publish a list of known bugs in this version, but nothing will be fixed.
Certified + bug fixes – this is the certified version with any serious bugs fixed. It is no longer certified, but the changes from the certified version are minimal.
Latest – this is the latest fully tested version from your ongoing agile development. As time goes on it will have more, and larger, differences from the certified version.
Then once a year (or at another cadence), you get the latest agile version certified and start over with the three releases above.
Windward takes security seriously, which is why we offer the best-in-class document automation software that's secure and safe to use no matter where and how you work.