Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Cloud Security for SaaS Startups Part 2: Application & Platform Security

Home
Industry Insights
Cloud Security for SaaS Startups Part 2: Application & Platform Security

Blog Article Published: 05/03/2021

Based on the Cloud Security for Startups guidelines written by the CSA Israel Chapter

As a SaaS startup, how can your organization ensure you implement proper security for your applications and platforms? In this blog we provide a preview of the information and guidelines available in the Cloud Security for Startups. Check out Part 1 of this blog series to learn about the requirements for the early stages of a startup.


Application Security

Application security is an important pillar when planning security foundations. A lack of good application development and deployment methods can result in an inability to adhere to regulations and standards in addition to exposure to application attacks. Neglecting application security practices at the early stages of a startup makes it much harder and more expensive to correct later.

General Recommendations

Understand the different aspects of application security and reflect them to your customers and employees. Being transparent and offering your clients useful security insights regarding the best ways to integrate your service into the client’s environment may position you as a trusted advisor. This proactive approach may help you earn your client’s appreciation when they go to evaluate your company’s security risks. Consider providing clients with recommended guidance on security best practices that pertain to the services they seek.

The CSA Guidance For Critical Areas In Cloud Computing provides information on all security domains of cloud computing. Use this guide to predict what your customers will want to know.

When your startup has reached maturity, your customers may ask for external verification of your security. It becomes time for the following actions:

  • Test your application with external penetration testing.
  • While your development team is growing, provide programmers and quality assurance representatives with security awareness training. All developers should at least be familiar with the OWASP Top 10 Vulnerabilities.

Tips

  • Start small, but learn from big players such as Amazon and Microsoft.
  • Each development environment has its own security implementation and best practice documents. Use them.
  • Make sure to authenticate all services and validate all input.
  • Explore security solutions for storing your application secrets (API keys, connection strings, etc.), such as AWS Parameter Store, GCE KMS or Azure Key Vault.
  • Protect your source code. Make sure you map all access to source code and keep external backups.

More topics related to Application Security are covered in the full publication:

  • Authentication and Authorization
  • APIs: Do Not Neglect Security
  • Secure Software Security Development Lifecycle (SSDLC)

To read more about application security download the full paper Cloud Security for Startups.

Platform Security

The cloud platform is the IaaS/PaaS platform on which the SaaS company is developing. While securing the cloud platform is a responsibility of the cloud provider, securing the running instances and the management dashboard are a cloud consumer’s responsibility.

General Recommendations

  • Understand the shared responsibility model between you and your provider. Most mature providers have detailed documentation on this topic.
  • Ensure you are using secure data backup strategies and processes. Always keep copies of critical backups outside the cloud environment and be sure to run through restore procedures to ensure the integrity of backups. Encrypt backups if they include sensitive data.
  • Consider deploying to more than one region in your cloud provider platform in order to increase resilience to region-level failures

Management (Client) Dashboard

The IaaS/PaaS management dashboard is a primary attack vector. Failure to protect it can result in an inability to access, manage or provide your services for good.

The following procedures should be implemented during Phase 1 of the SaaS Startup Lifecycle:

  • Follow your service provider’s security best practices checklist.
  • Avoid using the Master/Root account on your dashboard. Instead, create and use sub-accounts with relevant and least privileged roles.
  • Protect your admins with 2FA. Revoke unused API keys.
  • Protect your DNS with a trustable provider. Domain Name registrants and operators have become popular attack vectors.
  • Store API keys and other secrets in a safe location.

Tips

  • Activate management dashboard logging tools (e.g. AWS Cloud-Trail) from the first day of development.
  • Create roles for operations admins, and separate account management to different roles.
  • Explore cross-account permission to limit blast radius in case of account hijacking.
  • Use a designated email address for your master cloud account to protect against phishing.

More topics related to Platform Security are covered in the full publication:

  • Management (Client) Dashboard
  • Data Flows and Network Separation
  • Physical Security
  • Protecting Your Instances
  • Encryption and Key Management

To read more about platform security download the full paper Cloud Security for Startups.

Acknowledgments

The content for this blog was created by the Israeli chapter of the Cloud Security Alliance (CSA). The Israeli chapter of the Cloud Security Alliance was founded by security professionals united in a desire to promote responsible cloud adoption in the Israeli market and deliver useful knowledge and global best practices to the Israeli innovation scene.

Creators

  • Moshe Ferber
  • Shahar Geiger Maor
  • Yael Nishry
  • Contributors
  • Marius Aharonovich
  • Ron Peled
  • Yuval Reut
  • Ofer Smadari
  • Omer Taran
StartupsTransitioning to the cloud

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Do You Know These 7 Terms About Cyber Threats and Vulnerabilities?

Published: 04/19/2024

Navigating Your Cloud Journey in 2024: Key Resources from the Cloud Security Alliance

Published: 04/05/2024

Runtime is the Way

Published: 04/04/2024

10 Essential Identity and Access Management (IAM) Terms

Published: 03/30/2024