Cloud Security for SaaS Startups Part 2: Application & Platform Security
Application security is an important pillar when planning security foundations. A lack of good application development and deployment methods can result in an inability to adhere to regulations and standards in addition to exposure to application attacks. Neglecting application security practices at the early stages of a startup makes it much harder and more expensive to correct later.
Understand the different aspects of application security and reflect them to your customers and employees. Being transparent and offering your clients useful security insights regarding the best ways to integrate your service into the client’s environment may position you as a trusted advisor. This proactive approach may help you earn your client’s appreciation when they go to evaluate your company’s security risks. Consider providing clients with recommended guidance on security best practices that pertain to the services they seek.
The CSA Guidance For Critical Areas In Cloud Computing provides information on all security domains of cloud computing. Use this guide to predict what your customers will want to know.
When your startup has reached maturity, your customers may ask for external verification of your security. It becomes time for the following actions:
- Test your application with external penetration testing.
- While your development team is growing, provide programmers and quality assurance representatives with security awareness training. All developers should at least be familiar with the OWASP Top 10 Vulnerabilities.
- Start small, but learn from big players such as Amazon and Microsoft.
- Each development environment has its own security implementation and best practice documents. Use them.
- Make sure to authenticate all services and validate all input.
- Explore security solutions for storing your application secrets (API keys, connection strings, etc.), such as AWS Parameter Store, GCE KMS or Azure Key Vault.
- Protect your source code. Make sure you map all access to source code and keep external backups.
More topics related to Application Security are covered in the full publication:
- Authentication and Authorization
- APIs: Do Not Neglect Security
- Secure Software Security Development Lifecycle (SSDLC)
To read more about application security download the full paper Cloud Security for Startups.
The cloud platform is the IaaS/PaaS platform on which the SaaS company is developing. While securing the cloud platform is a responsibility of the cloud provider, securing the running instances and the management dashboard are a cloud consumer’s responsibility.
- Understand the shared responsibility model between you and your provider. Most mature providers have detailed documentation on this topic.
- Ensure you are using secure data backup strategies and processes. Always keep copies of critical backups outside the cloud environment and be sure to run through restore procedures to ensure the integrity of backups. Encrypt backups if they include sensitive data.
- Consider deploying to more than one region in your cloud provider platform in order to increase resilience to region-level failures
Management (Client) Dashboard
The IaaS/PaaS management dashboard is a primary attack vector. Failure to protect it can result in an inability to access, manage or provide your services for good.
The following procedures should be implemented during Phase 1 of the SaaS Startup Lifecycle:
- Follow your service provider’s security best practices checklist.
- Avoid using the Master/Root account on your dashboard. Instead, create and use sub-accounts with relevant and least privileged roles.
- Protect your admins with 2FA. Revoke unused API keys.
- Protect your DNS with a trustable provider. Domain Name registrants and operators have become popular attack vectors.
- Store API keys and other secrets in a safe location.
- Activate management dashboard logging tools (e.g. AWS Cloud-Trail) from the first day of development.
- Create roles for operations admins, and separate account management to different roles.
- Explore cross-account permission to limit blast radius in case of account hijacking.
- Use a designated email address for your master cloud account to protect against phishing.
More topics related to Platform Security are covered in the full publication:
- Management (Client) Dashboard
- Data Flows and Network Separation
- Physical Security
- Protecting Your Instances
- Encryption and Key Management
To read more about platform security download the full paper Cloud Security for Startups.
The content for this blog was created by the Israeli chapter of the Cloud Security Alliance (CSA). The Israeli chapter of the Cloud Security Alliance was founded by security professionals united in a desire to promote responsible cloud adoption in the Israeli market and deliver useful knowledge and global best practices to the Israeli innovation scene.
- Moshe Ferber
- Shahar Geiger Maor
- Yael Nishry
- Marius Aharonovich
- Ron Peled
- Yuval Reut
- Ofer Smadari
- Omer Taran