There’s no debate on this one: Penetration testing is crucial for SaaS companies. It’s only in the details that arguments arise: How often should you test your app? What should be in scope? Which vendor should you use? How much should you spend?
It is those questions that we will seek to answer in this article; an ultimate, practical guide to penetration testing for SaaS companies from an experienced CISO. It will assist with your firm’s decision-making, and make the business value of this important security measure clear.
- Common Cybersecurity Risks for SaaS Companies
- Why Pentest Your SaaS App?
- Does Pentesting Help a SaaS Company Meet Compliance Requirements?
- Which Pentest Type for a SaaS Company?
- Tips on Scoping Your SaaS Pentest
- Cost of Penetration Testing for SaaS Companies
- Vendors for SaaS Penetration Testing
- Final Thoughts
- Find the Right Pentest Provider Fast
Common Cybersecurity Risks for SaaS Companies
For Software as a Service (SaaS) solution providers, there are many security-related concerns that must be taken into account. One of the largest is how to protect the application and API endpoints. This could include complex vulnerabilities or easily exploitable vulnerabilities that expose data, allow escalation of permissions, and a host of additional breach risks. The reality is that as soon as you are a SaaS solution provider, whether consumer or business-driven, your application, and services become a target for attack.
As for the most common issues with SaaS applications, these are typically on the OWASP Top 10. While they may be any one of the top 10 vulnerabilities, access control, injection flaws, and data security are the most critical for your application to protect against.
Allowing for an account takeover or horizontal access to an account not owned by a customer could be an unrecoverable event.
Many of these vulnerabilities can be identified in code review but often require penetration testing to fully understand and mitigate.
(NOTE: If you’re considering a penetration test of your SaaS application, our free tool below matches your firm with a top-rated pentest vendor that suits your needs and budget.)
Why Pentest Your SaaS App?
For a SaaS solution provider that is operating in a B2B model, a large chunk of potential customers will ask for a penetration test. In some cases, they are fine with being provided an attestation of penetration testing with high-level information, like the number of findings and current status. But most of these customers’ security teams will want to know that the application and infrastructure have been tested to understand if there are any risks posed to the company and its data. Keep in mind, as a SaaS solution provider, your company is taking on the work, risk, and security of the application and supporting infrastructure on behalf of your clients.
If used correctly, additional value can be attained from a penetration test to help guide development work, development priorities, and even investments in security controls (Web Application Firewall (WAF), secure configs, etc.). A penetration test will allow the company to better understand maturity, weak controls, and common recurring issues in an application or service (for instance multiple injection-related vulnerabilities would indicate a need for better sanitization standards). All of these only help to guide the business priorities to help with meeting customer requirements and needs.
Does Pentesting Help a SaaS Company Meet Compliance Requirements?
Beyond the benefit of identifying potential vulnerabilities and improving defensive controls, the final reason a company would be looking for a penetration test is usually compliance driving. Many of the largest compliance frameworks and certifications require some sort of penetration test to help assess and improve the security of the application and defensive controls.
Some SaaS companies will engage a vendor that can help them check the box by providing a low-cost quick penetration test. Pending that there are additional internal security controls and processes in place, this could be a fine approach but is not recommended, as this may not provide much value other than checking the box.
Beyond being a requirement of many compliance frameworks, a penetration test is not often geared to certifying or identifying control gaps in the framework chosen. It’s a common requirement or control to help better protect the data and services from potential attacks and to be proactive in improving the overall security posture of the company.
There are several compliance frameworks that require a pentest to be conducted in one form or another. If your company works with credit card numbers, it will be required by PCI DSS for the environment and systems that come in contact with those cards.
ISO 27001 is an optional framework that is widely adopted and asked for outside the US, which does have requirements or guidance to implement penetration testing.
HIPAA compliance is greatly assisted by the use of penetration testing to help validate important security controls for the protection of healthcare data.
GDPR and many of the data privacy regulations have sections that require the validation of security controls through the use of penetration testing or vulnerability scanning. In general, it is considered a best practice to do for nearly any framework or certification that your company may be looking to attain.
Which Pentest Type for a SaaS Company?
SaaS companies will first need to consider whether an external or internal penetration test of the application has more value; testing either the external attack surface (how can a malicious actor get in) and/or the internal surface (how much damage can an attacker do once inside). External penetration tests are typically lower in cost, but internal tests provide more comprehensive guidance.
In my personal view, there is another, quite underrated type of pentest that every company, especially SaaS solution providers, should be taking advantage of: purple team penetration testing. There are many ways to conduct a purple team test but in general, the core goal is to have the red team (penetration tester) working with a blue team (a defensive security team, either from inside the company, or also working with the external pentest consultant) to identify how they are bypassing security controls or exploiting vulnerabilities. More advanced techniques may involve the blue team communicating what they are seeing to allow the red team member to better understand how they may bypass or evade detection. In general, this kind of test will involve the internal blue team working with the consultancy to improve detection and prevention techniques.
Not all penetration testing companies will offer up this service in conjunction with their penetration testing, but that does not mean that your company cannot still do it. If a purple team is not provided or is cost-prohibitive for your company, you can still utilize the test to do purple teamwork. You don’t need to have the tester tell you exactly what they are doing; you should take the time to have your tech team and security team review logs, alerts, and tools to make sure you can see the pentester’s activity. A great way to better review the logs is to ask for the penetration tester origination IP address so that your internal team can more efficiently review the logs to understand where detections or prevention controls are missing. This allows for building blocking and alerting rules to help further strengthen the application, even if the vulnerabilities are being remediated.
Finally, a great service to consider for many SaaS solutions providers would be a bug bounty program. This may seem scary, but there are many providers that manage reputable penetration testers that can be engaged to help identify vulnerabilities and issues in your application on an ongoing basis. The main benefit of this service over a point-in-time penetration test is that you only pay for the finding. You can let it run continuously, which will decrease the time to identify a vulnerability, and it works extremely well with an application that is constantly changing. With these services, you can focus on an application, API, or underlying infrastructure, one at a time, or all together.
Tips on Scoping Your SaaS Pentest
When it comes to scoping your company’s penetration test, there are a couple of areas that are always good to focus on for the initial few penetration tests. Of course, it is critical to test the application and API methods that are exposed, so the first type of test that should be considered is an application penetration test.
The other, which is most common for SaaS solutions, is a cloud penetration test (if your company is using cloud service providers). There are a fair few configurations and services that can be used with a cloud service provider that could expose your company to leaking data on accident.
Within those areas, there are a few key elements that should be in scope for a Saas app pentest. These are as follows:
· Authentication Controls – validating and understanding how the authentication component works and is kept secure is critical. A custom-built or weak implementation of authentication could lead to account takeover, leaking of valid accounts, social engineering, and a whole host of other issues.
· Access Control – There are two separate access control cases that should be focused on: Vertical is the act of escalating or directly accessing privileged components or functions in an application that could result in the loss of data, destruction of data, or other major issues because a user is able to elevate to admin functions or rights. Horizontal is just as important to test, as it can result in a user gaining access to another user’s account or data.
· API Security – This last recommended area of focus is very large. Initially, the focus should be on the authentication methods used to secure the API, what type of data could be exposed on the API, and the proper authorization of actions taken by users of the API.
Cost of Penetration Testing for SaaS Companies
As is the case with all security services, there is a wide range of costs for penetration testing services. Most SaaS solution providers have a complex application that requires multiple user roles and many APIs that need to be tested. Because of this, it is not uncommon for penetration tests for SaaS companies to cost 6 figures to conduct. While this is what the test can cost, it is still possible to engage a vendor for closer to $25,000 per test, especially if you focus on core functionality and rotate per test. With a test in this price range, it is likely that it would take around 2 weeks to complete the test for a company. As the costs go up, the total effort time will continue to increase too.
Vendors for SaaS Penetration Testing
When it comes to vendors to engage for penetration testing, nearly any that provide penetration testing will be capable. However, if your company is looking for a test focused more on cloud, it will be critical to find a partner that is experienced in cloud services, as these are difficult to test and understand with no experience. It is highly recommended that you attain references from your potential vendor and, as part of those references, look for companies similar to yours. Talking to peers is another great way to identify and find a partner to provide your penetration testing services.
Beyond discussing the types of tests that the vendor has provided, another great way to assess is to ask for the certifications of the testers. Looking for CEH, OSCP, and cloud certifications are great ways to find a company that has the right skills to provide a quality test for your company. These certifications will sit with individual testers and not with the company itself, so ideally they have multiple consultants that are certified with one or multiple of these certifications.
NOTE: NetworkAssured can match you for free with a vendor with SaaS experience that fits your needs and budget.
As we have covered in the article above, when it comes to penetration testing, there are more benefits to it than just identifying vulnerabilities. If used correctly, regardless of if vulnerabilities are discovered, a penetration test can be used to help determine the efficacy of security controls to detect, block, and alert on potential or actual malicious activity. Knowing if the detective controls are operational can drastically help with limiting the time a malicious actor is in your services and how much data or damage is done.
An additional benefit to penetration testing is that the tests can help to identify pervasive issues with your application or environment. Multiple injection issues or multiple open S3 buckets might show that additional training and security best practices are needed to help prevent these from continuing to be introduced into your environment.
Finally, one of the biggest benefits of conducting these tests is the ability to build trust and strengthen relationships with your customers. Having a report to provide and show that it is conducted on a regular basis shows your customers that you take security seriously. It shows that your company is looking to continuously improve its security controls and capabilities.