Ethiack Blog

Identifying Vulnerabilities in SaaS: The Guide Updated for 2023

Written by Ethiack | 22/05/23 07:53

Introduction

SaaS companies are extremely exposed to attacks.

The pressure to ship code fast means that potential vulnerabilities get ignored and fixing them isn’t a priority for the product team… until the worst happens.

Besides, malicious hackers know that they’re an easy target. Exposed vulnerabilities, personal data from users, and high-cash flow businesses make for good prey.

In this guide, we explain what you need to do to protect your SaaS from data leaks, ransomware and other attacks, and to keep your business safe. We’ll touch on:

  • When does SaaS become a target for hackers
  • The danger of AI-assisted hacking and how it’ll expose smaller SaaS
  • How EASM, SAST, DAST, IAST, SCA, and pentest can help secure SaaS
  • How hacking can be used as preventive security

What changed in security after AI?

SaaS companies have always been a target for hackers. They’re profitable, often have no security processes, and host personal data like emails and payment details, which makes them an easy target. Yet despite the threat, CTOs and CEOs postpone protection. We often hear excuses like:

  • “We’re not big enough for hackers to care”
  • “We don’t store personal data” (Emails, Credit Cards, ... GDPR, anyone?)
  • “I know there are vulnerabilities, but we’re prioritizing the product right now”

These products may have got away with it so far, but sooner or later an attack will come. Fast deployment from agile development and a “ship first, fix later” mindset make a breeding ground for hackers, with all the consequences that follow.

 

Securing your SaaS: the 8 Big Methods

Hopefully, you’re now on the same page as us: security matters and it shouldn’t be postponed.

Now… how do we go about actually securing our app while considering that we still need to ship features fast and have extremely tight resources?

There are many ways to do so and for each, you have to take into account the specific needs of your company. We’ll break each of them down for you!

 

Start with External Attack Surface Management (EASM)

This is always the first thing you should do. EASM discovers and inventories every asset of yours that is reachable from the internet, including the ones nobody remembers deploying, so you know what an attacker can see before they do.

If you start thinking like a military general, it makes sense: if you don’t know the terrain you’re fighting on (your assets), then the enemy (the hackers) has an immediate advantage over you. This gets even more difficult when the external digital footprint of your company can be much larger than the internal network, due to interactions between staff, customers, and third parties.

The goal here is to uncover threats that are difficult to detect, such as shadow IT systems, so you can better understand your organization’s true external attack surface. EASM enables security and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall. 

The external attack surface insights are generated by combining vulnerability and infrastructure data to show the key areas of concern for your organization. For this, a good EASM tool should enumerate exposed assets of every kind: domains, hostnames, web pages, IP blocks, IP addresses, ASNs, TLS certificates, and WHOIS contacts.

The most common use cases for EASM

  • Discover and map digital assets: you can use EASM to locate websites, domain names, IPs, cloud services, and SSL certificates across different environments, including clouds, local IT, operational technology (OT), and IoT. This helps maintain a real-time inventory of all identified assets.
  • Prioritize and remediate vulnerabilities: EASM prioritizes and addresses various exposures like misconfigurations, unpatched vulnerabilities, and open ports based on risk level and severity. By quickly remediating these issues, organizations can reduce their attack surface and protect against potential cyberattacks.
  • Enhance cloud security and governance: this can be improved by using EASM to identify public assets across cloud vendors. EASM helps you discover cloud assets that you might be unaware of and apply appropriate protections to secure them.
  • Detect data leakage: EASM monitors for data leakage, including credential leakage and sensitive data exposures occurring through cloud applications and collaboration tools used by third parties and employees. This allows you to prevent data breaches and avoid the associated financial and reputational damage.
  • Assess subsidiary risk: Gain visibility into digital assets across various subsidiaries for a more comprehensive risk assessment. By understanding the potential risks associated with subsidiary assets, you can take proactive steps to mitigate those risks.
Selecting and implementing an EASM tool


Now, when it comes to choosing the right EASM, you should take these features into account: 

  • Full Inventory Discovery: it should attempt to uncover and map the external-facing assets of your organization, including the ones you don’t know about.
  • Continuous Monitoring: it has to be able to continuously monitor your external attack surface for new assets and changes that could introduce new security risks.
  • Risk Prioritization: it should help prioritize security risks and vulnerabilities based on the potential impact on your organization.
  • Risk Exposure: it should help you understand how exposed your business is as a whole, for a more comprehensive risk assessment.
  • Manage and Filter Assets: a good EASM tool should let you mark which assets matter most, with different tiers. The same finding on a tier-1 asset and on a forgotten marketing site deserves very different treatment.
  • Compatibility with existing systems: your EASM platform should work well with your already existing systems. This should be easy to integrate with your tools, like issue trackers, SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), or incident management solutions.

So if you want to get started with EASM, follow the steps below:

  1. Pick a tool that follows the criteria mentioned above.
  2. Configure the tool to scan your assets daily or weekly.
  3. Check what assets and technologies are exposed and remediate the identified risks
  4. Continuously monitor and update your EASM platform to ensure the ongoing security of your external assets.
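Step 4 is where an EASM tool earns its keep: what matters is not the raw asset list but what changed since the last scan, scored against how important the asset is. The script below is an added example, not part of the original post or of any Ethiack tooling. It diffs two constructed inventory snapshots in an assumed format (hostname to open ports and certificate expiry date), flags newly seen hosts, newly opened risky ports, expiring certificates and hosts that vanished (candidate dangling DNS records), and ranks the results by an assumed tier map. The scores and thresholds are illustrative.

```python
"""Attack-surface change detection over two EASM inventory snapshots.

Inventory format (assumption): {hostname: {"ports": set[int],
                                          "cert_expires": "YYYY-MM-DD" or None}}
"""
from dataclasses import dataclass
from datetime import date

# Ports whose exposure on an internet-facing host almost always deserves a ticket.
RISKY_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp",
               6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}
CERT_WARN_DAYS = 30


@dataclass
class Finding:
    host: str
    score: int
    reasons: list


def _base_score(host, tiers):
    # Tier 1 = crown jewels, tier 3 = low value. A host missing from the asset
    # register is unmanaged (shadow IT), so it is scored like tier 1 until
    # someone claims it and assigns a real tier.
    return (4 - tiers.get(host, 1)) * 10


def diff_inventory(previous, current, tiers, today):
    """Return findings for what changed between two snapshots, highest score first."""
    findings = []
    for host, entry in current.items():
        old = previous.get(host)
        score, reasons = _base_score(host, tiers), []
        if old is None:
            score += 20
            reasons.append("new externally visible host")
            if host not in tiers:
                score += 10
                reasons.append("not in asset register (shadow IT?)")
        for port in sorted(entry["ports"] - (old["ports"] if old else set())):
            service = RISKY_PORTS.get(port)
            score += 15 if service else 5
            reasons.append(f"port {port}/{service} newly exposed" if service
                           else f"port {port} newly exposed")
        expires = entry.get("cert_expires")
        if expires:
            days_left = (date.fromisoformat(expires) - today).days
            if days_left < 0:
                score += 15
                reasons.append("certificate expired")
            elif days_left <= CERT_WARN_DAYS:
                score += 10
                reasons.append(f"certificate expires in {days_left} days")
        if reasons:
            findings.append(Finding(host, score, reasons))
    # Hosts that vanished may leave DNS records pointing at released cloud
    # resources (the classic subdomain-takeover setup), so report them too.
    for host in sorted(previous.keys() - current.keys()):
        findings.append(Finding(host, 0, ["no longer answers; check for dangling DNS records"]))
    return sorted(findings, key=lambda f: -f.score)


# Constructed snapshots (not real hosts): yesterday's scan and today's.
PREVIOUS = {
    "app.example.com": {"ports": {443}, "cert_expires": "2024-01-15"},
    "api.example.com": {"ports": {443}, "cert_expires": "2024-03-01"},
    "legacy.example.com": {"ports": {443}, "cert_expires": "2024-06-01"},
}
CURRENT = {
    "app.example.com": {"ports": {443}, "cert_expires": "2024-01-15"},
    "api.example.com": {"ports": {443, 22}, "cert_expires": "2024-03-01"},
    "staging-old.example.com": {"ports": {80, 9200}, "cert_expires": None},
}
TIERS = {"app.example.com": 1, "api.example.com": 1, "legacy.example.com": 3}


def demo_findings():
    """Run the diff on the constructed snapshots as of 2023-12-20."""
    return diff_inventory(PREVIOUS, CURRENT, TIERS, date(2023, 12, 20))


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.score:3d}  {f.host:26s} {'; '.join(f.reasons)}")
```

Run as a script it prints the forgotten staging host with Elasticsearch open at the top, the newly exposed SSH port on the API host next, then the expiring certificate, and finally the host that disappeared. A real EASM platform feeds this kind of ranked delta into your ticketing or SIEM integration rather than printing it.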
We also recommend the following tools for you to get started:

  • Ethiack
  • Detectify
  • ShockWave
  • CrowdStrike Falcon Surface
  • Randori
  • HackerOne Assets

Implement Static Application Security Testing (SAST)

This is the most basic DevSecOps process you can implement and that’s why we think every SaaS should get started with it. In short, it detects vulnerabilities in your source code before you ship it to prod.

This is completely automatic. There are many tools out there that just scan your code and let you know about the vulnerabilities. It mostly catches SQL injection, cross-site scripting (XSS), and buffer overflows, but it lacks the depth to catch every kind of vulnerability. It’s not a silver bullet.

Pros of SAST

  • It’s as basic as you can get. Any DevSecOps routine should start with this. It also scales very easily across multiple applications/assets. Besides, it’s easily incorporated into the SDLC with a CI/CD pipeline. 
  • Fully automated. You just set up the scans and it’ll start running. Once it’s done, you evaluate the results.
  • A white-box approach at such an early stage of development is a big plus of SAST. The sooner a defect is detected in the code, the cheaper it is to fix.

Cons of SAST:

  • Well… it’s as basic as it can get. It’ll explore the most basic vulnerabilities and that’s it. Skilled malicious hackers will find more creative ways to break through. Still, it’s good for a small organization to get started.
  • High rate of False positives. This is arguably the biggest drawback. You have to review every reported vulnerability. If even 20% of them are false positives, you just wasted a massive amount of time.
  • No prioritization. This is related to the point above. Since SAST tools look at code without runtime context (where it’s deployed, whether the code path is reachable, what data flows through it), they struggle to determine the true impact of a finding.
You might be thinking:

“So why should I do this?”

Because it’s still effective! It’s the starting point to keep ANY SaaS app secure. Most teams ship code at least every sprint, often every two weeks. You need to make sure you’re not adding vulnerabilities every time you release to production.

If you think this is the right tool for you, here are some guidelines on where to start:

  1. Choose a suitable SAST tool that meets your organization's needs in terms of language support, integration capabilities, and reporting features.
  2. Use SAST as early in the SDLC as possible by integrating it with your CI/CD pipeline. Set up project-specific settings, such as coding standards and security rules. 
  3. Initiate SAST scans on your application's source code or compiled binaries to analyze it for potential security vulnerabilities, coding flaws, and weaknesses. 
  4. Review the scan results and prioritize the identified issues based on severity and potential impact.
Remember, SAST should be performed regularly as part of your software development lifecycle to catch vulnerabilities early in the process and reduce potential risks. Continuous integration and automation can further enhance the effectiveness of SAST in securing your applications.
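To make concrete what a SAST tool actually does, and why it produces false positives and cannot prioritize, here is a single rule written against Python’s ast module. It is an added example, not code from the post or from any of the tools listed below. The rule flags calls to execute()-style sinks whose query text is assembled at runtime (concatenation, %-formatting, str.format() or an f-string) and lets compile-time-constant strings through; the scanned snippets are constructed. Note what the rule cannot know: whether the interpolated value is user-controlled, and whether the code is reachable at all. That is exactly the missing context described in the cons above.

```python
"""One SAST rule: SQL sinks fed with strings built at runtime.

Added example; the VULNERABLE and SAFE snippets are constructed input.
"""
import ast

SQL_SINKS = {"execute", "executemany", "executescript"}


def _is_literal(node):
    """True when the expression is built only from compile-time constants."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, ast.Tuple):
        return all(_is_literal(e) for e in node.elts)
    if isinstance(node, ast.JoinedStr):  # an f-string with no {placeholders}
        return all(isinstance(v, ast.Constant) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _is_literal(node.left) and _is_literal(node.right)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return (_is_literal(node.func.value) and not node.keywords
                and all(_is_literal(a) for a in node.args))
    return False


def _dynamic_string(node):
    """Name the construction pattern if the query text is built at runtime."""
    if _is_literal(node):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "concatenated"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatted"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return None


class SqlStringRule(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SQL_SINKS and node.args:
            how = _dynamic_string(node.args[0])
            if how:
                self.findings.append(
                    (node.lineno, f"{func.attr}() receives a {how} query; use bound parameters"))
        self.generic_visit(node)


def scan_source(source):
    """Return [(line, message), ...] for one module's source text."""
    rule = SqlStringRule()
    rule.visit(ast.parse(source))
    return rule.findings


# Constructed snippets: three ways to build the query string at runtime...
VULNERABLE = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")

def find_order(cursor, order_id):
    cursor.execute(f"SELECT * FROM orders WHERE id = {order_id}")

def search(cursor, term):
    cursor.execute("SELECT * FROM docs WHERE body LIKE '%s'" % term)
'''

# ...and two that the rule must not flag: bound parameters, and literal pieces
# joined at compile time (a naive "any + means concatenation" rule would flag it).
SAFE = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = ?", (username,))

def list_all(cursor):
    cursor.execute("SELECT * FROM users " + "ORDER BY name")
'''

if __name__ == "__main__":
    for line, message in scan_source(VULNERABLE):
        print(f"vulnerable.py:{line}: {message}")
    print(f"safe.py: {len(scan_source(SAFE))} findings")
```

The literal check is what keeps the false-positive rate down on real code bases; the next step a commercial tool takes is data-flow analysis to decide whether the interpolated value can come from a request, which is where most of the engineering effort in SAST goes.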

If you want to get started, here are some recommendations for SAST tools. They’re in no particular order:

  • Veracode
  • Checkmarx
  • SonarQube
  • Fortify
  • CodeSonar
  • ESLint (free, open-source linter for JavaScript; security checks come from plugins)
  • Bandit (free and open-source, for Python)
  • Snyk

Do keep in mind that SAST is not a fully-fledged security test. It’ll highlight the vulnerabilities that match known code patterns… and that’s it. It won’t hold off highly skilled hackers. Still, if you’re starting out, do this. It’s the first step to having secure software.


Run Dynamic Application Security Testing (DAST)

DAST is a method of evaluating the security of a web application by analyzing its behavior in real-time. It involves sending simulated attacks to the application and observing how it responds. DAST can identify vulnerabilities that are difficult to detect with other methods, such as injection attacks and cross-site scripting (XSS) attacks.

DAST is important because developers don’t have to rely solely on their own knowledge when building applications. By conducting DAST during the SDLC (Software Development Lifecycle), you can catch vulnerabilities in an application before it’s deployed to the public. If these vulnerabilities are left unchecked and the app is deployed as such, this could lead to a data breach, resulting in major financial loss and damage to your brand reputation. 

Humans make mistakes, and errors will inevitably creep in at some stage of the Software Development Life Cycle (SDLC). The sooner a vulnerability is caught during the SDLC, the cheaper it is to fix.

Since DAST works by simulating automated attacks on an application, it has no inside information about it and no access to the source code. It attacks just as a malicious hacker would, with only the knowledge an outsider can gather. After a DAST scanner performs these attacks, it looks for responses that are not part of the expected result set and flags them as security vulnerabilities.

The goal here is to find outcomes or results that were not expected and could therefore be used by attackers to compromise an application. 


Pros of DAST: 

  • It can identify security vulnerabilities in web applications that could be exploited by attackers.
  • Tests an application in its operational state, allowing it to identify vulnerabilities that may not be caught by other types of security testing.
  • DAST tools can quickly scan an application to identify vulnerabilities, allowing security teams to prioritize remediation efforts based on risk severity.
  • This tool can test the entire application, providing a more comprehensive evaluation of an application's security posture.
  • It’s a cost-effective way to evaluate the security of web applications, as it does not require access to the application's source code or specialized security expertise.
  • It’s a way to help ensure that web applications comply with industry standards and regulations.
  • DAST tools are equipped to function in a dynamic environment, they can detect runtime flaws that SAST tools can’t identify. This way, it actively attempts to find vulnerabilities in a running environment so the DevOps team knows where and how to fix them.
Cons of DAST: 

  • DAST tools only test an application’s external behavior, such as its user interface and web services, and do not assess its internal workings. This limits their ability to identify vulnerabilities in code paths the scanner never reaches, such as back-end components with no externally observable effect.
  • Traditional DAST tools can generate false positives, which can result in wasted time and effort, as well as lead to potential security gaps if real vulnerabilities are ignored due to too many false positives.
  • The limited context of DAST tools, since they operate without full knowledge of the application, such as business logic or the intended user experience, can result in a lack of accuracy in identifying vulnerabilities and their potential impact on the application.
  • It may not detect all types of vulnerabilities, and it cannot point to the exact location of a vulnerability in the code; a developer still has to trace the flagged request back to the responsible line.

Now, if you want to properly integrate DAST, you need to make sure you have the right processes in order:

  1. Integrate your DAST tool with ticketing and bug-tracking systems. There’s no point in finding vulnerabilities if you can’t pass the information on to developers to fix them on time.
  2. Adopt defensive coding practices. Learn from each vulnerability highlighted by the tool to improve the code you write in the future.
  3. Use DAST as early in the SDLC as possible.
  4. Integrate DAST with your CI/CD pipeline.
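The steps above describe DAST from the outside; here is what the scanner itself does. This is an added example, not the post’s code or that of any vendor listed below: a constructed WSGI application with one safe and two vulnerable endpoints, and a scanner that knows nothing about its code. It only sends crafted requests (an XSS canary and a stray quote) through the WSGI interface and looks at the responses. The endpoint list, the canary string and the error markers are assumptions; a real scanner crawls to find endpoints and carries hundreds of payloads per vulnerability class.

```python
"""Black-box probing of a running web app, the way a DAST scanner works.

Added example. The target app is constructed; the scanner never reads its code.
"""
import html
import sqlite3
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

# --- constructed target: one safe endpoint and two vulnerable ones ---
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE items (id INTEGER, name TEXT)")
_db.execute("INSERT INTO items VALUES (1, 'widget')")


def target_app(environ, start_response):
    params = {k: v[0] for k, v in parse_qs(environ.get("QUERY_STRING", "")).items()}
    path = environ.get("PATH_INFO", "/")
    status = "200 OK"
    try:
        if path == "/search":    # reflects input verbatim: XSS
            body = f"<p>Results for {params.get('q', '')}</p>"
        elif path == "/hello":   # escapes output: safe
            body = f"<p>Hello {html.escape(params.get('name', ''))}</p>"
        elif path == "/item":    # concatenates into SQL: injection
            row = _db.execute("SELECT name FROM items WHERE id = " + params.get("id", "0")).fetchone()
            body = f"<p>{html.escape(row[0]) if row else 'not found'}</p>"
        else:
            status, body = "404 Not Found", "<p>missing</p>"
    except sqlite3.Error as exc:  # leaks the driver error, as sloppy handlers do
        status, body = "500 Internal Server Error", f"<pre>{html.escape(str(exc))}</pre>"
    start_response(status, [("Content-Type", "text/html")])
    return [body.encode()]


# --- the scanner: crafted requests in, observed responses out ---
def http_get(app, path, params):
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"], environ["QUERY_STRING"] = path, urlencode(params)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


XSS_CANARY = '"><dastprobe7 x=1>'   # survives only if the output is not encoded
SQL_ERROR_MARKERS = ("sqlite3", "syntax error", "SQL syntax", "unrecognized token", "ORA-")


def probe(app, path, param, normal_value):
    findings = []
    _, body = http_get(app, path, {param: XSS_CANARY})
    if XSS_CANARY in body:
        findings.append(("reflected-xss", path, param))
    status, body = http_get(app, path, {param: normal_value + "'"})
    if status.startswith("500") or any(m in body for m in SQL_ERROR_MARKERS):
        findings.append(("sql-error", path, param))
    return findings


def scan(app, endpoints):
    """endpoints: (path, parameter, a value the app normally accepts)."""
    return [f for path, param, value in endpoints for f in probe(app, path, param, value)]


ENDPOINTS = [("/search", "q", "widget"), ("/hello", "name", "bob"), ("/item", "id", "1")]

if __name__ == "__main__":
    for kind, path, param in scan(target_app, ENDPOINTS):
        print(f"{kind:14s} {path}?{param}=...")
```

Two things to notice, both of which match the cons listed above: the scanner reports the request that misbehaved, not the line of code responsible, and the error-based SQL check would miss an injection whose handler swallows exceptions (a blind injection needs timing or boolean probes instead).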
If you think this is the right option for your company, you can check out what these companies are building:

  • Invicti (formerly Netsparker)
  • Indusface WAS
  • Acunetix
  • Intruder
  • Astra Pentest
  • OWASP ZAP (open source)

Run Interactive Application Security Testing (IAST) 

IAST stands for Interactive Application Security Testing. It is a modern approach to application security testing that combines elements of both DAST and SAST techniques. In IAST, security testing is performed dynamically during application runtime by instrumenting the application code and monitoring its behavior for potential vulnerabilities.

The goal of using IAST is to provide a real-time, in-depth security analysis of running applications. This helps identify vulnerabilities that may be missed by traditional testing methods and provides accurate results by analyzing the actual code execution paths.

Pros of using IAST:

  • Accurate Results: IAST provides precise identification of vulnerabilities by analyzing the runtime behavior of the application.
  • Reduced False Positives: The dynamic nature of IAST reduces false positives compared to static analysis tools.
  • Real-time Testing: IAST offers continuous security testing during application runtime, allowing for immediate detection of vulnerabilities.
  • Modest Impact on Performance: because the agent observes the application from the inside, its overhead is usually lower than that of crawling and attacking the whole application from the outside, although the instrumentation is not free (see the cons below).
  • Comprehensive Coverage: IAST can analyze the entire application stack, including third-party libraries and frameworks.

Cons of using IAST:

  • Limited Language Support: Some IAST tools may have limited language support, potentially restricting their use for certain applications.
  • Instrumentation Overhead: Instrumenting the application code for IAST can introduce additional complexity and overhead during deployment.
  • Limited Detection of Configuration Issues: IAST is primarily focused on identifying code-level vulnerabilities and may have limitations in detecting configuration-related issues.

Here are some of the most common use cases for IAST:

  • Real-Time Vulnerability Detection: IAST excels in identifying vulnerabilities in real-time as the application is running, allowing for immediate detection and response to potential threats.
  • Agile and DevOps Environments: IAST integrates well with Agile development methodologies and DevOps practices, providing continuous security testing throughout the software development lifecycle.
  • Complex Web Applications: IAST is particularly effective for securing complex web applications with intricate interactions and dynamic behaviors, where static analysis tools may struggle to provide accurate results.
  • Security Testing of Third-Party Components: IAST can help assess the security of third-party libraries, frameworks, and components integrated into your application, offering visibility into potential vulnerabilities within these dependencies.
  • Patch Validation and Verification: After applying security patches or making code changes, IAST can be used to validate the effectiveness of the fixes and ensure that the vulnerabilities have been successfully addressed.
  • Compliance and Audit Requirements: IAST produces runtime security-testing evidence that helps satisfy the application security testing expectations of standards such as PCI DSS, and the regular security evaluations expected under regulations such as HIPAA and GDPR.
  • Continuous Monitoring of Applications: IAST allows for continuous monitoring of applications in production, providing ongoing security assessments to identify vulnerabilities that may have arisen due to changes or updates.

Integrating IAST into your organization can be simplified into the following five steps:

  1. Research and choose an IAST tool that aligns with your organization's requirements, considering factors such as language support, compatibility, and reporting capabilities.
  2. Set up a suitable testing environment that replicates your production environment to ensure accurate testing.
  3. Install and configure the selected IAST tool, and instrument your application code to enable runtime monitoring. 
  4. Run the application with the IAST tool in place, allowing it to analyze the runtime behavior and detect vulnerabilities in real-time. 
  5. Analyze the results generated by the IAST tool, prioritize the identified vulnerabilities based on severity, and remediate the issues effectively.
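Step 3 (“instrument your application code”) is the part people find mysterious, so here is a toy agent that shows the mechanism. This is an added example, not code from the post or from the products listed below. The agent replaces sqlite3.connect so that every connection the application opens is wrapped, records the request’s parameter values as tainted, and reports when tainted text reaches the SQL driver verbatim, together with the function and line that issued the query. The application code is constructed and never references the agent. Real agents propagate taint through string operations instead of matching substrings; that is the simplification here.

```python
"""A toy IAST agent for SQL injection.

Added example. The application functions are constructed and unaware of the agent.
"""
import sqlite3
import sys
import threading

_ctx = threading.local()   # request-scoped taint set, like an agent's request context
FINDINGS = []


def begin_request(params):
    """Framework hook: every request parameter value is a taint source."""
    _ctx.tainted = [v for v in params.values() if isinstance(v, str)]


def _inspect_sql(sql, caller):
    # Substring match stands in for real taint propagation (simplification).
    for value in getattr(_ctx, "tainted", ()):
        if value in sql:
            FINDINGS.append({"sink": "sqlite3.execute",
                             "function": caller.f_code.co_name,
                             "line": caller.f_lineno,
                             "tainted": value})


class _TracedCursor:
    def __init__(self, cursor):
        self._cursor = cursor

    def execute(self, sql, params=()):
        _inspect_sql(sql, sys._getframe(1))
        return self._cursor.execute(sql, params)

    def __getattr__(self, name):
        return getattr(self._cursor, name)


class _TracedConnection:
    def __init__(self, conn):
        self._conn = conn

    def cursor(self, *args, **kwargs):
        return _TracedCursor(self._conn.cursor(*args, **kwargs))

    def execute(self, sql, params=()):
        _inspect_sql(sql, sys._getframe(1))   # frame 1 is the application function
        return self._conn.execute(sql, params)

    def __getattr__(self, name):
        return getattr(self._conn, name)


_real_connect = sqlite3.connect


def install_agent():
    """Instrument sqlite3.connect so every connection the app opens is observed."""
    if sqlite3.connect is _real_connect:
        sqlite3.connect = lambda *a, **kw: _TracedConnection(_real_connect(*a, **kw))


# --- application code (constructed), written without any knowledge of the agent ---
def find_user_unsafe(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = '" + username + "'").fetchall()


def find_user_safe(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()


def handle_request(params, handler):
    begin_request(params)          # a real agent does this from WSGI/ASGI middleware
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return handler(conn, params["username"])


def run_demo():
    """Send one injection payload through both handlers; return what the agent saw."""
    install_agent()
    payload = "alice' OR 'x'='x"
    FINDINGS.clear()
    unsafe_rows = handle_request({"username": payload}, find_user_unsafe)
    unsafe_findings = list(FINDINGS)
    FINDINGS.clear()
    safe_rows = handle_request({"username": payload}, find_user_safe)
    return {"unsafe_rows": unsafe_rows, "unsafe_findings": unsafe_findings,
            "safe_rows": safe_rows, "safe_findings": list(FINDINGS)}


if __name__ == "__main__":
    for f in run_demo()["unsafe_findings"]:
        print(f"tainted data reached {f['sink']} in {f['function']}() at line {f['line']}")
```

Compare this with the two previous methods: a SAST rule would flag the concatenation but could not say whether it is exploitable, and a DAST probe would see the injected row come back but could not say where the query is built. The agent confirms both at once, which is why IAST findings tend to need far less triage.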

For using this testing mechanism, here are some suggestions that you can start with:

  • Contrast Security Assess
  • Hdiv
  • Seeker (Synopsys, formerly Quotium)
  • Waratek (runtime protection, RASP, rather than testing)
  • RIPS (static analysis for PHP, now part of SonarSource)
  • Contrast Security Protect (RASP, the runtime-protection counterpart of Assess)

Perform Software Composition Analysis (SCA)

Software Composition Analysis (SCA) is a technique used to identify and track the open-source components used in an application's codebase. SCA helps detect known vulnerabilities, license compliance issues, and other risks associated with using open-source components. It is an essential part of any organization's security and compliance efforts.

SCA is important because nowadays everyone builds on open-source code, and it’s hard to keep track of every component you depend on, let alone the vulnerabilities in each of them.

A weak point in their code is a weak point in your infrastructure. Not only does SCA help you find vulnerabilities, but it also helps you keep track of usage licenses. And all of this is done automatically! 

But do not forget that it also has some drawbacks. For example, false positives. They’re a common issue, and every false positive steals time away from your team. In addition, you also need to keep an eye out, as the SCA tool doesn’t always pick up newly disclosed vulnerabilities right away, or vulnerabilities in transitive dependencies (the dependencies of your dependencies) and dynamically loaded libraries that never appear in a manifest.
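What an SCA tool does at its core is match a lockfile against a vulnerability feed, and the drawbacks just described (transitive dependencies, unpinned versions) show up immediately when you write it out. The script below is an added example, not from the post or from any tool listed below. It parses a constructed pip-compile-style lockfile, records which parent pulled in each transitive dependency, compares pinned versions against a constructed advisory list, and reports unpinned requirements it cannot assess. The package names and advisory IDs (EXAMPLE-000x) are invented and describe no real software; version comparison is simplified to numeric dotted versions.

```python
"""Lockfile versus advisory feed: the core of an SCA tool.

Added example. Packages, versions and advisories below are constructed.
"""
import re

LOCKFILE = """\
# generated by a pip-compile style resolver (constructed example)
webframe==3.2.12
    # via -r requirements.in
httpfetch==2.25.1
    # via -r requirements.in
urlkit==1.26.4
    # via httpfetch
yamlparse==5.3.1
    # via -r requirements.in
reportgen>=1.0
"""

# Each advisory gives the first affected version and the first fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "urlkit", "introduced": "1.26.0", "fixed": "1.26.5", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "yamlparse", "introduced": "0", "fixed": "5.4", "severity": "CRITICAL"},
    {"id": "EXAMPLE-0003", "package": "webframe", "introduced": "4.0", "fixed": "4.0.3", "severity": "MEDIUM"},
]
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
_PIN = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$")
_VIA = re.compile(r"^\s+# via (.+)$")


def parse_version(text):
    """Numeric dotted versions only (assumption; real tools implement PEP 440)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_lockfile(text):
    """Return ({name: {"version", "via"}}, [unpinned requirement lines])."""
    deps, unpinned, current = {}, [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") and current is None:
            continue
        if m := _PIN.match(line.strip()):
            current = m.group(1).lower()
            deps[current] = {"version": m.group(2), "via": "direct"}
        elif (m := _VIA.match(line)) and current:
            if not m.group(1).startswith("-r"):
                deps[current]["via"] = m.group(1)   # transitive: pulled in by this parent
        elif not line.startswith((" ", "#")):
            unpinned.append(line.strip())   # cannot be assessed, and builds are not reproducible
    return deps, unpinned


def find_vulnerable(deps, advisories):
    """Match every pinned dependency against the feed; most severe first."""
    findings = []
    for adv in advisories:
        dep = deps.get(adv["package"])
        if dep is None:
            continue
        version = parse_version(dep["version"])
        if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
            findings.append({"package": adv["package"], "version": dep["version"],
                             "via": dep["via"], "advisory": adv["id"],
                             "severity": adv["severity"], "fix": adv["fixed"]})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def run_demo():
    deps, unpinned = parse_lockfile(LOCKFILE)
    return find_vulnerable(deps, ADVISORIES), unpinned


if __name__ == "__main__":
    vulns, unpinned = run_demo()
    for v in vulns:
        print(f"{v['severity']:8s} {v['package']}=={v['version']} ({v['advisory']}, via {v['via']}): upgrade to {v['fix']}")
    for line in unpinned:
        print(f"UNPINNED {line}: cannot assess, pin it")
```

The "via" column is the part that matters in practice: the vulnerable urlkit was never added by anyone on the team, it came in through httpfetch, and upgrading it may mean upgrading the parent first. The unpinned line is the other drawback made visible: without a resolved version there is nothing to compare against the feed.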

You can check out the following SCA tools:

  • Black Duck
  • Snyk
  • WhiteSource (now Mend)
  • FOSSA
  • OWASP Dependency-Check (open source)

Start doing Pentests

Penetration testing (pentesting) is a security assessment method that simulates a real-world attack on a web application or network to identify and, within the agreed scope, exploit vulnerabilities. A pentest typically involves a series of manual and automated tests to evaluate an application's security posture and identify potential attack vectors.

Pentests are great as they use more complex attack vectors, something that automated tools struggle with. They usually also go over the whole application, while tools focus on a specific part of it.

By the way, if you want to be compliant with regulations like PCI DSS (which explicitly requires periodic penetration testing) or GDPR (which requires regular testing of your security measures), then we recommend doing pentests. But do keep in mind that pentesting is not a silver bullet. We’ll show you some drawbacks and some ways to turn the situation around. For example:

Limited Scope
While pentesting focuses on specific targets or applications, potentially leaving other parts of the infrastructure or technology stack unexplored, you can conduct comprehensive scoping exercises to identify critical assets and potential attack surfaces beyond specific targets.

Trusting the Pentesters
A pentest requires trusting outsiders to attack your systems on your behalf, under a written authorization that makes the activity legal, and finding trustworthy pentesting companies can be challenging. To make this easier, you should research and engage with pentesting companies that have a proven track record and positive customer reviews. Not only that, but you should also request references and ask for certifications such as OSCP (Offensive Security Certified Professional) to validate their expertise.

Damage and Disruption
Penetration tests may unintentionally cause server crashes, network slowdowns, data corruption, or other negative impacts on the tested systems. In this case, you should implement thorough planning and coordination with the pentesting team to minimize potential disruptions or impacts on production systems. You can also conduct this type of testing in controlled environments, such as staging or isolated test environments, to mitigate the risk of unintended consequences.

Rigid Methodologies
Pentesting usually follows rules and frameworks such as the OWASP Testing Guide, PTES, OSSTMM, PCI DSS, the SANS/CWE Top 25, and WASC. A large part of this can be automated, and it also limits the pentesters’ creativity. That’s fine if you see cybersecurity as a requirement rather than an enabler. If you want to go the extra mile, you should allow some flexibility within the testing methodologies to encourage creative and unconventional approaches. Another option is hiring ethical hackers.

Limited Vulnerabilities
Penetration testing has a finite testing period, limiting the number of vulnerabilities that can be discovered. For this, you should consider periodic vulnerability assessments and continuous security monitoring to complement pentesting efforts and identify vulnerabilities that may emerge after a test. In this case, you can also search for continuous pentesting tools. 

Time Intensive and Costly
Penetration tests are expensive, especially when hiring reputable consulting firms, and they require a significant time commitment from your own team to analyze the results and address any identified issues. To make the most of the pentest, prioritize critical assets and focus on high-risk areas to optimize testing efforts and cost-effectiveness.

Timing and Frequency
Pentesting is typically performed periodically, such as annually or biannually. However, cyber threats and attack techniques evolve rapidly. Vulnerabilities discovered after a pentest may remain unaddressed until the next scheduled test, leaving the system exposed to potential attacks during that time. For this part, you can adopt a more agile and continuous approach to security testing by integrating security into the development lifecycle. This can be done with techniques like secure coding practices, security testing automation, and regular security updates.

Human Factor
Pentesting relies on the skills and expertise of the testers. The effectiveness of a pentest heavily depends on the experience, knowledge, and creativity of the individuals performing it. Human errors, biases, or limited knowledge in specific areas can impact the comprehensiveness and accuracy of the tests.
However, humans are the ones making this possible and your team can stay updated on the latest attack techniques and emerging threats by sharing knowledge with the pentesters. 

If you want to start with pentesting, these are the tools and platforms most commonly used:

  • Nmap
  • Metasploit
  • Burp Suite
  • WPScan
  • dirsearch
  • Subfinder
  • sqlmap
  • ffuf
  • Hydra
  • Netcat
  • Sublist3r
  • Aircrack-ng
  • Nuclei
  • Ethiack

Go deeper and do Ethical Hacking

This is a little different from pentesting because it puts real ethical hackers to work on your assets, typically through a bug bounty or vulnerability disclosure program. As we said, pentesting depends a lot on the quality of the pentester, and it’s usually very checklist-based.

Ethical hacking is more impact-focused because hackers usually earn depending on the impact of the vulnerability and not on the number of hours of testing.

This will allow you to go deeper and find vulnerabilities with greater impact.

The advantage is that you let hackers do what they do best, be creative, and think outside the box, without being limited by a checklist. On the other hand, you’ll be letting go of control of the process.

Here are some options to get started with Ethical Hacking:

  • Intigriti
  • Ethiack
  • Hackerone
  • BugCrowd

Do third-party vulnerability assessments

Third-party vulnerability assessments involve an external security company or consultant performing security tests. The goal is to find vulnerabilities that could be exploited by malicious hackers.

This, however, is not for your company. It’s for your suppliers and vendors. They will be the ones getting audited to ensure they’re compliant and thus can keep doing business with you.

If your security depended solely on you, everything would be easier. Unfortunately, it is not. You need to make sure all the companies you interact with are compliant. And while this can get pricy, it’s still needed if you want full protection.

We don’t recommend doing this assessment for smaller SaaS. They should be focused on the other recommendations outlined above, as they’re much more impactful.

Consider the following options for running an assessment:

  • Qualys
  • Tenable
  • Rapid7
  • Acunetix

Test API connections

You work in a SaaS, so you already know what an API is. Not going to dive into that!

However, you should be aware that APIs are a common way for hackers to gain access. Take a look at Twitter. In January 2023, a dataset with over 200 million Twitter profiles was published; it had been compiled by abusing an API flaw that let anyone look up the account linked to an email address or phone number. If Twitter can be caught out, so can you. Make sure you pick the right tool. It should have:

  • Support for different types of APIs, including REST, SOAP, and GraphQL.
  • Integration with other security tools, such as DAST and SAST.
  • Automation for continuous testing and integration with DevOps pipelines.
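Tool support for REST, SOAP and GraphQL is necessary but not sufficient; the test cases themselves are what catch a Twitter-style flaw. The code below is an added example, not from the post or from the tools listed afterwards: an in-process stand-in for a SaaS API (constructed users and bearer tokens, assumed endpoint shapes) and the authorization checks any API test suite should contain. Unauthenticated requests must be rejected, a user must not be able to read another user’s record (object-level authorization), and an account-lookup endpoint must return the same response whether or not the e-mail is registered. The flags on make_api switch the weak behaviour on so you can see the checks fail; against a real API the same checks run over HTTP.

```python
"""Authorization checks for a SaaS API.

Added example. The API, users and tokens are constructed stand-ins.
"""
import hmac

# Constructed data: bearer tokens map to user ids; each user owns one record.
TOKENS = {"tok-alice": 1, "tok-bob": 2}
USERS = {1: {"email": "alice@example.com", "plan": "pro"},
         2: {"email": "bob@example.com", "plan": "free"}}


def make_api(enforce_ownership, uniform_lookup):
    """Build an API handler; the two flags switch the weak behaviours on or off."""
    def api(method, path, headers=None, query=None):
        headers, query = headers or {}, query or {}
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        caller = next((uid for t, uid in TOKENS.items() if hmac.compare_digest(t, token)), None)
        if caller is None:
            return 401, {"error": "authentication required"}
        if method == "GET" and path.startswith("/users/"):
            uid = int(path.rsplit("/", 1)[1])
            if enforce_ownership and uid != caller:
                return 404, {"error": "not found"}   # 404, not 403: don't confirm the id exists
            return (200, USERS[uid]) if uid in USERS else (404, {"error": "not found"})
        if method == "GET" and path == "/lookup":
            known = any(u["email"] == query.get("email") for u in USERS.values())
            if uniform_lookup:
                return 202, {"status": "if that address is registered, we sent an e-mail"}
            return (200, {"registered": True}) if known else (404, {"registered": False})
        return 404, {"error": "not found"}
    return api


def check_authorization(api):
    """Run the checks and return the names of the ones that fail."""
    failures = []
    alice = {"Authorization": "Bearer tok-alice"}
    bob = {"Authorization": "Bearer tok-bob"}
    if api("GET", "/users/1")[0] != 401:
        failures.append("unauthenticated read allowed")
    if api("GET", "/users/1", alice)[0] != 200:
        failures.append("owner cannot read own record")
    status, body = api("GET", "/users/1", bob)   # BOLA/IDOR: bob reading alice's record
    if status == 200 or "email" in body:
        failures.append("cross-tenant read allowed")
    # Enumeration: the responses for a registered and an unknown address must be identical.
    known = api("GET", "/lookup", alice, {"email": "alice@example.com"})
    unknown = api("GET", "/lookup", alice, {"email": "nobody@example.com"})
    if known != unknown:
        failures.append("lookup endpoint reveals whether an e-mail is registered")
    return failures


if __name__ == "__main__":
    print("hardened:", check_authorization(make_api(True, True)) or "all checks pass")
    print("weak:    ", check_authorization(make_api(False, False)))
```

Run these against every object type your API exposes, with at least two tenants' credentials, and keep them in CI next to the functional tests: the tools listed below (Postman collections, REST Assured suites and the like) are a fine place to host exactly these requests.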

And as before, we recommend some tools to get the job done. Note that these are API development and functional-testing tools: they give you a place to write and automate security test cases (authentication, authorization, input handling) rather than finding vulnerabilities on their own:

  • Postman
  • SoapUI
  • JMeter
  • Swagger
  • Insomnia
  • REST Assured

What’s Next

And that’s it!

This is the complete guide for keeping your SaaS safe. In short, you should:


  1. Review your current security measures and identify areas that need improvement.
  2. Implement testing tools like EASM, SAST, DAST, and IAST, as part of your regular security testing process.
  3. Schedule regular pentesting and third-party vulnerability assessments to identify vulnerabilities that may have been missed (one/two pentests per year isn’t enough). Step in deeper and add ethical hacking to your list if you really want to stay secure.
  4. Test the security of your API connections and ensure proper authentication and authorization mechanisms are in place.
  5. Stay informed about new threats and vulnerabilities and update your security measures accordingly.

The importance of cybersecurity just keeps growing by the day. Make sure you stay safe out there!