Security for SaaS software products must be addressed along the following dimensions.
- Threat sources, both intentional (malicious probes, floods, spoofing, etc.) and inadvertent (identification, authorization, boundary violations, etc.). In a SaaS environment, an intentional threat can wreak great havoc because multiple customers are sharing the same code and database. Additionally, inadvertent threats become much more likely, such as one customer gaining access to another customer’s data.
- Phase of vulnerability introduction, the steps in a software development lifecycle, including requirements, design, source code development, object code creation, deployment, operations, and maintenance. SaaS development requires re-thinking an application’s and database’s architecture from the ground up to insure isolation and confidentiality. Ongoing operations and maintenance processes must be designed to ensure new vulnerabilities are not introduced.
- Target of threat, including account information, application processes, data, code modules, and infrastructure. Each component of an application is more at risk in a SaaS deployment because of its shared-use nature.
This means that security must be “built in” to a SaaS software product from the beginning. Threats and vulnerabilities must be understood and be the basis of the security requirements of a SaaS software product. The development process must ensure that the product is architected and designed to meet the security requirements, that development and testing practices and tools ensure the security requirements are met, and that the execution environment has been designed and implemented to meet security requirements.
Are you developing a secure SaaS software product?