Monday, January 17, 2011

Are SaaS Software Products Secure?

Software delivered over the Internet is exposed to increasing threats to confidentiality, integrity, and availability. SaaS implementations have an even greater exposure than single-customer deployments. Some analysts have estimated that as many as 90% of all Web-accessible commercial applications have security vulnerabilities. What can and should be done to minimize security vulnerabilities of a SaaS software product?

Security for SaaS software products must be addressed along the following dimensions.

  • Threat sources, both intentional (malicious probes, floods, spoofing, etc.) and inadvertent (identification, authorization, boundary violations, etc.). In a SaaS environment, an intentional threat can wreak great havoc because multiple customers are sharing the same code and database. Additionally, inadvertent threats become much more likely, such as one customer gaining access to another customer’s data.
  • Phase of vulnerability introduction, meaning the step in the software development lifecycle at which a weakness enters the product: requirements, design, source code development, object code creation, deployment, operations, or maintenance. SaaS development requires re-thinking an application’s and database’s architecture from the ground up to ensure isolation and confidentiality. Ongoing operations and maintenance processes must be designed to ensure new vulnerabilities are not introduced.
  • Target of threat, including account information, application processes, data, code modules, and infrastructure. Each component of an application is more at risk in a SaaS deployment because of its shared-use nature.

This means that security must be “built in” to a SaaS software product from the beginning. Threats and vulnerabilities must be understood and must form the basis of the product’s security requirements. The development process must ensure that the product is architected and designed to meet the security requirements, that development and testing practices and tools ensure the security requirements are met, and that the execution environment has been designed and implemented to meet security requirements.

Are you developing a secure SaaS software product?

2 comments:

  1. This review is nice. Thank you for news. To protect yourself from future losses try comparing homeowners insurance by state to save more on homeowners insurance coverage.

  2. Thank you for the info. It sounds pretty user friendly. I guess I’ll pick one up for fun. thank u.

    Outsource Product Development
