Technology adoption is revolutionizing all industry verticals and has led to the emergence of newer domains like Health-tech, Retail-tech, Insurance-tech, and so on. Many digital solutions developed as part of this technology revolution are subscription-based software as a service (SaaS) applications. The global software as a service (SaaS) market is booming and expected to reach a staggering 400 billion by 2025. Founders and stakeholders of the SaaS solutions, while focusing on product areas like use cases, features, scalability, look and feel, etc., needed to win contracts, cyber security is often considered a low priority requirement.

Why should you invest in security though your app is cloud hosted?

Most SaaS providers do not consider security investments at the build phase. They believe that as their solution is cloud hosted, necessary level of security needed for infrastructure and deployed environment is by default provided by the cloud service provider.

It is important to note that most SaaS service providers consume IaaS or PaaS from a CSP like AWS, Azure, or GCP for developing and hosting the applications and, in that sense, a customer of the CSP. Other than the physical security responsibilities of the hosts, networks, and data center, the security responsibilities of all different service types are shared between CSP and SaaS provider or are entire with the SaaS provider. Security responsibilities of information and data, devices used for access (mobiles and PCs), and accounts and identities are always with the CSP customer.

Why can the decision to invest in security later be too costly?

SaaS providers might decide to live with the bare minimum-security features. They may choose to invest in proper security solutions and practices at a later stage. This decision can be very perilous as a single hack, or privacy violation can result in loss of customer trust, legal issues, penalization by regulators, etc., which can challenge the business's existence itself.

Why annual penetration testing to meet compliance requirements is not adequate?

Depending on the type of the SaaS solution and the industry vertical it is serving, there may be several compliance requirements to meet like HIPAA, ISO/IEC-27001, SOC 2, PCI DSS, etc. These compliance regulations demand only annual, biannual, or quarterly penetration testing. SaaS products or solutions are developed with agile software development practices. While agile development methodology offers numerous benefits like automated configuration and software deployment in minutes instead of days, continuous and repeatable process, consistency, minimum downtime, and continuous collaboration, it comes with the risk of shared security responsibility between Information Security teams, and third parties like CASB. The rapid changes introduced to meet business requirements may result in security flaws that attackers can misuse. Waiting for the following penetration testing iteration to identify security problems in this scenario can be risky.

SaaS and the risk from third-party integrations

Digital Transformation with SaaS solutions of any tech vertical is heavily dependent on integrations with several 3rd party solutions that could be inbound, outbound, or bidirectional with several applications and infrastructure components in the ecosystem. Most of the time, this is achieved by API integrations that liaise third-party systems or services with internal and sensitive systems. With the availability of detailed documentation guides related to 3rd party APIs for development and deployment, an attacker can perform reverse engineering attacks with great ease and accuracy. Hence the security assessments of SaaS environments should extend beyond penetration testing against API attacks like Credential Stuffing, Stolen Tokens, Data Exfiltration, Broken Authentication, Partner Breaches, and Account Takeover.

For SaaS security assessments, it is highly recommended that incorporating native measures of validation, existence, and effectiveness of compensatory security controls like the ones listed below are verified.

• Application Delivery Controllers (ADC) or Gateways
• Content Delivery Networks for prevention of volumetric attacks
• Web Application Firewalls (WAF) for prevention of well-known API attacks
• Identity and Access Management solutions (IAM) for session-based attack prevention
• API Gateway level controls for input validation.

Continuously and precisely gauging the security risks of Saas environments from various third-party integrations, including and beyond SOAP Web Services (WS), Representational state transfer (REST), GraphQL, etc., requires the existence of a security assessment program that is continuous and attack surface driven.

Security assessment of Saas solutions should be comprehensive in terms of coverage to detect threats from various aspects, including authorization misuses, improper resource consumption bypassing security controls in place for rate-limiting/policing, improper consent management or reuse, and content violation, application workflow or business logic alterations, etc.

How can we help?

NST Cyber pioneers proactive, AI-driven Continuous Threat Exposure Management (CTEM). Our flagship NST Assure CTEM delivers rapid threat assessment, continuous vulnerability prioritization, and automated responses while maintaining compliance. In a dynamic cyber landscape, we're dedicated to safeguarding digital assets and the operational integrity of our customers.

In an era where cyber-attacks are increasingly driven by sophisticated algorithms, more than relying solely on human-centric defense mechanisms is required.NST Assure Continuous Threat Exposure Management (CTEM) platform is uniquely positioned to fill this gap. Built on a cloud-based architecture, it utilizes artificial intelligence (AI) and machine learning (ML) to automate threat detection and response. Unlike traditional security solutions, the NST Assure CTEM platform evolves in real-time by learning from vast data, delivering dynamic insights into potential cyber threats, and enhancing organizational resilience.

With NST Assure, changes in your external attack surface are continuously monitored with an AI/ML-powered discovery process, and observations are validated near real-time and de-duplicated. Against the prioritized most relevant and essential observations from threat surface discovery, penetration testing is auto-triggered to validate the possibility of exploitation.

NST Assure's in-depth and comprehensive discovery process covers all channels like the Internet, Deepweb, and Darkweb.NST Assure also comes with vulnerability risk prioritization support and the ability to convert security assessment observations to Machine Readable Threat Intelligence (MRTI) bundles, which your SOC and network security team can use for proactive monitoring and defense of exploitation attempts.

NST Cyber helps enterprises across the globe actively discover and manage external security risks continuously with the NST Assure CTEM platform.