5 Ways SaaS Solutions Lead to Security Vulnerabilities
SaaS is the new normal. Companies use Zoom, Slack, JIRA, New Relic, Google Workspace, GitHub, and many other services. At Resmo, we use more than 20 services that are critical for our daily operations. Service categories range from collaboration to accounting to security to DevOps.
Having experienced the sheer number of tools we must use, we can see how hard it is for DevOps and security teams to get visibility. Cloud is the first security concern many teams need to address, but it is definitely not the only one. We have started seeing SaaS breaches and, most importantly, configuration mistakes that can lead to serious security and compliance threats. For example, two years ago, Avinash Jain reported a serious misconfiguration issue in JIRA that affected Fortune 500 companies, including NASA. A misconfiguration in JIRA's global permission settings caused this breach. We also see many vulnerabilities that can lead to exposed code repositories, or to access to critical chatbots or dashboards with sensitive information, all because of a lack of visibility into SaaS assets. Gartner supports this claim and adds SaaS Security Posture Management in a recent report on cloud security.
We know an increasing number of SaaS services play a critical role in our companies. That means we must ensure these tools remain secure and compliant. But where do you start? At Resmo, we bring you security best-practice rules and rule packs out of the box: hundreds of queries written in SQL and ready-made rule checks. Given our experience bringing all these resources into one place, here are the common concerns in SaaS security.
Account security policies
Accounts have specific configurations, as in the JIRA incident mentioned above. Admins can configure global settings that could create security vulnerabilities. For example, many SaaS solutions let you assign a default role to new users; if someone changes this option to an admin or owner role, unauthorized access may be granted to every new user. In another example, changing the default visibility of projects or automatically adding users to a channel can lead to a security or compliance violation.
Authentication and authorization preferences
Compliance frameworks often require good practices for user authentication, such as SSO login and two-factor authentication. Many SaaS solutions offer social login and 2FA, but if someone changes this option, you get an email at best. Real-time notifications are critical for password policy changes and other authentication security measures. Authorization is an integral part as well, since we don't want users to have unauthorized access to certain resources.
Secret key management
Secrets, as the name implies, should remain secret :) Tools often skip critical practices to onboard users faster, but that can lead to secrets leaking. For instance, an API key may go unused for a long time and not be rotated for years, and no one would even know. The best practice is to keep an eye on unused keys and rotate them every 6 months or so.
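As an added example (not Resmo's own code or one of its rule packs), the following Python check walks a constructed inventory of API key records, such as one exported from a SaaS admin API, and flags keys that have never been used, have sat idle, or have passed the six-month rotation window from the paragraph above. The 90-day idle threshold and the record format are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds: the post suggests rotating keys every 6 months; the idle
# window of 90 days is an assumption chosen for this example.
ROTATION_MAX_AGE = timedelta(days=180)
UNUSED_MAX_IDLE = timedelta(days=90)


@dataclass
class ApiKey:
    key_id: str                        # placeholder identifier, not a real key
    owner: str
    created_at: datetime
    last_used_at: Optional[datetime]   # None means the key was never used


def audit_api_keys(keys, now):
    """Return {key_id: [finding, ...]} for keys that need attention.

    Findings: 'never-used', 'unused' (idle longer than UNUSED_MAX_IDLE)
    and 'rotation-overdue' (created more than ROTATION_MAX_AGE ago).
    """
    findings = {}
    for key in keys:
        issues = []
        if key.last_used_at is None:
            issues.append("never-used")
        elif now - key.last_used_at > UNUSED_MAX_IDLE:
            issues.append("unused")
        if now - key.created_at > ROTATION_MAX_AGE:
            issues.append("rotation-overdue")
        if issues:
            findings[key.key_id] = issues
    return findings


# Constructed sample inventory (no real keys or accounts).
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    ApiKey("key-ci-deploy", "ci-bot", NOW - timedelta(days=20), NOW - timedelta(days=1)),
    ApiKey("key-legacy-report", "alice", NOW - timedelta(days=400), NOW - timedelta(days=200)),
    ApiKey("key-onboarding-trial", "bob", NOW - timedelta(days=30), None),
    ApiKey("key-old-but-active", "carol", NOW - timedelta(days=365), NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    for key_id, issues in audit_api_keys(SAMPLE_KEYS, NOW).items():
        print(f"{key_id}: {', '.join(issues)}")
```

Running the check as a scheduled job and alerting on any non-empty result gives the kind of timely notification the post asks for, instead of discovering a stale key years later.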
Privacy status of your resources
Many resources can be public or private to the outside world. In the cloud environment, every year we hear about S3 bucket leaks. But these public status change issues are not strictly related to the cloud. For example, GitHub and GitLab offer ways to change the public status of repositories, and if someone changes it, all users get is an email. Audit logs of who made these changes matter a lot for a proactive and timely response.
Data encryption status
When you look at the security pages of many leading tech companies, you'll see they state their resources are encrypted at rest and usually in transit. These are also required for SOC 2 compliance. For example, if you are using a queue service or a database as SaaS, encryption is usually an option you pay for. Engineers can easily forget to enable it in production or change the setting unknowingly. Keeping an eye on encryption settings requires checks in many places you may not even be aware of.
SaaS Security is too important to ignore
At Resmo, we are building a complete Cloud and SaaS asset visibility, security, and compliance solution that is well integrated and easy to use. We have already integrated with many of the tools mentioned in this article, and more. We currently collect more than 300 resource types, and the number is increasing day by day. We are in private beta right now and would love to show you how easy it is to avoid these breaches and get alerted right away!