SaaS companies have fundamentally transformed the enterprise software model and at this point it seems there is no going back.
In his SaaS Manifesto, Peter Levine says, “It doesn’t happen often, every 10 to 15 years or so, but we are in the throes of the reordering of the $4 trillion corporate IT market. And depending on which side of that transformation you sit, this is either the best time to be an enterprise technology company (see: renaissance in enterprise computing), or reason to start looking for a new line of work.”
SaaS-first businesses like Salesforce, Box, Hubspot, Wix, ServiceNow, and Workday are taking over. It’s actually becoming risky for enterprise software companies NOT to adopt the SaaS technology and business model. There’s a real fear of being left behind. Over the next 10–20 years, every software company will be a SaaS company.
SaaS companies don’t necessarily have all the answers, but they are inherently flexible and can easily iterate according to market feedback and business needs. It’s all about speed of innovation, design, and usability. The faster you can go, the less you spend on product development, and the fewer person hours are required to deliver a complete solution. Every iteration is an opportunity to deliver greater business value.
The problem with buying a SaaS solution from someone you don’t know is trust. When you don’t have a long-term, heavily invested relationship with your customers (as in the old-school IT-driven, on-premise local data center implementation model), how do you signal quality? Elements like security and regulatory compliance must be maintained, but the way they are implemented can’t slow the business down.
Here are 5 things you need to know about SaaS companies and pen testing —
Thing 1: Secure software is business critical.
SaaS companies need their customers to trust that they can deliver the software. This business model requires software security up-front, as a strategic business driver. This is a significant departure from the “security as a cost center” thinking of old-school enterprise software. DevOps leaders have referred to application security pen test reports as “candy for sales people” because showing proof of a technical security test often eliminates a whole line of objection and questioning in the SaaS sales cycle. (Security is mentioned as the #1 key adoption challenge on the SaaS Wikipedia page.)
Thing 2: Application security is what matters.
When an enterprise software solution requires servers to be deployed and networked in a local data center, network security pen testing is important. Now that on-demand, low-cost technology is available whenever it’s needed, the security focus has shifted to application security pen testing. Cloud service platforms like AWS provide host and network level security controls that are “recognized as better than on-premises,” and the application layer becomes the primary point of control for a SaaS company.
Thing 3: Human-powered security testing is necessary.
Web applications are getting more complex, cloud applications are increasingly API-driven, and code is being deployed faster and faster. Application security scanners can’t solve everything (they’re noisy and particularly bad at identifying security problems that have to do with business logic, authorization and session management). It takes creative thinking to find the juiciest security bugs and flaws in an application (read: the types of security issues that might land your company a feature on the front page of the Wall Street Journal, and not in a good way).
Thing 4: On-demand specialization wins.
In the previous era of enterprise software, companies offering suites of complementary solutions would win because of existing relationships with the CIO and existing investments in IT infrastructure. Going forward, every industry will have a technology component, and this will be delivered by SaaS companies that solve point problems really well.
When it comes to software security, SaaS companies aren’t going to hire full-time application security engineers. They’re going to hire freelancers with the right skills to perform manual penetration tests of their apps on-demand.
Thing 5: Agile companies need agile pen testing.
In the SaaS world, the old-school approach of scan-everything-and-pen-test-once-a-year doesn’t fly. Every newly released feature that hasn’t been pen tested has the potential to contain unknown security vulnerabilities.
Agile and continuous software development methodologies result in SaaS solutions constantly being updated. This approach makes developers more productive and decreases time to deliver business value. DevOps teams need to be able to identify, prioritize, and remediate software vulnerabilities in pace with their release cycles. The best way to make this happen is, you guessed it, a SaaS pen test platform that integrates with a SaaS company’s existing SDLC. Delivery of validated security bugs needs to be integrated into developer tracking systems like JIRA and GitHub. Engineers need to be able to communicate with pen testers in a continuous fashion in order to get questions answered and fixes validated.
Today’s penetration tests must be agile, actionable, smart, and cost effective. Enterprise software has changed and penetration testing has changed too.