SaaS and security

@ian just posted this in his twitter stream. I know he’s not going to post it on here, so I will.

Just another thing to worry about when you’re running a SaaS app.

I will clarify this for you fine folks here though, as it may be useful. There’s a group of people these days who test apps (mostly XSS in my experience) simply for challenge, credit and sometimes profit. They’re pretty much “white hat” and if you have a security page for your SaaS app they’ll notify you, generally with the expectation that you’ll at least list them on a wall of fame. You can see ours here: http://www.besnappy.com/security

I did this on the recommendation of @patio11 actually. Now, I will say, it’s pretty stressful when it starts out :smile: as knowing people are trying to hack you is rather scary. It will usually start very heavy. The day it started for us is now forever known as Freakout Friday, named such by my devs. Apparently, I got a little uptight that day!

Anyway, while it’s occasionally annoying and it totally messes up your stats, I think overall it’s pretty useful. While nothing was found that was a huge hole, they did find things, and it’s better that someone who’s willing to tell you finds it than someone who’s going to try and abuse it.


@ian only thing I would add to that page is a note saying that while you appreciate any and all attention from security researchers, you really would prefer it if they adhered to a few guidelines. For example:

  • Refraining from using automated scanning tools, as if, for example, an access control vulnerability is found, this might result in a huge loss/modification of other users’ data.

  • That they make a best effort not to compromise or modify the data of other users.

Etsy provides a great example of this on their Responsible Disclosure page: http://www.etsy.com/uk/help/article/2463

Hope that helps in some way :smile:


Nice! Implementing right now.

Wow, that’s quite a list of people in the “Thanks for working with us” section. Scary stuff, how many vulnerabilities just about any site must have the moment you open the virtual doors for business.

Yeah, well actually we weren’t really running it right early on. I had no idea what I was doing :smile: If we did it again now there would be a lot less, as early on I put some up for duplicates, etc., but since I already put them up I’m leaving them. At least for now. Most were also extremely minor, but I guess better to list than not.

Where did you ask for help from security researchers? Is there a website/forum?
I’d like to implement something like that for my SaaS too.
Many thanks,
Mike

I never asked; if you put up a security page and get any traffic at all they’ll pretty much find you. However, there is a startup around this idea you could list with: https://bugcrowd.com/

You might check if there is an OWASP chapter near you:

https://www.owasp.org/

They’re also on freenode.net in the #owasp channel.

Hi there,

While attracting security researchers and having a /security page is a good first step, you have to remember that this is just relying on the goodwill of the “security researchers”. It is your responsibility to make sure your app is secure and your users’ data is safe.

I think that information security should be a first-level concern when it comes to building systems online (but my background is in infosec, so maybe I’m biased). Of course it all depends on the value of the data your app is managing (e.g. stay away from credit cards, do something sensible with your password hashes, etc.), but putting something out there without thinking about security first can be a big problem. And even if you consider that your data/app is not so valuable, you can’t minimise the risk of serving as a ‘drive-by’ target (somebody compromises your app/server and then attacks someone else from there). Or the user-harvesting breaches that we are reading about.

For those wanting to get a lot deeper into the subject, I’d recommend The Web Application Hacker’s Handbook which is focussed on the attack perspective. Back in the day I tried to make a summary from the developer’s perspective in this guide: Development and implementation of secure web applications.

Getting some issue reports from the researcher community is great, and having a /security page is indispensable, but I think app owners need to be proactive about this.

My 2c,
Daniel


This reminded me that I saw a good presentation at Monitorama in Berlin earlier this year on penetration testing, with lots of actionable stuff: https://vimeo.com/75665772

Second the recommendation for WAHH. There are vulnerabilities in there that developers will be re-implementing decades from now.

Hi all,

I just made an account to reply to this thread. I am actually a full-time security researcher and pentester.
If any of you would like some help with security-related issues, some pointers about secure development, or you’d like me to have a quick look at your site, just let me know (contact details are in my profile).
If there’s enough interest, I could maybe make a small guide on the subject.

I’m glad to help!