Call me a cynic, but I’m still skeptical when it comes to these SaaS “solutions” that are nothing more than a traditional Web application with a pretty front-end. You see, with traditional systems come traditional vulnerabilities – namely Web application vulnerabilities like cross-site scripting, SQL injection, cross-site request forgery and so on. These can be big, big problems that create risks for your business. You can’t overlook them and assume that all’s well just because your cloud provider says so.
The question is: How do you know that your cloud providers’ applications are truly secure? All it takes is some input validation weaknesses, some poor login mechanism controls, or a missing patch such as the Microsoft ASP.NET padding oracle exploit. I’ve seen all three in Web applications I’ve been testing this week. So, how do your vendors’ applications stand up? You’ll never know unless you ask. Even then, you’ll likely hear, “Our applications run in a state-of-the-art SAS 70 Type II-certified data center.” Big deal. (More on that in a different post.) I’m talking about true in-depth vulnerability scanning and manual analysis – both are required on a consistent and periodic basis, period.
Security is one of the ongoing concerns surrounding the cloud and SaaS. Read up on the things you need to consider when evaluating SaaS in the cloud:
Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.