Enterprise IT Watch Blog

Oct 13 2010   8:23AM GMT

A flaw in the cloud is still a flaw: How do your SaaS apps stand up?

Kevin Beaver

Call me a cynic, but I’m still skeptical when it comes to these SaaS “solutions” that are nothing more than a traditional Web application with a pretty front-end. You see, with traditional systems come traditional vulnerabilities – namely Web application vulnerabilities like cross-site scripting, SQL injection, cross-site request forgery and so on. These can be big, big problems that create risks for your business. You can’t overlook them and assume that all’s well just because your cloud provider says so.

The question is: How do you know that your cloud providers’ applications are truly secure? All it takes is an input validation weakness, a poorly controlled login mechanism, or a missing patch such as the one for the Microsoft ASP.NET padding oracle vulnerability. I’ve seen all three in Web applications I’ve been testing this week. So, how do your vendors’ applications stand up? You’ll never know unless you ask. Even then, you’ll likely hear, “Our applications run in a state-of-the-art SAS 70 Type II-certified data center.” Big deal. (More on that in a different post.) I’m talking about true in-depth vulnerability scanning and manual analysis – both are required on a consistent and periodic basis, period.

Security is one of the ongoing concerns surrounding the cloud and SaaS. Read up on the things you need to keep in mind when evaluating SaaS in the cloud:

Find unexpected vulnerabilities to ensure cloud compliance

Cloud computing and application security: Issues and risks

What you should know about cloud backup security

Data security concerns with online backup

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.
