SaaS Security Has Been Underestimated by Execs

Here’s Why…

Managing Information Technology has always been a fast-paced endeavor. Within the past two decades, the paradigm has shifted from maintaining a strong, on-premise superstructure of installed hardware and software to a much more nimble and demand-responsive interwoven fabric of Cloud Infrastructure and Software-As-A-Service (SaaS). These two modalities have accelerated Digital Transformation across many industries, allowing companies to innovate faster and more cost-efficiently.

Of course, with new approaches there are also new threats. In the old days, system security could be managed with a strong firewall and a methodical approach to software and operating system updates. But today, most companies rely on virtualized hardware that only exists logically in a datacenter, and their employees are more likely to consume their software through a browser or a mobile app.

The providers are the ones that control the network and the software updates, even as the demands for business-specific innovation and customization increase in intensity.

Certainly, there is no going back.

SaaS and Cloud platforms continue to deliver more flexibility and capability in a world where the workforce is increasingly productive on a global, 24/7, remote and on-premise basis. IT Leaders are leveraging these capabilities to gain competitive advantage even as they scramble to protect their businesses from new threats and dangers.

We’ve all heard the old war stories from the IT Departments that breathlessly upgraded their companies to Windows 95, only to discover that the new operating system didn’t have the right drivers for all of the company printers. It was a disaster. While it might seem quaint in our modern world, the truth is that similar pitfalls exist today.

DevOps needs to become DevSecOps

Powerful SaaS software often provides flexibility by allowing developers to write and integrate custom code, or modify configuration settings, to extend the software to meet their particular business needs. Even assuming those changes were bulletproof at the time they were implemented, they remain vulnerable to two things:

  1. SaaS software is constantly evolving. Old code needs to keep up with the changes.
  2. Personnel move on. Charging developers with maintaining code they didn’t write and possibly don’t understand becomes technical debt that can’t be easily discharged.


Additional Security Support is Needed

Without explicit review, your security depends on your developers’ knowledge and experience. That may not include Salesforce-specific vulnerabilities like SOQL or SOSL injection attacks. These two query languages are similar to the more general-purpose SQL, but there are Salesforce-specific keywords and clauses that are required to guard against injection attacks.

Developers eager to make progress on the functional side might overlook adding those safeguards during early development, and it can be easy for the omissions to slip through the cracks in later testing. Moreover, Salesforce is a web-based platform: interaction with the system is always in a browser-based context. There are specific Salesforce mechanisms that developers can use to guard against Cross-Site Scripting or Cross-Site Request Forgery attacks, but they only help if they are actually in place. With these types of vulnerabilities, the code works functionally, yet it also opens potential exposure.
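To make the SOQL injection point above concrete, here is an added Apex example (not code from the original post or from DigitSec’s product) showing the unsafe pattern next to two safe ones. The class, method and field names are assumed; `Contact.LastName` is a standard field, and `Database.queryWithBinds` requires API version 57.0 or later.

```apex
// Added example, not part of the original post. Shows how a dynamic SOQL query
// built by string concatenation is vulnerable, and how bind variables keep user
// input as data rather than query syntax. Class and method names are assumed.
public with sharing class ContactLookup {

    // UNSAFE: the caller's input is spliced straight into the query string.
    // Anything the user types becomes part of the WHERE clause, so a crafted
    // value can change what the query matches (SOQL injection).
    public static List<Contact> findByLastNameUnsafe(String lastName) {
        String soql = 'SELECT Id, Name FROM Contact WHERE LastName = \''
                    + lastName + '\'';
        return Database.query(soql);
    }

    // SAFE (preferred): static SOQL with a bind variable (:lastName).
    // The platform passes the value as data; it is never parsed as SOQL.
    // WITH SECURITY_ENFORCED also enforces object- and field-level security.
    public static List<Contact> findByLastName(String lastName) {
        return [SELECT Id, Name FROM Contact
                WHERE LastName = :lastName
                WITH SECURITY_ENFORCED];
    }

    // SAFE (dynamic query still needed): keep the statement text fixed and
    // supply the value through a bind map instead of concatenation.
    // AccessLevel.USER_MODE applies the running user's CRUD/FLS permissions.
    public static List<Contact> findByLastNameDynamic(String lastName) {
        String soql = 'SELECT Id, Name FROM Contact WHERE LastName = :lastName';
        Map<String, Object> binds = new Map<String, Object>{
            'lastName' => lastName
        };
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }

    // Fallback for older API versions where binds cannot be used in a dynamic
    // query: escape quotes in the input so it cannot close the string literal.
    public static List<Contact> findByLastNameEscaped(String lastName) {
        String safeValue = String.escapeSingleQuotes(lastName);
        String soql = 'SELECT Id, Name FROM Contact WHERE LastName = \''
                    + safeValue + '\' WITH SECURITY_ENFORCED';
        return Database.query(soql);
    }
}
```

A code reviewer or static scanner should flag any `Database.query` call whose query string is assembled from request parameters; the bind-variable forms are the ones to look for instead.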

Using the Right Tools to Address Security

With per-minute and per-seat billing, management has greater control over their Information Technology spending and deployment than at any time in the past. But to keep up with the pace of innovation and business that Cloud Infrastructure and Software-As-A-Service enables, they’ve got to have additional tools that help them address technical debt and security considerations.

DigitSec’s fast and reliable, automated security scanning service allows management, administrators and developers to collaborate on addressing these issues to secure their environments today and to safeguard them in the future.

Phil Lepanto

Phil Lepanto leads DigitSec's Customer Success Team. His goal is to help developers, administrators and executives to be proactive and engaged in preventing, identifying and remediating security vulnerabilities on SaaS platforms. He currently lives in Seattle, WA and is formerly of Washington, DC.

DigitSec

DigitSec brings four scans to protect Salesforce: Source Code Analysis, Custom Runtime Testing, Software Composition Analysis, & Cloud Security Configuration Review. #DevOps
