By Ben Kast   /   Oct 19th, 2021

How to Conduct a SaaS Application Security Technical Review

With the popularity of Software as a Service (SaaS) applications, an increasing number of customers are asking for security advice and requesting a SaaS application security technical review. As organizations adopt this technology, many are concerned about the security of both large and small SaaS applications, and they want a review that identifies the risks each one presents.

This is a smart decision. As SaaS use has evolved, much of the data that once resided in on-premises systems is increasingly stored in the cloud by SaaS vendors on behalf of their customers. This makes it even more important for organizations to evaluate the security strengths and risks of each SaaS application.

In an ideal world, a SaaS application security review is used in conjunction with other components (vendor vetting, IT deployment standards, information security standards and procedures that govern the use of SaaS applications, etc.) for a comprehensive security evaluation. While we certainly recommend a holistic approach, for the purposes of this blog we will focus exclusively on how to conduct a SaaS security review and on tips for translating that information into cybersecurity risk reduction.

Can Organizations Conduct Their Own SaaS Application Security Review?

Yes. A SaaS application security review is designed to identify the strengths and gaps of a SaaS application based on information provided by the vendor and other publicly available sources. Typically, no direct technical testing is involved, although the SaaS vendor may provide technical testing results if requested. If the vendor has not had technical testing performed, you may want to request that they do so.

The more information you can get from the vendor, the better. Because the review relies on vendor-supplied and public information rather than hands-on testing, it is the type of assessment that organizations of any size can conduct on their own and use to minimize the risks that SaaS applications present.

Five Areas to Evaluate

The first four primary considerations LMG Security looks at when conducting a SaaS application security review are largely related to the planning and approach for conducting the assessment. You should evaluate:

  1. What function will the SaaS application be serving?
    1. What teams will use it and what are the use case scenarios for each of the teams?
    2. What are these teams using now?
    3. How critical are these use cases to the business?
    4. What data types will be stored in the application and how sensitive are they?
  2. How will the users be accessing the application?
    1. Organization owned and managed devices?
    2. Personal devices?
    3. What browser(s)?
    4. From the organization’s network?
    5. From the user’s home network?
    6. While connected to the organization’s VPN?
    7. Etc.
  3. How complete is the information that the vendor has provided regarding its application architecture and security configuration options?
    1. Are you able to clearly understand the way the system has been architected based on this information?
    2. Were diagrams provided that outline the front-end and back-end components of the application and how they communicate with each other?
    3. Do these diagrams and other documentation include information about security controls in place, i.e.:
      1. Web Application Firewall (WAF)?
      2. Available external ports?
      3. Load balancing and DDoS protections?
      4. Access controls?
      5. Encryption of data at rest and in transit?
      6. EDR and AV solutions in use?
      7. In the event penetration test and web application security assessment results were provided, were there any Medium, High, or Critical findings?
        1. If only low or informational findings, are any of those of consequence and if so, how are they being addressed?
        2. Do the results also provide guidance on the vendor’s remediation activities?
        3. It is always a good idea to compare the results with the OWASP top 10 (https://owasp.org/Top10/) to get a better sense of the severity and risk any of the findings may represent.
    4. Do these diagrams and other documentation include specifics regarding the configurable security options available to the customer, specifically with respect to:
      1. IAM considerations like SSO integration and MFA?
      2. API security?
      3. Other application integrations or connected applications?
      4. Data encryption and key management?
      5. Backup and redundancy options?
      6. Logging and monitoring options?
    5. Additionally, when we perform a SaaS application security review at LMG Security, we conduct open source intelligence gathering to see what we can learn from other reporting and information sharing about the SaaS application in question, including feedback from customers and partners, as well as research on any prior security incidents that may have occurred.
  4. How does all this information match up to the top threats and risks that SaaS applications present? At this point you should have the information you need to start drawing conclusions regarding the security risks the application presents. Some of the top risks to consider:
    1. Operational risk, e.g., impact to the organization if the application is not available.
    2. Data loss and data leakage
    3. Risks associated with shared security responsibilities
    4. Compliance and regulatory considerations

The fifth consideration pulls together the data collected from the first four and provides insight on how to structure the SaaS application security assessment results based on six primary areas of concern.

  5. How does the SaaS application rate with respect to the following primary areas of concern? Based on the above, you should now be able to make determinations on the likelihood and impact of risks based on these primary groupings:
    1. IAM – role-based access controls (RBAC), SSO / MFA
    2. Privacy – encryption of data at rest or in transit, data classification, DLP, API security, etc.
    3. Visibility – Logging, monitoring, alerting
    4. Configuration – Security settings, Access Control Lists (ACL), IP Allow listing, connected third party applications, etc.
    5. Application Security – vulnerability management, penetration testing history and process, WAF, DDoS Protections, shared security responsibilities, etc.
    6. Compliance and/or regulatory considerations – certifications the vendor has or does not have (ISO 27001, SOC 2, CSA STAR, etc.), data considerations (PII, HIPAA, PCI, etc.), and other industry and privacy considerations (GDPR, CCPA, etc.).

A SaaS application security review is a great tool for documenting and evaluating the security risks associated with the use of SaaS applications. Using it in conjunction with third-party vendor vetting, as well as other internal policies that govern the appropriate use and configuration of SaaS applications in your organization, can help reduce the overall risk of using SaaS applications. The review can be done by internal staff, or it can be outsourced. Given the volume of SaaS applications that organizations are considering at any point in time, some opt to get supplemental support. Contact us if you need assistance conducting a SaaS application security review for your organization. We are always happy to assist.

About the Author

Ben Kast

Ben Kast is a Senior Security Consultant at LMG Security. He has conducted penetration testing engagements for companies ranging in size from multi-billion dollar publicly traded companies to small and medium sized organizations. He has over 20 years of IT experience that includes software product development, project management, implementation and consulting. He has a degree from the University of Montana, and is a GIAC-certified penetration tester (GPEN).