How to Conduct a SaaS Application Security Assessment

With the popularity of Software as a Service (SaaS) applications, an increasing number of customers are looking for security advice and requesting a SaaS application security assessment. As organizations embrace this technology, many are concerned about the security of both large and smaller SaaS applications, and they are looking for a SaaS application security assessment that identifies any risks.

This is a smart decision. As SaaS use has evolved, much of the data that once resided in on-premises systems is increasingly stored in the cloud by SaaS vendors on behalf of their customers. This makes it even more important for organizations to evaluate the security strengths and risks of each SaaS application.

In an ideal world, a SaaS application security assessment should be used in conjunction with other components—vendor vetting, IT deployment standards, information security standards and procedures that govern the use of SaaS applications, etc.—for a comprehensive security evaluation. While we certainly recommend a holistic approach, for the purposes of this blog, we will exclusively focus on how to conduct a SaaS security review and tips for translating this information into cybersecurity risk reduction. For more guidance on a broader security assessment, watch our one-hour video on securing your attack surface or get some of the highlights in our four-minute video, Quick Tips for Attack Surface Management.

Can Organizations Conduct Their Own SaaS Application Security Assessment?

Yes, a SaaS application security review is designed to identify the strengths and gaps of a SaaS application based on information provided by the vendor and other publicly available sources. Typically, there is no direct technical testing involved, although the SaaS vendor may provide technical testing results if requested. If the vendor has not had technical testing performed, you may want to request that they do so.

The more information you can get from the vendor, the better. For these reasons, SaaS application security assessments can be conducted in-house, and you can use the results to minimize the risks that SaaS applications present. If you don’t have the time or would prefer a SaaS security expert to conduct the review, contact us and our team will be happy to help. If you’re ready to get started, download our fillable SaaS Application Security Assessment Checklist and read on to get started!

Five Areas to Evaluate

The first four primary considerations LMG Security looks at when conducting a SaaS application security assessment are largely related to the planning and approach for conducting the assessment. If you download our fillable SaaS Application Security Assessment Excel Checklist, we have already entered these fields so you can gather and enter the information outlined below. You should evaluate:

1. What function will the SaaS application be serving?
   1. What teams will use it and what are the use case scenarios for each of the teams?
   2. What are these teams using now?
   3. How critical are these use cases to the business?
   4. What data types will be stored in the application and how sensitive are they?
2. How will the users be accessing the application?
   1. Organization owned and managed devices?
   2. Personal devices?
   3. What browser(s)?
   4. From the organization’s network?
   5. From the user’s home network?
   6. While connected to the organization’s VPN?
   7. Etc.
3. How complete is the information that the vendor has provided regarding its application architecture and security configuration options?
   1. Are you able to clearly understand the way the system has been architected based on this information?
   2. Were diagrams provided that outline the front-end and back-end components of the application and how they communicate with each other?
   3. Do these diagrams and other documentation include information about security controls in place, i.e.:
      1. Web Application Firewall (WAF)?
      2. Available external ports?
      3. Load balancing and DDoS protections?
      4. Access controls?
      5. Encryption of data at rest and in transit?
      6. EDR and AV solutions in use?
      7. In the event penetration test and web application security assessment results were provided, were there any Medium, High, or Critical findings?
         1. If only low or informational findings, are any of those of consequence and if so, how are they being addressed?
         2. Do the results also provide guidance on the vendor’s remediation activities?
         3. It is always a good idea to compare the results with the OWASP top 10 (https://owasp.org/Top10/) to get a better sense of the severity and risk any of the findings may represent.
   4. Do these diagrams and other documentation include specifics regarding the configurable security options available to the customer, specifically with respect to:
      1. IAM considerations like SSO integration and MFA?
      2. API security?
      3. Other application integrations or connected applications?
      4. Data encryption and key management?
      5. Backup and redundancy options?
      6. Logging and monitoring options?
   5. Additionally, when we perform a SaaS application security assessment at LMG Security, we conduct open-source intelligence gathering to see what we can learn from other reporting and information sharing about the SaaS application in question, feedback from customers and partners, as well as research on any prior security incidents that may have occurred.
4. How does all this information match up to the top threats and risks that SaaS applications present? At this point you should have the information you need to start drawing conclusions regarding the security risks the application presents. Some of the top risks to consider:
   1. Operational risk, e.g., impact to the organization if the application is not available
   2. Data loss and data leakage
   3. Risks associated with shared security responsibilities
   4. Compliance and regulatory considerations

The fifth consideration pulls together the data collected from the first four sections and provides insight on how to structure the SaaS application security assessment results based on six primary areas of concern.

5. How does the SaaS application rate with respect to the following primary areas of concern? Based on the above, you should now be able to make determinations on the likelihood and impact of risks based on these primary groupings:
   1. IAM – Role-based access controls (RBAC), SSO / MFA
   2. Privacy – Encryption of data at rest or in transit, data classification, DLP, API security, etc.
   3. Visibility – Logging, monitoring, alerting
   4. Configuration – Security settings, Access Control Lists (ACL), IP Allow listing, connected third-party applications, etc.
   5. Application Security – Vulnerability management, penetration testing history and process, WAF, DDoS Protections, shared security responsibilities, etc.
   6. Compliance and/or regulatory considerations – Certifications the vendor has or does not have (ISO 27001, SOC 2, CSA STAR, etc.) data considerations (PII, HIPAA, PCI, etc.), and other industry and privacy considerations (GDPR, CCPA, etc.).

A SaaS application security assessment is a great tool for documenting and evaluating the security risks associated with the use of SaaS applications. Using it in conjunction with third-party vendor vetting, as well as other internal policies that govern the appropriate use and configuration of SaaS applications in your organization, can help to reduce the overall risk from using SaaS applications. This can be done using internal staff, or it can be outsourced. Often, due to the volume of SaaS applications that organizations are considering at any point in time, some organizations opt to get supplemental support. Contact us if you need assistance conducting a SaaS application security review for your organization. We are always happy to assist.