SaaS Startup Security 101 - A quick guide to building a secure SaaS
Why should you care about security in a SaaS Startup?
1) To avoid expensive Data Leaks 🥷
A common misconception among startups is that only big corporations, or large scale-ups, are targeted by cyberattacks. Unfortunately, startups of all sizes are targeted: from the 139 million records leaked by Canva in 2020 to the 70,000 records leaked by the start-up Mercato in 2019, before its Series A.
According to a study by IBM, the average cost of a leak is $150 per record. One can quickly imagine the amounts this represents for a young company, to the point that, according to the SEC, no less than 60% of small businesses fail within 6 months of being hacked.
2) To comply with regulations 👩‍⚖️
State and industry-wide regulations impose a minimum level of security for customers' data and corporate operations.
In Europe, the well-known GDPR requires any company handling the personal data of European citizens to report any data breach to the competent authorities. Sanctions for non-compliance can be tremendous: up to 4% of global revenue.
In the US, no federal law mandates cybersecurity measures; however, industry-wide standards such as SOC 2, or PCI-DSS for payment-processing applications, impose a strict cybersecurity policy. Also, most companies selling internationally have to comply with GDPR anyway.
3) To acquire more customers 🤑
More than an expense, cybersecurity can also be a marketing asset, opening access to larger B2B customers or to privacy-aware B2C niches. Security is a standard part of SaaS vendor assessment methods, including Gartner's.
How to integrate Cybersecurity in a SaaS Startup?
Our advice is divided into two main categories:
- Organizational, related to securing the company’s operations
- Technical, related to securing the SaaS product itself
1) At the organization level
- Activate 2FA for all employees 📲
Two-factor authentication (2FA), or multi-factor authentication (MFA), requires users to confirm a login with a code they receive on their mobile phone, as an additional step beyond knowing the right password. It significantly reduces the risk of an account takeover and should be enabled by default.
Example set-ups: Google, Microsoft, GitHub, GitLab
- Have a proper offboarding process 👋
Past employees should never keep lingering access to company accounts and data.
If possible, use the Single Sign-On capability of Google's or Microsoft's suite to let employees connect to all your company tools with only one account. Once an employee is offboarded, removing that one account prevents them from logging into any company tool.
If Single Sign-On is not an option, keep a list of all tools where employees have corporate accounts and delete those accounts manually when offboarding.
- Back up important data 💽
Having a backup of your data is absolutely critical, as the consequences of losing your users' data can be disastrous. Most cloud providers have in-house solutions for data backup and restoration. Also keep copies of your data separate from your main application, so that an attacker who compromises the main app cannot also take over your backups.
- Train your employees 🏋️‍♀️
A common cybersecurity saying is that "the vulnerability exists between chair and keyboard". Untrained employees are a favourite attack vector: 44% of data breaches involved phishing at some point in the attack. A common way to train your employees against phishing is phishing simulation.
2) On a technical level (DevSecOps)
- Snyk: Scan your dependencies (SCA - Software Composition Analysis) 📡
The libraries and packages you depend on often end up containing vulnerabilities. Tools like Snyk scan your dependencies and tell you which ones to update for security reasons.
- Semgrep: Scan your source code (SAST - Static Application Security Testing) 👩‍💻
You probably know about linters. Static Application Security Testing tools are like linters, but for security: they analyze your source code and flag vulnerabilities directly in your IDE or in your CI/CD pipeline. Notably, Semgrep is a nice, free, open-source SAST tool that finds security flaws in many languages, with a wide range of community-maintained rulesets covering numerous use cases.
- Clair: Scan your containers 🐳
Just as external dependencies can contain security flaws, container images can contain outdated programs and dependencies with known security issues. Clair is an open-source tool that finds outdated dependencies and security flaws in your Docker images.
- Nuclei: Scan your web applications (DAST - Dynamic Application Security Testing) 🕸
Unlike SAST tools, Dynamic Application Security Testing tools test your application while it is running. The free and open-source tool Nuclei can scan your web application for various security flaws. If your application relies on GraphQL, you might also want to check Escape's in-house GraphQL security testing tool.
- ELK Stack: Monitor security activity (hard) (SIEM - Security Information and Event Management) 📈
Apart from building a secure application by design, monitoring your live app for security issues is also key to avoiding data leaks. Unfortunately, we found no production-grade, easy-to-use open-source tool for this purpose. However, general-purpose monitoring tools like the ELK Stack or Datadog have options for security monitoring. If you know better alternatives, do not hesitate to send me a message!
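Whichever SCA or SAST scanner you adopt, the step that turns it into DevSecOps is wiring its report into CI so that a build fails on new findings above a chosen severity, while findings already accepted on the main branch do not block every pull request. The script below is an added example, not code from the original post or from Snyk, Semgrep or any other tool named above; the report and baseline are constructed, and their field names are only loosely modelled on a Semgrep-style JSON `results` list, so treat them as assumptions to adapt to your scanner's real output.

```python
import json
from typing import AbstractSet, Dict, Iterable, List, Set, Tuple

# Severity order used for the threshold. Level names are an assumption
# (Semgrep-style); map your scanner's own levels onto these ranks.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample report. Field names are an assumption loosely modelled on a
# Semgrep-style JSON "results" list; none of this comes from the original post.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "app/tasks.py", "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "subprocess call with shell=True"}},
        {"check_id": "python.django.security.injection.raw-sql",
         "path": "app/reports.py", "start": {"line": 88},
         "extra": {"severity": "WARNING", "message": "raw SQL built from request data"}},
        {"check_id": "python.lang.best-practice.unused-import",
         "path": "app/views.py", "start": {"line": 3},
         "extra": {"severity": "INFO", "message": "unused import"}},
    ],
    "errors": [],
})

# Constructed baseline: findings already known and tracked on the main branch,
# keyed on (rule, path).
SAMPLE_BASELINE: Set[Tuple[str, str]] = {
    ("python.django.security.injection.raw-sql", "app/reports.py"),
}


def findings_at_or_above(report_json: str, threshold: str = "WARNING") -> List[Dict]:
    """Return the findings whose severity meets the threshold, flattened to one dict each."""
    report = json.loads(report_json)
    min_rank = SEVERITY_RANK[threshold.upper()]
    out: List[Dict] = []
    for r in report.get("results", []):
        sev = r.get("extra", {}).get("severity", "INFO").upper()
        if SEVERITY_RANK.get(sev, 0) < min_rank:
            continue
        out.append({"rule": r["check_id"], "path": r["path"],
                    "line": r["start"]["line"], "severity": sev,
                    "message": r["extra"].get("message", "")})
    return out


def new_findings(findings: Iterable[Dict], baseline: AbstractSet[Tuple[str, str]]) -> List[Dict]:
    """Drop findings already accepted in the baseline so legacy debt does not block
    every PR. Keyed on (rule, path) rather than line number, which shifts with
    unrelated edits and would make the baseline churn."""
    return [f for f in findings if (f["rule"], f["path"]) not in baseline]


def gate(report_json: str, baseline: AbstractSet[Tuple[str, str]] = frozenset(),
         threshold: str = "WARNING") -> int:
    """CI exit code: 0 when nothing new is blocking, 1 otherwise."""
    blocking = new_findings(findings_at_or_above(report_json, threshold), baseline)
    for f in blocking:
        print(f"{f['severity']}: {f['path']}:{f['line']} {f['rule']} - {f['message']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    import sys
    sys.exit(gate(SAMPLE_REPORT, SAMPLE_BASELINE))
```

In a pipeline the baseline would be the scanner's report from the main branch, stored as an artifact and refreshed when findings there are fixed; the allow-listing lives in version control, so accepting a finding is a reviewable change rather than a silent CI tweak.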
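As a concrete instance of the security-monitoring idea, here is an added example (not from the original post, and not a feature of the ELK Stack or Datadog) of the kind of detection rule a SIEM runs over application logs: it parses constructed authentication log lines, flags an IP address that fails login repeatedly within a short window, and raises a second alert if that same address then logs in successfully, which is the pattern of a brute-force or credential-stuffing takeover. The log format, thresholds and sample addresses are this example's own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional

# Assumed line format (this example's own, not a real product's):
#   <ISO-8601 UTC timestamp> <level> auth: login <success|failure> user=<name> ip=<addr>
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<level>\w+) auth: login "
    r"(?P<outcome>success|failure) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: 203.0.113.5 fails five times in 25 seconds, then succeeds;
# 198.51.100.7 has one isolated failure, which is normal user behaviour.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO auth: login success user=bob ip=198.51.100.7
2024-05-01T10:00:05Z WARN auth: login failure user=alice ip=203.0.113.5
2024-05-01T10:00:09Z WARN auth: login failure user=alice ip=203.0.113.5
2024-05-01T10:00:13Z WARN auth: login failure user=alice ip=203.0.113.5
2024-05-01T10:00:20Z WARN auth: login failure user=bob ip=198.51.100.7
2024-05-01T10:00:22Z WARN auth: login failure user=alice ip=203.0.113.5
2024-05-01T10:00:30Z WARN auth: login failure user=alice ip=203.0.113.5
2024-05-01T10:00:41Z INFO auth: login success user=alice ip=203.0.113.5
2024-05-01T10:05:00Z INFO auth: login success user=bob ip=198.51.100.7
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one line into a dict, or None when it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_suspicious_logins(lines: Iterable[str], threshold: int = 5,
                             window_seconds: int = 60) -> List[Dict]:
    """Sliding-window rule: `threshold` failures from one IP within `window_seconds`
    raise a brute_force alert (once per IP); a later success from a flagged IP
    raises a possible_takeover alert for the account that was logged into."""
    window = timedelta(seconds=window_seconds)
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    alerts: List[Dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed lines are skipped, never fatal for a monitor
        ip, ts = ev["ip"], ev["ts"]
        if ev["outcome"] == "failure":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # evict failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({"type": "brute_force", "ip": ip, "user": ev["user"],
                               "at": ts.isoformat(), "count": len(q)})
        elif ip in flagged:
            alerts.append({"type": "possible_takeover", "ip": ip, "user": ev["user"],
                           "at": ts.isoformat(), "count": len(failures[ip])})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same two rules express naturally as a threshold query in Kibana or a Datadog log monitor once your application emits structured login events; the important design point is that the application logs both failures and successes with the source address, because a success on its own looks like any other login.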
Going further 🛰
Here are a few links to go further:
- TL;DR Sec, the security newsletter inspired by Dan's TL;DR
- Awesome DevSecOps on GitHub
- Wanna know more about Security? Check out our blog post "9 GraphQL Security Best Practices" and learn how to build safe GraphQL APIs.
Follow Escape on Twitter, or check our website for more human-readable application security content!