Feature

The growing risk of web application vulnerabilities in SaaS offerings


Web applications introduce new security risks


Lars Ewe, CTO, Cenzic

Highlights

  • SaaS providers are becoming the gatekeeper for sensitive information, whether in the form of personal data or corporate data.
  • To improve the process for regularly staging copies of your production applications, virtualization comes into play.
  • Continuous testing will ensure that your organization will mitigate risks in the increasingly popular SaaS offerings.

Industry adoption of Software as a Service (SaaS) has gained significant momentum during the past several years.  As a result, more and more critical user data is being managed by SaaS offerings, and that data must be secured by measures that go beyond traditional network controls.  This means that SaaS providers are becoming the gatekeeper for sensitive information, whether it is in the form of personal data or corporate data.  Security breaches can therefore be potentially devastating for both users and SaaS providers.

The security challenge with SaaS is no different from that of any other Web application technology; the problem is that traditional network security solutions, such as network firewalls and network intrusion detection and prevention systems (IDS and IPS), don't adequately address it.  Web applications introduce new security risks that can't be defended against effectively at the network level and require application-level defenses.
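The following is an added example (not code from the article or from Cenzic) showing why the network-level controls mentioned above cannot address an application-layer flaw. A constructed HTTP request on port 443 looks entirely normal to a port- and protocol-based control, yet its query parameter changes the meaning of an unsafely built database query. The hardened handler applies the application-level defenses the article calls for: input validation and a parameterized query. The database, request lines, and handler names are all constructed for the example.

```python
"""Network-layer verdict vs. application-layer handling of one request.

Added example, not from the article or Cenzic. The in-memory SQLite
database, the request lines and the handler names are constructed.
"""
import sqlite3
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed request lines, as a packet filter would see them: destination
# port 443, a well-formed HTTP request. Nothing is abnormal at the network layer.
REQUEST_BENIGN = "GET /accounts?owner=alice HTTP/1.1"
REQUEST_HOSTILE = "GET /accounts?owner=x%27%20OR%20%271%27%3D%271 HTTP/1.1"


def network_layer_verdict(dst_port: int, request_line: str) -> str:
    """All a port/protocol-based control can decide: is this ordinary HTTPS traffic?"""
    method, _, version = request_line.split(" ", 2)
    if dst_port == 443 and method in {"GET", "POST"} and version.startswith("HTTP/1."):
        return "allow"
    return "deny"


def make_db() -> sqlite3.Connection:
    """Constructed multi-tenant table: two account owners in one database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250)])
    return conn


def owner_param(request_line: str) -> str:
    """Extract the decoded 'owner' query parameter from the request line."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query).get("owner", [""])[0]


def lookup_vulnerable(conn: sqlite3.Connection, request_line: str) -> List[Tuple[int, str, int]]:
    """Builds SQL by string interpolation: the tenant boundary is only as strong as the input."""
    owner = owner_param(request_line)
    sql = f"SELECT id, owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, request_line: str) -> List[Tuple[int, str, int]]:
    """Application-level defense: validate the parameter, then bind it."""
    owner = owner_param(request_line)
    if not (0 < len(owner) <= 32 and owner.isalnum()):
        return []  # reject input that cannot be a valid account owner
    return conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for req in (REQUEST_BENIGN, REQUEST_HOSTILE):
        print(req)
        print("  network layer:", network_layer_verdict(443, req))
        print("  vulnerable handler:", lookup_vulnerable(db, req))
        print("  hardened handler:  ", lookup_hardened(db, req))
```

Both requests get the same network-layer verdict; only the application-level handler distinguishes them, which is the point the article makes about where the defense has to live.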

While manual pen testing and automated testing are important, SaaS providers must also ensure security improvements are implemented throughout the SDLC.

There are various stages in the SDLC at which developers, QA, infoSec and operations should ensure that up-to-date security tests and assessments are implemented, and there are a number of software solutions available.  But with the large majority of existing Web applications already deployed, it is just as important to test production applications on a regular and continuous basis, because the list of known attack vectors keeps evolving.  The challenge with testing production applications is that any deep testing can result in data corruption or even service failure.  It is therefore quite understandable that many SaaS providers are reluctant to test deployed production applications and focus solely on the security of new applications (or applications being staged by QA) before deployment.

With the assessment of Web applications in the development or QA phase of the SDLC being addressed by existing security solutions, how does one go about testing already deployed production applications?  There are really three different approaches.  The first is to use very careful manual assessments, and the second is to use scaled-back automated attacks.  The third option is fairly new and involves creating a copy of the production application in a staging environment.

To improve the process for regularly staging copies of your production applications, virtualization comes into play.  Imagine a process that regularly creates virtual copies of your production environment using physical-to-virtual (P2V) conversion technologies, such as VMware's Converter (http://www.vmware.com/products/converter/) or PlateSpin's PowerConvert (http://www.platespin.com/products/powerconvert/).  These copies are then stored in a central VM image repository.  Once the virtual application copies are in place, you can regularly deploy and stage these virtualized copies on a virtualized server farm for application vulnerability testing, creating a safe environment in which to test your applications without corrupting your production data.

No matter what testing method you choose, whether it’s automated and/or manual pen testing, you have the peace of mind that you are testing your production environment without the risk of data corruption or service failure.  Continuous testing will ensure that your organization will mitigate risks in the increasingly popular SaaS offerings, while still enjoying the ease and effectiveness that these offerings provide.  At the same time, you are providing regular and extensive test coverage of your production applications, allowing you to stay ahead of the hacker curve.
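The staging cycle described above (snapshot production with a P2V tool, store the image in a central repository, deploy the copy on an isolated virtual farm, test the copy, tear it down), as an added example that is not part of the article and not Cenzic's or VMware's or PlateSpin's code. The command names `p2v-convert`, `image-repo`, `vm-farm` and `app-scanner` are hypothetical placeholders; the real products have their own interfaces. The executor is injectable so the whole cycle can be dry-run offline, and the scanner step refuses to run against any registered production host, which is the one mistake this workflow exists to prevent.

```python
"""Stage-and-scan cycle for production web applications (added example).

Not code from the article or from any vendor. All external commands are
hypothetical placeholders. The runner is injectable; the default one only
records the command line, so the cycle can be dry-run offline.
"""
import datetime
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class ProductionApp:
    name: str
    prod_host: str  # the live server; never a scan target


@dataclass(frozen=True)
class StagedCopy:
    app: ProductionApp
    image_id: str
    staging_host: str


class ScanTargetError(RuntimeError):
    """A scan was about to be aimed at a production host."""


def dry_runner(cmd: List[str]) -> str:
    """Placeholder executor: returns the command line instead of running it."""
    return " ".join(cmd)


class StagingPipeline:
    """snapshot -> store -> deploy copy -> scan copy -> tear down."""

    def __init__(self, apps, runner: Callable[[List[str]], str] = dry_runner,
                 staging_domain: str = "staging.example.internal"):
        self.apps = list(apps)
        self.runner = runner
        self.staging_domain = staging_domain
        self.production_hosts = {a.prod_host for a in self.apps}
        self.log: List[str] = []  # every command issued, in order

    def _run(self, cmd: List[str]) -> str:
        out = self.runner(cmd)
        self.log.append(out)
        return out

    def snapshot(self, app: ProductionApp, stamp: Optional[str] = None) -> str:
        """P2V-convert the live server and push the image to the central repository."""
        stamp = stamp or datetime.date.today().strftime("%Y%m%d")
        image_id = f"{app.name}-{stamp}"
        # hypothetical CLIs standing in for a P2V converter and an image repository
        self._run(["p2v-convert", "--source", app.prod_host, "--output", image_id])
        self._run(["image-repo", "put", image_id])
        return image_id

    def deploy(self, app: ProductionApp, image_id: str) -> StagedCopy:
        """Boot the stored image on the staging farm, on an isolated network segment."""
        staging_host = f"{app.name}.{self.staging_domain}"
        self._run(["vm-farm", "deploy", image_id, "--host", staging_host,
                   "--network", "isolated"])
        return StagedCopy(app, image_id, staging_host)

    def safe_to_scan(self, host: str) -> bool:
        """Deep testing is only ever pointed at a copy, never at production."""
        return host not in self.production_hosts

    def scan(self, copy: StagedCopy, profile: str = "deep") -> str:
        """Run the application scanner against the staged copy."""
        if not self.safe_to_scan(copy.staging_host):
            raise ScanTargetError(f"refusing to scan production host {copy.staging_host}")
        return self._run(["app-scanner", "--profile", profile,
                          "--target", f"https://{copy.staging_host}/"])

    def teardown(self, copy: StagedCopy) -> None:
        """Destroy the copy so stale images never linger on the farm."""
        self._run(["vm-farm", "destroy", "--host", copy.staging_host])

    def run_cycle(self, stamp: Optional[str] = None) -> List[str]:
        """One full cycle over all registered apps; returns the scan commands issued."""
        results = []
        for app in self.apps:
            image_id = self.snapshot(app, stamp)
            copy = self.deploy(app, image_id)
            try:
                results.append(self.scan(copy))
            finally:
                self.teardown(copy)  # tear down even if the scan fails
        return results


if __name__ == "__main__":
    pipeline = StagingPipeline([ProductionApp("crm", "crm.example.com")])
    pipeline.run_cycle("20081101")
    print("\n".join(pipeline.log))
```

Swapping `dry_runner` for a function that calls `subprocess.run` turns the dry run into the real cycle; scheduling `run_cycle` (cron, or the job scheduler of the virtualization platform) gives the regular, continuous coverage the article argues for.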

Myth Buster Series on Application Security

The Web application Myth Busters™ series has been created by Cenzic to provide security insight and education on a massive scale by sharing knowledge and tips from top security professionals regarding issues and trends that are most prominent across the enterprise.  The security industry is teeming with misconceptions, and through this series, Cenzic will share knowledge and expertise from some of the most respected and innovative security leaders and researchers.  These experts will debunk common myths and provide best practice insight around Web application security and how not to get trapped in common misbeliefs.

In the first part of the series, several interviews were conducted at the Black Hat conference in Las Vegas, with the first interviewee being Jason Lam, a SANS instructor and a Senior Security Analyst at a large financial institution in North America.  Mandeep Khera, a Cenzic executive interviewed Jason to capture his thoughts and insights regarding the application security landscape and the top myths believed by many IT and security professionals.  The ongoing coverage will include additional podcasts, white papers, videos and articles to help companies understand issues around Web application security better.

Click on the link (http://blog.cenzic.com/public/item/212740) to listen to the podcast and get answers addressing:

1. Do SSL and Network security tools protect your Web sites against hacker attacks?
2. Can you get away with testing your applications only in QA and Dev?
3. Are commercial Web applications like SAP and Oracle safe to use or do you need to test them for vulnerabilities?
4. Is attaining PCI compliance enough to secure you against hacker attacks?

And, if you have any other questions or topic suggestions send an email to .



Comments:


Samantha,
2008 11 27

If you need an all-in-one solution then I would look at something like unified threat management, also known as a UTM. Cyberoam firewall is the only UTM firewall that embeds user identity in firewall rule matching criteria, enabling enterprises to configure policies and identify users directly by the username rather than through IP addresses. Cyberoam's powerful hardware firewall provides stateful and deep packet inspection, access control, user authentication, network and application-level protection.

The ICSA-certified Cyberoam firewall is available along with VPN, gateway anti-virus and anti-spyware, gateway anti-spam, intrusion prevention system, content filtering, bandwidth management and multiple link management, providing comprehensive security to small, medium and large enterprises, including remote and branch offices. Cyberoam is a Check Mark Level 5 certified UTM solution.

Key Features

1. Stateful Inspection Firewall
2. Centralized management for multiple security features
3. Embeds user identity in rule-matching criteria
4. Multiple zone security
5. Granular IM, P2P controls
6. ICSA certified


psd html conversion,
2009 08 21

SaaS (Software as a Service) offerings, and their data must be secured via non-traditional measures. In return, this means that SaaS providers are becoming the gatekeeper for sensitive information, whether it is in the form of personal data or corporate data. Security breaches can therefore be potentially devastating for both users and SaaS providers.

