Penetration Testing for SaaS Providers: Building Trust and Security – IT Governance Blog

In today’s rapidly evolving digital landscape, SaaS (software as a service) providers face increasing scrutiny regarding the security of their platforms. And with increasing numbers of customers entrusting sensitive data to Cloud-based solutions, penetration testing has become an essential component of a comprehensive security strategy.
In a recent webinar, Penetration Testing for SaaS Providers, our head of security testing, James Pickard, discussed:
- SaaS providers: Building trust internally and externally
- To test or to tolerate: The drivers behind penetration testing
- The service suite: Web app, API, mobile app, infrastructure
- Fireside chat: Our experiences of testing SaaS platforms
This blog post provides an overview of what was discussed.
What is a SaaS platform?
SaaS platforms are Internet-accessible products that can be used from multiple devices or platforms. They are typically hosted in the Cloud to facilitate scalability and generally operate on a pay-as-you-go or subscription-based model. These platforms can serve B2B (business-to-business) or B2C (business-to-consumer) markets, providing a wide range of services.
The data at stake
SaaS platforms typically store various types of sensitive information:
- Customer data (emails, accounts, addresses, names, personal details)
- HR information
- Financial information
- Healthcare information
- Operational and business data
- User behaviour data
- Application-specific data
Building external trust
Trust from end users, customers and other businesses is the backbone of any SaaS product. Users are entrusting you with their data and expect you to protect it. A security breach doesn’t just impact your platform – it has significant knock-on effects for your clients.
Companies are increasingly enhancing their due diligence through:
- More thorough supply chain questionnaires
- Validating security through testing
- Requiring compliance with standards like ISO 27001 and Cyber Essentials
Building internal trust
Internal trust is equally important. Your sales team needs confidence in the security of the product they’re selling, and robust security measures prevent customer complaints and help maintain SLAs (service level agreements).
Threat actors typically target one of three aspects of data:
- Confidentiality (accessing data they shouldn’t)
- Integrity (manipulating data to make it unusable or incorrect)
- Availability (making services inaccessible through attacks like DDoS)
Drivers behind penetration testing
Multi-tenancy concerns
Most SaaS applications are multi-tenant, meaning multiple clients share one database with access controls preventing unauthorised data access. Penetration testing verifies these controls work correctly, ensuring one client can’t access other clients’ data.
Supply chain requirements
Suppliers’ technical requirements are increasing in intensity, including:
- Multi-factor authentication
- Strong password policies
- Flexibility to adjust security measures based on client requirements
Evolving applications
SaaS platforms constantly evolve with new functionality. Each update could potentially introduce vulnerabilities, making regular testing crucial.
Compliance requirements
SaaS providers must comply with numerous regulations, including:
- The GDPR
- ISO 27001
- DORA (Digital Operational Resilience Act)
- The PCI DSS (Payment Card Industry Data Security Standard)
Risks to SaaS businesses
- Defacement: attackers changing content or uploading malicious content
- Service unavailability: not just through DDoS attacks, but also by exploiting application functionality
- Data breaches: these incur costs beyond fines, including investigation expenses, customer loss and reputational damage
Listen to the free webinar
Want to know more about penetration testing for SaaS providers? Download the webinar recording to hear how penetration testing protects your organisation’s sensitive data and reinforces stakeholder confidence in your security posture.
Comprehensive testing approach
Web application testing
This involves testing from various user privilege levels, following the OWASP methodology to identify vulnerabilities like:
- Cross-site scripting
- SQL injection
- Insecure direct object references
- File upload vulnerabilities
API testing
API testing follows a similar methodology but focuses on the backend. Common findings include:
- Unauthenticated API endpoints
- Insecure direct object references
- Missing sanitisation of inputs
- Authentication bypass vulnerabilities
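The multi-tenancy concern described earlier and the insecure direct object reference findings listed for web and API testing are the same defect seen from two angles: a record is fetched by its id alone, without checking which tenant owns it. The following added example (not code from the webinar or from IT Governance) shows a vulnerable lookup beside its tenant-scoped form and a small cross-tenant check of the kind a tester performs by hand; the table, tenants and values are constructed for illustration.

```python
import sqlite3

# Constructed sample data: two tenants ('acme' and 'globex') sharing one table,
# as in a typical multi-tenant SaaS backend.
SCHEMA = """
CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount REAL);
INSERT INTO invoices VALUES (1, 'acme', 120.0), (2, 'globex', 99.5), (3, 'acme', 40.0);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_invoice_vulnerable(conn, caller_tenant, invoice_id):
    # Vulnerable: trusts the caller-supplied id alone and never checks tenant
    # ownership, so any tenant can read any invoice (an IDOR across tenants).
    sql = "SELECT id, tenant_id, amount FROM invoices WHERE id = ?"
    return conn.execute(sql, (invoice_id,)).fetchone()


def get_invoice_scoped(conn, caller_tenant, invoice_id):
    # Hardened: the tenant comes from the authenticated session, not the request,
    # and the query is scoped to it. Another tenant's record is indistinguishable
    # from "not found", which also avoids leaking that the id exists.
    sql = "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?"
    return conn.execute(sql, (invoice_id, caller_tenant)).fetchone()


def cross_tenant_check(fetch):
    """Tenant-isolation check: request every record as every *other* tenant and
    return the (tenant, id) pairs that were wrongly returned. Empty means isolated."""
    conn = open_db()
    tenants = sorted(t for (t,) in conn.execute("SELECT DISTINCT tenant_id FROM invoices"))
    records = conn.execute("SELECT id, tenant_id FROM invoices ORDER BY id").fetchall()
    leaked = []
    for invoice_id, owner in records:
        for tenant in tenants:
            if tenant != owner and fetch(conn, tenant, invoice_id) is not None:
                leaked.append((tenant, invoice_id))
    return leaked


if __name__ == "__main__":
    print("vulnerable:", cross_tenant_check(get_invoice_vulnerable))  # every record leaks
    print("scoped:", cross_tenant_check(get_invoice_scoped))          # []
```

In a real engagement the same idea is applied against the live application with two test accounts in different tenants, and every object-bearing endpoint is exercised this way rather than only one table.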
Mobile application testing
For SaaS platforms with mobile apps, testing examines:
- Local data storage and encryption
- API communications
- Input validation
- Access controls between the app and backend systems
Infrastructure testing
This looks at what hosts the SaaS platform:
- Cloud security configurations (AWS, Azure, etc.)
- Multi-factor authentication implementation
- Secure patching
- Proper encryption
Strategic testing approaches
Bulk day purchases
For clients with regular updates, buying a block of testing days provides flexibility and cost benefits:
- Annual comprehensive tests
- Smaller tests for feature releases
- Option for abbreviated reporting for minor changes
- Better discount on day rates
Phased testing programmes
Instead of testing everything simultaneously, which can overwhelm internal teams:
- Separate tests into manageable stages
- Focus on the web application first, then API testing
- Allow time for remediation between stages
- Avoid flooding teams with too many issues at once
The engagement process
- Collaborative scoping: technical experts join scoping calls to provide expertise
- Technical and business alignment: looking at broader risks and taking a holistic view
- Pre-engagement consultation: the tester discusses the upcoming test, addressing any last-minute changes
- Testing notification: email confirmation on the day testing begins
- Vulnerability identification: using both automated scanners and manual testing
- Immediate notification: critical or high vulnerabilities are reported immediately
- Debrief: discussion of findings and business impact
- Reporting: three-section report including executive summary, testing details and technical findings
- Quality assurance: the report undergoes peer review, copy editing and management review
Vulnerability scanning vs penetration testing
Vulnerability scanning:
- Automated tools that check for known vulnerabilities
- Limited to their database of known issues
- Cannot identify context-specific vulnerabilities
- Cannot chain multiple vulnerabilities together
- May produce false positives or negatives
Penetration testing:
- Human testers who can understand application context
- Combines automated tools with manual testing
- Can identify complex vulnerability chains
- Validates findings to eliminate false positives
- Provides practical remediation advice
Implementing security risk management
For SaaS providers looking to enhance their security posture, IT Governance recommends:
- Annual comprehensive penetration testing
- Additional testing after major releases
- Supplemental vulnerability scanning between penetration tests
- Building security into development processes
- Considering all interfaces (web, mobile, API) in testing scope
- Focusing resources on your highest risk areas
- Tailoring testing to your specific application’s needs and budget constraints
Strengthening your governance, risk and compliance position
Penetration testing is a critical component of a comprehensive GRC strategy for SaaS providers. Regular testing not only identifies vulnerabilities but also demonstrates your commitment to security to stakeholders, clients, and regulatory bodies.
By implementing a strategic approach to testing that aligns with your development cycles and budget constraints, you can effectively manage security risks while building trust in your platform both internally and externally.
Contact our penetration testing experts today to discuss your security needs.