
If my manager asked me to rank how secure/vulnerable our SaaS system is, what methods are available to do so?

I know there are certifications available but I'm looking for something which can be done in house.

Also, looking for a system of evaluation that is somewhat formalized.

Blaze
  • Is this a duplicate of your [post about SaaS security metrics](http://security.stackexchange.com/q/122073/96204)? – Castaglia May 04 '16 at 00:23

3 Answers


First of all you need to understand what threats and vulnerabilities you protect against and measure your security level against identified risks (e.g., it's useless to have the ability to encrypt sensitive data if you don't have such data). So you need to complete the following steps:

  1. Identify risks and possible threat vectors. NIST SP 800-53 with its risk assessment approach would be helpful to start with that.
  2. Define applicable security controls. The Cloud Security Matrix and Self-Assessment Questionnaire from the Cloud Security Alliance would be helpful.
  3. Map security controls to the risks you identified in step 1. As a result you will receive a matrix with information on what your solution is protected from and the existing security gaps.

These steps are applicable to a new service or to an existing one. Of course, other secure SDLC techniques such as penetration testing, static code analysis, dynamic scanning etc. should also be in place and should be performed on a regular basis.

Salamander
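The three steps above can be kept as a small in-house script rather than a spreadsheet. The following is an added example, not code from the answer or from NIST/CSA: the risk register, the control list, the likelihood/impact scores and the risk-to-control mappings are all constructed for a hypothetical SaaS, and the `threshold` and the coverage rating are my own simple conventions for turning the matrix into something a manager can rank.

```python
"""Added example (not from the original post): an in-house risk/control
coverage matrix following the answer's steps 1-3. All risk and control
ids, descriptions, scores and mappings are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), analyst-assigned
    impact: int      # 1 (negligible) .. 5 (severe), analyst-assigned

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Control:
    cid: str
    description: str
    mitigates: List[str]       # risk ids this control addresses
    implemented: bool = False  # self-assessment answer


# Step 1: constructed risk register for a hypothetical SaaS.
RISKS = [
    Risk("R1", "Tenant data exposed through broken access control", 4, 5),
    Risk("R2", "Credential stuffing against the login endpoint", 4, 4),
    Risk("R3", "Loss of customer data due to storage failure", 2, 5),
    Risk("R4", "Vulnerable third-party library in the web tier", 3, 3),
]

# Step 2: constructed control list with self-assessment answers.
CONTROLS = [
    Control("C1", "Per-tenant authorization check on every API route", ["R1"], True),
    Control("C2", "Rate limiting and MFA on authentication", ["R2"], False),
    Control("C3", "Encrypted off-site backups, restore tested quarterly", ["R3"], True),
    Control("C4", "Dependency scanning in CI", ["R4"], False),
]


def coverage_matrix(risks: List[Risk], controls: List[Control]) -> Dict[str, List[str]]:
    """Step 3: risk id -> ids of *implemented* controls that mitigate it."""
    matrix: Dict[str, List[str]] = {r.rid: [] for r in risks}
    for c in controls:
        if not c.implemented:
            continue
        for rid in c.mitigates:
            if rid in matrix:
                matrix[rid].append(c.cid)
    return matrix


def residual_gaps(risks: List[Risk], controls: List[Control], threshold: int = 8) -> List[Risk]:
    """Risks scoring at or above `threshold` with no implemented control, worst first."""
    matrix = coverage_matrix(risks, controls)
    gaps = [r for r in risks if r.score >= threshold and not matrix[r.rid]]
    return sorted(gaps, key=lambda r: r.score, reverse=True)


def security_rating(risks: List[Risk], controls: List[Control]) -> float:
    """Share of total risk score covered by at least one implemented control (0..1)."""
    matrix = coverage_matrix(risks, controls)
    total = sum(r.score for r in risks)
    covered = sum(r.score for r in risks if matrix[r.rid])
    return covered / total if total else 1.0


if __name__ == "__main__":
    for rid, cids in coverage_matrix(RISKS, CONTROLS).items():
        print(f"{rid}: {', '.join(cids) or 'NO CONTROL'}")
    for r in residual_gaps(RISKS, CONTROLS):
        print(f"GAP {r.rid} (score {r.score}): {r.description}")
    print(f"coverage rating: {security_rating(RISKS, CONTROLS):.2f}")
```

Re-running the script after each self-assessment round gives a repeatable number (the coverage rating) plus the list of high-scoring risks with no implemented control, which is the "matrix with gaps" the answer describes; the scoring scale is deliberately simple and should be replaced by whatever scale your risk assessment already uses.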

This is a key issue with using cloud services. Since you do not own the equipment you cannot simply run your own penetration testing without the cloud provider giving consent, and most likely support. Therefore you will likely have to use softer, more qualitative measures.

  1. If you are deploying your own software via a cloud provider to operate as SaaS, ensure that you have done every kind of security check you can in house, since you are not likely to get free access to the provider's systems.
  2. Work with the provider before you sign a contract to ensure that you know what security testing methods either they use or you will be able to use. This would be an indicator of the level of trust and support you will have with them.
  3. If you do not have a pre-existing agreement through the contract you will need to work directly with the provider. They may offer information from their own vulnerability scans, or some other testing. It is likely they will strongly object to you trying to run vulnerability scans yourself, since there may be other businesses' applications or data on the systems you scan.
  4. Evaluate which of the cloud certifications you believe best shows you the right level of trust. Many of these certs are granted only after independent review, so they do offer some assurance.

The CSA's STAR Registry may help with some level of quantification, but you also should look for others such as the ISO 27000 series, SSAE, and PCI certifications.

Straightforward quantification of security levels is much harder than it sounds, and unfortunately there aren't many options.

Polymath

You can run a Nessus scan on the system (http://www.tenable.com/products/nessus-vulnerability-scanner).

Also, it is good practice to have a REST API testing framework. It would help you automate and audit the software against known vulnerabilities.

Limit
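The REST API testing framework this answer recommends can start very small. The following is an added example and not code from the answer or any named product: `sample_api` is a constructed, hypothetical in-process stand-in for the SaaS under test (it carries two deliberate weaknesses so the checks have something to report), and the three checks are generic ones a team would point at a real HTTP client in its CI pipeline.

```python
"""Added example (not from the original answer): a minimal REST API
security test harness. `sample_api`, its routes and header values are
constructed for illustration and stand in for the real service."""
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]          # status, headers, body
Api = Callable[[str, str, Dict[str, str]], Response]   # method, path, request headers

BASE_HEADERS = {
    "Content-Type": "application/json",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000",
}


def sample_api(method: str, path: str, headers: Dict[str, str]) -> Response:
    """Constructed API with two deliberate weaknesses for the harness to find."""
    authed = headers.get("Authorization", "").startswith("Bearer ")
    if path == "/api/health":
        return 200, dict(BASE_HEADERS), b'{"status":"ok"}'
    if path == "/api/tenants/1/users":
        if not authed:
            return 401, dict(BASE_HEADERS), b'{"error":"unauthorized"}'
        return 200, dict(BASE_HEADERS), b'[{"id":1}]'
    if path == "/api/tenants/1/export":
        # weakness 1: the export route never checks authorization
        return 200, dict(BASE_HEADERS), b'{"rows":[]}'
    if path == "/api/debug":
        # weakness 2: verbose error, version banner, missing hardening headers
        hdrs = {"Content-Type": "text/plain", "Server": "ExampleServer/1.2.3"}
        return 500, hdrs, b'Traceback (most recent call last):\n  File "app.py" ...'
    return 404, dict(BASE_HEADERS), b'{"error":"not found"}'


PROTECTED = ["/api/tenants/1/users", "/api/tenants/1/export"]   # routes that need a token
ALL_PATHS = ["/api/health", "/api/debug"] + PROTECTED


def check_auth_required(api: Api) -> List[str]:
    """Protected routes must reject a request that carries no credentials."""
    findings = []
    for path in PROTECTED:
        status, _, _ = api("GET", path, {})
        if status not in (401, 403):
            findings.append(f"{path}: unauthenticated request got {status}")
    return findings


def check_security_headers(api: Api) -> List[str]:
    """Every response should carry nosniff and HSTS and not advertise a server version."""
    findings = []
    for path in ALL_PATHS:
        _, hdrs, _ = api("GET", path, {"Authorization": "Bearer token"})
        if hdrs.get("X-Content-Type-Options") != "nosniff":
            findings.append(f"{path}: missing X-Content-Type-Options: nosniff")
        if "Strict-Transport-Security" not in hdrs:
            findings.append(f"{path}: missing Strict-Transport-Security")
        if "Server" in hdrs and any(ch.isdigit() for ch in hdrs["Server"]):
            findings.append(f"{path}: Server header leaks version '{hdrs['Server']}'")
    return findings


def check_error_bodies(api: Api) -> List[str]:
    """5xx responses must not expose stack traces to the client."""
    findings = []
    for path in ALL_PATHS:
        status, _, body = api("GET", path, {"Authorization": "Bearer token"})
        if status >= 500 and b"Traceback" in body:
            findings.append(f"{path}: stack trace in error response")
    return findings


def run_audit(api: Api) -> List[str]:
    """Run every check and return the combined list of findings (empty means clean)."""
    return check_auth_required(api) + check_security_headers(api) + check_error_bodies(api)


if __name__ == "__main__":
    for finding in run_audit(sample_api):
        print("FINDING:", finding)
```

Each check returns findings rather than printing them, so the same functions can fail a CI job when the list is non-empty; replacing `sample_api` with a thin wrapper around a real HTTP client keeps the checks unchanged, and new checks for known weaknesses are added as further functions of the same shape.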