Questions tagged [saas]

Software as a service (SaaS) is a licensing and delivery model in which the vendor hosts and operates the software and customers use it over the network as a subscription-based cloud service, rather than installing and running it on their own systems.

25 questions
5 votes, 4 answers

Public API security: authentication vs. rate limiting etc.

We are raising a SaaS product that allows businesses to set up and orchestrate selling of a certain class of goods/services. This product has an API at its core and an ecosystem of various apps around it. These include web apps (sites) facing the…
asked by Greendrake (669 rep; badges 1, 8, 17)
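The question above contrasts authentication with rate limiting; the two are complementary, and the usual design is to meter authenticated callers per API key and anonymous callers per source IP with a much smaller budget, so that an unauthenticated or key-guessing client cannot consume the budget of a paying tenant. The following is an added example, not code from the question or from any product it describes; the API key table, the limits and the `RateLimiter.check` interface are hypothetical placeholders.

```python
"""Per-subject token-bucket rate limiting for a public API (added example).

Assumptions (hypothetical): a request carries either an API key that maps
to a tenant, or no key at all; tenants get a large budget keyed by tenant,
everyone else gets a small budget keyed by source IP.
"""
import time
from typing import Callable, Dict, Optional, Tuple

# Hypothetical key store: api_key -> tenant id (constructed sample data).
API_KEYS: Dict[str, str] = {"key-tenant-a": "tenant-a", "key-tenant-b": "tenant-b"}

# (burst capacity, sustained refill per second); values are illustrative.
AUTH_LIMIT = (100.0, 10.0)   # authenticated tenant
ANON_LIMIT = (5.0, 0.5)      # anonymous or invalid-key caller, per IP


class TokenBucket:
    """Classic token bucket: refills continuously, rejects when empty."""

    def __init__(self, capacity: float, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens: Optional[float] = None   # lazily filled on first use
        self.last: float = 0.0

    def take(self, now: float) -> bool:
        if self.tokens is None:
            self.tokens, self.last = self.capacity, now
        # Refill in proportion to elapsed time, never above capacity.
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock                       # injectable for tests
        self.buckets: Dict[str, TokenBucket] = {}

    def check(self, api_key: Optional[str], client_ip: str) -> Tuple[int, str]:
        """Decide one request. Returns (HTTP status, rate-limit subject).

        Order matters: the subject is chosen before the bucket is consulted,
        so an invalid key is charged to the IP's anonymous budget and does
        not get a fresh bucket per guessed key.
        """
        if api_key is None:
            subject, limit, ok_status = f"ip:{client_ip}", ANON_LIMIT, 200
        else:
            tenant = API_KEYS.get(api_key)
            if tenant is None:
                subject, limit, ok_status = f"ip:{client_ip}", ANON_LIMIT, 401
            else:
                subject, limit, ok_status = f"tenant:{tenant}", AUTH_LIMIT, 200
        bucket = self.buckets.setdefault(subject, TokenBucket(*limit))
        if not bucket.take(self.clock()):
            return 429, subject               # throttled before any auth work
        return ok_status, subject


if __name__ == "__main__":
    # Constructed walk-through: an anonymous client bursts, then a valid key
    # from the same IP is unaffected, then an invalid key shares the IP budget.
    rl = RateLimiter()
    for _ in range(6):
        print(rl.check(None, "203.0.113.7"))
    print(rl.check("key-tenant-a", "203.0.113.7"))
    print(rl.check("not-a-real-key", "203.0.113.7"))
```

Throttling is applied before credential validation so that the cost of a brute-force attempt against keys is bounded by the IP budget; the tenant budget is only ever spent by a request that already proved it belongs to that tenant.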
5 votes, 2 answers

How to manage customer-supplied encryption keys in a multi-tenant cloud SaaS?

I'm working at an EU-based company and we'd like to offer business customers some kind of OS-independent cloud-based SaaS platform for processing and storing sensitive (health) data. We'd like to implement our software on the Google Cloud…
asked by Lucas (51 rep; badges 2)
5 votes, 1 answer

How secure is Slack for sensitive information compared to other alternatives like Mattermost?

Our company is contemplating the benefits of switching from Slack to Mattermost. One of the arguments is that the 'sensitive information should be more secure because it is stored on our servers'. But is it so? Mattermost is open-source and…
asked by Harijs Deksnis (169 rep; badges 1, 1, 6)
5 votes, 1 answer

Azure AD B2C vs Auth0

I am trying to work on security architecture for our SaaS application. The good finding was Azure AD B2C, which was launched recently. And the first comparison was with Auth0. Is this a correct comparison? What would be the advantages of one over another? We…
asked by surfnerd (51 rep; badges 1, 2)
4 votes, 1 answer

Does FedRAMP apply to the cloud hosting environment, the software being hosted, or both?

Our company is limited to using products that maintain FedRAMP compliance, and we are looking to implement a new data collection tool. We are interested in a product that utilizes Microsoft Azure, which I understand is FedRAMP compliant. Is…
asked by KBreton (43 rep; badges 2)
4 votes, 2 answers

How much information about our Security & Penetration Testing should we share with customers?

We have a B2B SaaS service which runs on Microsoft Azure. Microsoft publishes a lot of information about Azure security, but occasionally customers ask us about the security testing and audits that have been performed on our own software, rather…
asked by rpg II (71 rep; badges 1)
3 votes, 1 answer

ISO 27001 compliance for application or hosting?

I received a question as follows: Does the vendor solution need to have the ISO 27001 certification for the application itself, or just for the hosting of the platform? In my understanding, ISO 27001 cert concerns companies/vendors and includes both…
asked by Elom ETSE (39 rep; badges 2)
3 votes, 1 answer

Can password based SSO be trivially compromised?

Many cloud SSO providers now offer "password based SSO" (e.g. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-appssoaccess-whatis ), where, even if the SaaS you want to log in to doesn't support SAML or the like, you can…
3 votes, 1 answer

Is PCI necessary as a SaaS provider when payments handled on third party site?

We've been asked by one of our clients to complete a SAQ-D. Even though PCI is not a law, we don't want to attest to something that shouldn't apply to us in the first place. We're not sure compliance is necessary because all credit card…
3 votes, 2 answers

Is crossdomain policy file required by EVERY web application?

1) If a web application does NOT use any Flash content, does it require a crossdomain / clientaccess policy file? 2) If a web application does not host a crossdomain / clientaccess policy file, is it vulnerable?
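For the two questions above, the practical check is on the policy a server actually serves: with no crossdomain.xml at all, Flash Player denies cross-domain data loading by default, so absence is the safe state; the exposure comes from serving a policy that trusts every domain (`domain="*"`), because any Flash content on any site can then read your responses with the victim's cookies. The following auditor is an added example, not code from the question; the two policy documents are constructed inline to illustrate a permissive and a restricted configuration, and the `own_domain` parameter and finding texts are this example's own choices.

```python
"""Audit a Flash/Silverlight cross-domain policy for over-permissive rules.

Added example with constructed sample policies; it does not fetch anything,
pass it the body served at /crossdomain.xml (or None for a 404).
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample: trusts every domain and lets HTTP content read HTTPS.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: only the site's own hosts are trusted.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""


def _within(host: str, own_domain: str) -> bool:
    """True if host is own_domain itself or a subdomain of it."""
    return host == own_domain or host.endswith("." + own_domain)


def audit_crossdomain(policy_xml: Optional[str], own_domain: str) -> List[str]:
    """Return findings for a served policy; an empty list means nothing risky.

    policy_xml: body of /crossdomain.xml, or None when the server has none.
    own_domain: registrable domain of the site serving the policy.
    """
    if policy_xml is None:
        # No policy file: Flash/Silverlight clients are denied cross-domain
        # access by default, so there is nothing to tighten.
        return []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["document is not a <cross-domain-policy>"]

    findings: List[str] = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site may read '
                            "responses with the victim's cookies")
        elif domain.startswith("*."):
            if not _within(domain[2:], own_domain):
                findings.append(f"wildcard rule {domain} trusts hosts outside {own_domain}")
        elif not _within(domain, own_domain):
            findings.append(f"third-party host {domain} is trusted; confirm it is intended")
        # The secure attribute defaults to true for policies served over HTTPS.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain or "(empty)"}: plain-HTTP '
                            "content may read HTTPS responses")
    for rule in root.iter("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers") == "*":
            findings.append("any origin may send arbitrary request headers")
    return findings


if __name__ == "__main__":
    for label, policy in (("none", None),
                          ("permissive", PERMISSIVE_POLICY),
                          ("restricted", RESTRICTED_POLICY)):
        print(label, audit_crossdomain(policy, "example.com"))
```

Run it against the body your site serves at /crossdomain.xml (and /clientaccesspolicy.xml for Silverlight, which has a different schema and is not parsed here); if you serve no Flash or Silverlight content, the simplest correct answer is to serve nothing, which the `None` branch reflects.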
2 votes, 0 answers

Patch management for production servers

I'm trying to implement an automated patching program at a small SaaS provider. When a customer signs up for our software, we provision them a Linux VM in our primary datacenter. Each customer also gets a QA and sandbox server in another…
asked by crab (17 rep; badges 2)
2 votes, 2 answers

What to do about vulnerability in a SaaS product I buy?

I work for a university, where I am part of the team responsible for integrating a SaaS Learning Management System (eg: Moodle, Canvas) with the rest of the university's systems. Two months ago, I identified a CSRF attack, available to anyone who…
2 votes, 1 answer

Is there any way to verify that an organization operating an open-source SaaS is using an untampered-with version of the software?

Some organizations have begun offering access to servers running open-source software (mail servers, chat servers), operated and maintained by those organizations, for a nominal recurring upkeep fee. Normally, this software's source code is…
asked by Jules (1,240 rep; badges 1, 10, 20)
1 vote, 2 answers

How to make SaaS application accessible only on intranet?

We are a SaaS-based product, but one of the client's requirements is to make our application accessible only on their intranet. Is that even possible?
asked by ChallengeMe (153 rep; badges 1, 3, 10)
1 vote, 2 answers

TCP Traffic, SSL or extra Tunnel

I have a situation where we (as a SaaS vendor) are migrating one of our clients away from their local premises to our public SaaS. However, as a security concern they want to route all their TCP traffic over an IPsec tunnel to our application. Now…
asked by Jdeboer (13 rep; badges 3)