SaaS & pentest

Security is one of the main concerns of SaaS application publishers. Security is essential for users to trust the solution and to ensure that data is protected.

Authentication security, data compartmentalisation, data encryption, but also user journey security, service continuity and third-party integrations… The security issues of SaaS applications are multiple. A pentest allows you to assess the robustness of a SaaS platform in order to test and strengthen its security level. Here is a list of subjects that deserve special attention during a pentest. 

Contents:

Main security challenges during a SaaS application penetration testing

SaaS applications represent a very wide range of solutions: human resources, sales, accounting, marketing … but they share the same main security issues. Here are the priorities during a penetration test, according to our experience.

Testing data security for a SaaS application

Authentication security

User authentication represents a particularly sensitive step. It determines whether the user has legitimate access and grants the corresponding authorisations (role and access level). 

As an interface visible from outside the application, it faces numerous attacks and must be resistant. The robustness and resistance of the connection interface are a challenge for any SaaS software.

Authentication can either be managed by the SaaS platform or by a SSO (Single Sign On). In both cases, the implementation must be rigorous so that it is not possible to bypass any mechanism. A penetration test can check access controls, identification policies, access storage, access keys … for example.

Vertical privilege escalation

SaaS applications typically work by offering different roles for users, for example: user, manager, administrator.

The implementation of different privilege levels should be based on functionality to enforce the separation of privileges between different users, groups or client bases within an organisation. It is important to ensure the principle of least privilege, i.e. to give each role only the rights it needs. This is a first precaution to limit the possibilities of elevating rights.

We frequently encounter problems of rights between users during pentests. These are vulnerabilities that allow a standard user to grant themselves additional functionality to which they should not have access (for example, a standard user account gets the rights of a manager to validate an expense account in an HR application).

Horizontal privilege escalation

The specificity of a SaaS platform is that it hosts all its customers on the same infrastructure, the same servers, the same database. The separation of data according to accounts is done at the application layer, by authentication and rights controls.

Multi-tenant hosting is the most common offer, because it allows to reduce the costs of the proposed service by sharing hardware, instances…

Data confidentiality requires that customer accounts be kept separate from each other. Configuration problems and right vulnerabilities regularly create opportunities to access an account other than the one normally provided. A penetration test can verify that data separation is done properly.

For their customers who have strong security constraints, some publishers offer dedicated hosting, to reduce the risks of unauthorised access to data.

Data encryption

Data encryption is a fundamental measure to guarantee the confidentiality of data in a SaaS software. It must be implemented for data storage, but also for data in transit. This way, if a data breach occurs or if attackers intercept data, it will be unreadable and unusable.

Encryption at rest means that the elements in the database are stored encrypted. Encryption in transit means that during imports, exports or transfers, the data remains encrypted from end to end. The protocol for accessing the database must allow encryption.

The encryption keys are very sensitive information. It is advised to store them in a separate location from the data they encrypt. Frequently, the customer can manage the encryption keys (service and storage) themselves.

When choosing a SaaS platform, data encryption can be a decisive criterion, that’s why it is an important subject to test during a security audit. A penetration test will check for example if the encryption is suitable and configured well, if the encryption keys are stored and called securely, etc. 

Testing the user journey’s security on SaaS applications

SaaS platforms are often business software with complex processes. The nature of the activities requires taking into account the risks of fraud and manipulation of the steps.

The challenge is to ensure that an attacker cannot bypass the customer journey and the planned workflows, either through technical or logic flaws.

Technical vulnerabilities are errors in the code, implementation or configuration, while logic vulnerabilities are not errors as such, but vulnerabilities related to the working of the software. Unintended behaviour may have been obtained.

Logic flaws are more difficult to detect than technical flaws, because the pentesters have to understand the complete functioning of the platform before they can try to bypass it. 

Vulnerabilities are frequently found in the numerous requests with multiple parameters that SaaS applications send. During a pentest, it consists of analysing requests, file validation, access controls, etc. to ensure that there are no flaws.

Ensuring service continuity for SaaS applications

Many SaaS software publishers are particularly careful to protect themselves from denial of service, as the core of their business model is to be a service that is available all the time. Publishers cannot afford to have a degraded or worse, totally unavailable, service.

This is why SaaS application publishers are looking to strengthen their infrastructure against these attacks. During a penetration test, the tests carried out check the resistance of the system to attacks by session saturation, packet flooding, application denial (linked to the functionalities of the SaaS software being tested)…

Vulnerabilities detected are at the configuration or application level, for which remediation is possible (and which does not depend on your hosting provider).

Validating the security of third-party integrations

SaaS applications are becoming more and more integrated with each other, as they regularly need additional data to perform their tasks. Third-party integrations are increasingly based on APIs. But this integration can be a source of security flaws.

Integrations actually create new entry or exit points to the SaaS application, which are potentially less included in the security tests. It is important to ensure that the same controls are in place at these points. Data exchanges must be secured against interception and modification, and more generally against attacks attempts through these channels.

Performing a penetration test on a SaaS application

Penetration testing of a SaaS platform places the application under realistic attacks, using the same tools and techniques that a malicious attacker would use. This gives visibility on where the software is already strong and where it needs to be strengthened.

Testing server configurations and cloud hosting

Hosting is a key factor in the security of a SaaS platform. During a SaaS pentest, tests are carried out in particular on the hosting configuration, identity and session management rules, traffic restrictions, open services, etc.

Instances can be tested in black box, to simulate an external attacker, or in grey box, with limited rights on the application.

You can also conduct a white box audit. This technical audit allows for an in-depth review of cloud server configurations, in order to detect errors and to recommend best practices of the different environments. Our consultants have specific knowledge of cloud environments (for example: AWS). 

The white box ensures that the entire SaaS application is tested in detail. You provide the pentesters admin access to the infrastructure for testing.

Testing the application layer of SaaS platforms

Like any web applications, SaaS applications deliver a service via the web. During a penetration test, a large volume of tests are focused on the application layer, where technical and logic flaws exist.

An application pentest can be conducted in black box, grey box or white box.

In black box, the tests target the attack surface available from the outside, in order to test all risks on the scope accessible to an external attacker. You do not provide any information or accounts in advance of the tests. 

Tests can also be performed in grey box. We carry tests using a standard user account, generally provided before the tests. The aim is to test in particular privilege escalation and account separation.

In white box, the analysis is taken even further by giving access to the source code of the SaaS software.

Performing social engineering tests during a SaaS application pentest

To go further, a SaaS application pentest can also test the human factor. Social engineering attacks are a frequent vector of attacks, because they are very effective when teams are not aware of these risks. For an attacker, social engineering allows bypassing technical protections when they are strong.

Social engineering attacks rely on human behaviour to trick staff into making mistakes: clicking on a phishing email, giving out a password, exciting a payload, etc.

A social engineering audit raises awareness among your teams. It involves testing and training the reflexes of employees in the face of realistic attacks, adapted to your context. The pentest can include scenarios of progressive difficulty, to train employees to detect increasingly sophisticated threats.


How to define the scope of a pentest - Download