I provided some background information to Brian Prince about challenges for application developers building systems that rely on and extend SaaS applications for his eWeek article “Application Development Security Considerations for the Cloud.” The article highlights a number of critical concerns for organizations developing systems that rely on SaaS providers. I’ve included some expanded information here.
Some security concerns that come up when designing extensions to SaaS applications include:
· Potentially Malicious Data Coming from the SaaS Provider – Interaction between different parts of these distributed systems can be tricky to properly secure. As with any potentially untrusted system, developers should validate data coming from SaaS applications. This can help to prevent injection and other attacks from being propagated between portions of the system.
· Properly Encoding Data Sent to SaaS Providers – In order to be a “good citizen” of the application ecosystem, developers should pay attention to properly encoding data that is sent to SaaS applications to help guard against their applications being used as an attack vector.
· Authentication to SaaS Providers – Depending on the characteristics of the system, some sort of credentials for access to the SaaS provider must be used. If these are provided by the user, then proper management might only require them to be encrypted while in transit. However, if all access to the SaaS provider is anonymized behind a single account, the credentials for that account must be stored in a secure manner while at rest, and proper logging must be maintained in order to determine which users attempted which actions.
· System Availability During SaaS Provider Outages – If your system depends on a SaaS provider to run properly then your system’s uptime is, at best, the same as the SaaS provider’s uptime. If your system depends on multiple SaaS providers then your uptime will suffer when any combination of those providers has an outage. This risk can partially be managed through Service Level Agreements (SLAs) but to avoid actual outages systems must ultimately be built to withstand one or more components going offline. This increases the complexity of the design and the cost required to build.
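The four concerns above can be seen together in a small client wrapper. The following is an added example and not code from the original post or from Denim Group; it targets a hypothetical SaaS “contacts” API (the `/contacts` path, the field names and the canned responses are all constructed). It allowlist-validates records received from the provider, percent-encodes and JSON-encodes data sent to it, records which end user drove each request made under the shared service account, and uses a circuit breaker with a cached fallback so the application keeps serving (degraded) data during a provider outage.

```python
"""Added example (not from the original post): a wrapper around a hypothetical
SaaS "contacts" API showing inbound validation, outbound encoding, per-user audit
logging behind a shared service account, and a circuit breaker with cached
fallback for outages. All paths, field names and sample data are constructed."""
import json
import re
import urllib.parse
from dataclasses import dataclass, field
from typing import Callable, Optional

NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,100}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class ValidationError(ValueError):
    """Raised when a record from the SaaS provider fails allowlist validation."""


def validate_inbound_contact(record: object) -> dict:
    """Treat provider data as untrusted: accept only known fields with allowlisted shapes."""
    if not isinstance(record, dict):
        raise ValidationError("record must be a JSON object")
    name, email = record.get("name"), record.get("email")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise ValidationError("name contains disallowed characters")
    if not isinstance(email, str) or not EMAIL_RE.fullmatch(email):
        raise ValidationError("email is not well-formed")
    return {"name": name, "email": email}  # drop any unexpected fields


def encode_outbound_query(params: dict) -> str:
    """Percent-encode every key and value so user input cannot add extra parameters."""
    return urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def encode_outbound_body(payload: dict) -> str:
    """Serialise the body with a real JSON encoder instead of string concatenation."""
    return json.dumps(payload, ensure_ascii=True)


@dataclass
class SaasClient:
    """Talks to the provider as one shared service account (hypothetical provider)."""
    transport: Callable[[str, str, Optional[str]], dict]  # raises ConnectionError on outage
    failure_threshold: int = 3
    cooldown_seconds: float = 30.0
    audit_log: list = field(default_factory=list)
    _failures: int = 0
    _open_until: float = 0.0

    def call(self, acting_user: str, method: str, path: str,
             body: Optional[dict], now: float) -> Optional[dict]:
        # The provider only sees the service account, so record which end user drove the call.
        self.audit_log.append({"user": acting_user, "method": method, "path": path, "at": now})
        if now < self._open_until:
            return None  # circuit open: do not hammer a provider that is already down
        try:
            result = self.transport(method, path, encode_outbound_body(body) if body else None)
        except ConnectionError:
            self._failures += 1
            if self._failures >= self.failure_threshold:
                self._open_until = now + self.cooldown_seconds
            return None
        self._failures = 0
        return result


def get_contact(client: SaasClient, acting_user: str, contact_id: str,
                cache: dict, now: float) -> Optional[dict]:
    """Fetch and validate a contact; fall back to the last good copy during an outage."""
    path = "/contacts?" + encode_outbound_query({"id": contact_id})
    raw = client.call(acting_user, "GET", path, None, now)
    if raw is None:
        return cache.get(contact_id)  # degraded but available
    clean = validate_inbound_contact(raw)  # raises on malformed or tampered provider data
    cache[contact_id] = clean
    return clean


def fake_transport_factory(responses: list) -> Callable:
    """Constructed stand-in for HTTP: returns canned responses; ConnectionError simulates an outage."""
    def transport(method, path, body):
        item = responses.pop(0)
        if isinstance(item, Exception):
            raise item
        return item
    return transport


if __name__ == "__main__":
    responses = [{"name": "Ada Lovelace", "email": "ada@example.com"},
                 ConnectionError(), ConnectionError(), ConnectionError()]
    client = SaasClient(transport=fake_transport_factory(responses))
    cache = {}
    print(get_contact(client, "alice", "42", cache, now=0.0))    # live data from the provider
    for t in (1.0, 2.0, 3.0):
        print(get_contact(client, "alice", "42", cache, now=t))  # cached copy during the outage
    print(len(client.audit_log), "requests attributed to end users")
```

The `now` parameter is passed explicitly rather than read from a clock so the breaker is deterministic and testable; in production it would be `time.monotonic()`. The audit entry is written before the request is attempted, so even calls short-circuited during an outage are attributable to a user.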
I especially enjoyed Forrester Research analyst Mike Gualtieri’s characterization of systems including SaaS extensions as SaaS “Franken-apps.” This is new territory for application developers and security folks alike. Personally, I can’t wait for the “Bride of Franken-apps” to show her face.
dan _at_ denimgroup.com