Key Points
Cybercriminals will be as busy as ever this year. Stay safe and protect your systems and data by focusing on these key areas to secure your environments and ensure success in 2023, and make sure your company is only in the headlines when you WANT it to be.
1. Web application weaknesses
Web applications are at the core of what SaaS companies do and how they operate, and they can store some of your most sensitive information such as valuable customer data.
SaaS applications are often multi-tenanted, so your applications need to be secure against attacks where one customer could access the data of another customer, such as logic flaws, injection flaws, or access control weaknesses. These are easy to exploit by hackers, and easy mistakes to make when writing code.
Security testing with an automated vulnerability scanner in combination with regular pentesting can help you design and build secure web applications by integrating with your existing environment, catching vulnerabilities as they’re introduced throughout the development cycle.
2. Misconfiguration mistakes
Cloud environments can be complicated. Your CTOs and developers are responsible for securing every setting, user role and permission to ensure they comply with industry and company policy. Misconfigurations can therefore be extremely difficult to detect and manually remediate. According to Gartner, these cause 80% of all data security breaches, and until 2025, up to 99% of cloud environment failures will be attributed to human errors.
To mitigate the risk, external network monitoring will uncover vulnerabilities and misconfigurations and give you visibility across your attack surface so you can spot your own potential errors or things that shouldn't be there, while a pentest of your cloud infrastructure will reveal issues including misconfigured S3 buckets, permissive firewalls within VPCs, and overly permissive cloud accounts.
You can audit it yourself with a manual review in combination with a tool like Scoutsuite. A vulnerability scanner like Intruder can help reduce and monitor your attack surface too by making sure only the services which need to be exposed to the internet are accessible.
3. Vulnerable software and patching
This may sound obvious, but it’s still a major issue that applies to everyone and every business. SaaS companies are no exception. If you’re self-hosting an application, you need to ensure that the operating system and library security patches are applied as they are released. This unfortunately is an on-going process, as security vulnerabilities in operating systems and libraries are constantly being found and fixed.
Using DevOps practices and ephemeral infrastructure can help ensure that your service is always deployed to a fully patched system on each release, but you also need to monitor for any new weaknesses discovered between releases.
An alternative to self-hosting is free (and paid) Serverless and Platform as a Service (PaaS) offerings that run your application in a container, which take care of patching of the operating system for you. However, you still need to ensure that the libraries used by your service are kept up to date with security patches.
4. Weak internal security policies and practices
Many SaaS companies are small and growing, and their security posture can be poor – but hackers don’t discriminate, leaving these businesses especially exposed. A few simple measures such as using a password manager, enabling two-factor authentication and security training can significantly increase your protection.
Cost effective and easy to implement, a password manager will help you maintain secure, unique passwords across all the online services you and your team uses. Make sure everyone in your team uses it – preferably one that isn’t subject to frequent security breaches itself!
Enable two-factor or multi-factor authentication (2FA/MFA) with an app like Authy wherever you can. 2FA requires a second authentication token on top of the correct password. This could be a hardware security key (most secure), a time-based One Time Password (moderately secure) or a One Time Password sent to a mobile device (least secure). Not all services support 2FA, but where it is supported, it should be enabled.
Finally, make sure your team understand how to maintain good cyber hygiene, especially how to recognise and avoid clicking phishing links by providing training, or at least sharing examples within the team when you notice attempts.
Conclusion
Ultimately cyber security is a balance of risk versus resources, and it’s a fine line that needs to be walked especially for start-ups with a thousand competing priorities. But as your business scales, team expands and revenue grows, you need to ramp up your investment in cyber security accordingly.
There are many security specialists that can help you stay secure and discover weaknesses in your systems. Intruder is one of them. We help thousands of small companies stay safe every day. Talk to us today to see how we can support you and your business in 2023.
![How bad is the Cisco IOS XE vulnerability [CVE-2023-20198]?](https://cdn.prod.website-files.com/61dd9339d05701829d0b3241/65300354aed13b674bbc18db_cisco-sq.webp)
