We continue to discover that for SaaS and Blockchain startups, one of the topmost security priorities is a penetration test. This is due to two primary reasons... 1) Penetration tests are arguably the best-known software security solution for non-security professionals, and 2) Penetration tests are usually required to achieve business-critical compliance certifications like SOC2 Type 2.
Why Penetration Tests Alone are Not Sufficient
As we mentioned in a previous article, penetration testing involves engaging people or firms with advanced security testing skills to find bugs that break the security model of the application under test. But as useful as they are, performing only Penetration Tests is insufficient for two reasons:
Penetration tests occur as external audits that provide a security health snapshot that becomes out of date as soon as any further software development occurs on the product.
Startups usually obtain penetration tests after months or years of software development, which leads to a considerable amount of re-work in the software stack to fix the issues found.
The cost associated with addressing software problems increases as the lifecycle of a project matures
Some innovative security companies provide an agile approach to penetration testing, where security experts are essentially on call and can test a specific software feature when required i.e. without waiting till the product or release candidate is done. But, there's still the overhead of a mostly manual engagement with a third-party, every single time.
With modern tools, you can automate continuous security testing of any SaaS app and it's cloud infrastructure.
4 Ways To Implement Continous Security Testing
You can improve your app's security while reducing the overall cost of security, by implementing automated security tests into your product development flow. In each of the areas called out below, there are free or startup-budget-friendly tools that you can use to achieve continuous security testing:
1. Software Code: This involves using tools to automate the discovery of coding flaws as your engineers create in their editor and/or as they commit code to a central repository. Good tools will identify issues, describe why they are problematic, and give recommendations for fixing them. Giving your developers the capability to catch security bugs as they code, and empowering your team to configure rules that block buggy code from getting to production is a game-changer. You'll be training your engineers, producing more secure software, and generating evidence of security compliance.
2. App and API: In this case, specialized tools can be used to automate the execution of known exploit techniques against your web apps and or API, once a new version is published to your staging environment. With effective scripting i.e. in python, those tools can be used to record bugs in a central bug management tool.
3. Cloud Infrastructure Configuration: Virtually every SaaS startup uses the public cloud, AWS, Azure, or GCP. Those platforms provide lots of security features, but it's always up to users to create a well-secured infrastructure, within those platforms, using the features available. For instance, it's up to the startup to define the right network boundaries, firewalls, access controls, user authentication etc. If that's not done right, the entire SaaS platform is at risk of being compromised. Hence, it's important to test that your cloud instance is securely designed and configured.
A free tool that you can use to automate this security test is: Steampipe.
4. Cloud Infrastructure Vulnerabilities: Any cloud infrastructure backend will include lots of 3rd-party software in the VMs and containers. You can expect that they will have vulnerabilities from time to time. Those vulnerabilities are a loophole through which attackers can compromise the SaaS platform. Infrastructure vulnerability scanning can be used to detect vulnerabilities in the 3rd-party software in your cloud backend.
A free tool that you can use to automate this security test is: ThreatMapper
Combining Automated Testing and External Audits
The choice of either externally run penetration tests or internally automated security tests is not mutually exclusive. Ideally, security-savvy SaaS companies should do both. Most of the low, medium, and even some higher-hanging fruits should be caught by your internal tests. External audits should run with the assumption that such internal tests are in place so that you can deploy the advanced semi-manual testers to root out the harder-to-discover security bugs that are often missed by automated tools.
If you can any questions about either of these, please feel free to schedule a 15-minute chat here.
The 5-Minute Security Assessment for Startups
You may be unsure about how to best fit security testing into your SaaS startup's product development flow. In that case, please I want to invite you to take our Free 5-Minute security assessment, designed specifically for software startups. And yes, it really does take only 5 minutes, then we do the rest.
Once you complete the short assessment form, we craft two confidential reports - A Security Assessment report that show what your major software security gaps and risks are, as well as A Security Recommendations Report with custom solutions and priorities that your team can either begin implementing or add to your roadmap.