By Jesse Kinser, CISO, Pathwire
The faster a software as a service (SaaS) company grows, and the larger it becomes, the bigger target it is for cybercriminals. Is your security program built on a solid foundation? Taking the right steps in the beginning prepares your organization to face security challenges in the future.
In the startup days, adding users, meeting the needs of the market, and building the product are top priorities. However, as a SaaS company continues to scale, so does the need for stronger security measures. You must protect your customers’ privacy, brand reputation, and the application’s integrity.
Pathwire is a fast-growing MarTech solution with ambitious goals. But we’d never ignore security risks for the sake of meeting those goals. Our team takes a holistic approach to cybersecurity that emerging SaaS companies can follow. It involves five main pillars:
- Product security
- Detection & response
- Corporate security
- Infrastructure security
These areas are all interconnected. Vulnerabilities in one easily lead to issues in another. In isolation, they may seem insignificant. But when combined, there can be catastrophic consequences. A sophisticated attack on your company will likely consist of a sequence of exploits targeting more than one weakness.
Let’s explore these five pillars to discover ways a modern SaaS company can improve its security across the board.
1. Product security
Without a doubt, your application itself is the most valuable target to attackers. It’s an asset you must protect because it’s where criminals can do the most damage to your organization.
Regular external and internal penetration testing is key. We recommend a three-pronged approach:
- In-house experts on your security team who are continually testing new changes prior to rollout.
- A third-party external pentest performed as a “point-in-time” test of your assets.
- A bug bounty program that invites security researchers from around the world to continually hack against your products.
First and most important is a strong internal security team that proactively works with your development teams to guide them in building secure product features. Internal security should partner with software developers as they move from the planning stages to release.
Second, hire a pentest firm that can do more than simply conduct a standard security audit and deliver a report. Look for those with engineering backgrounds specific to your tech stack. Due to the time-boxed nature of these tests, it helps to have pentesters who know how to exploit vulnerabilities quickly so you get the most out of the engagement.
Finally, scale your security program with a bug bounty program. These programs come in many forms, but we recommend starting with a private program where you control who is invited to hack on your products. Once you have established a good posture for handling the influx of reports, you can then expand the program to be public.
Benefits of bug bounty programs include the ability to capitalize on the diverse perspectives of hackers from around the world. Pathwire rewards security researchers with monetary compensation in the same way bounty hunters cash in when they capture outlaws and fugitives. No application is completely secure, and bug bounty programs bring unknown security vulnerabilities out of the dark and into the light so you can address them.
2. Detection & response
Having a strong detection and response team is a key component of a mature security program. The ability to aggregate and centralize logs allows an organization to have a view into all activities within the environment. Without this, you lack visibility into what is truly occurring at any given time.
Once you have all the logs flowing to a centralized location, it’s time to start defining meaningful alerts from the data you have. Building detection capabilities is an ongoing process and will evolve as your business grows. Keep in mind, threats change every day. So, your detection and response program should also adapt quickly.
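As an added example of turning centralized logs into a meaningful alert (illustrative code, not Pathwire's detection tooling), the following Python takes a handful of constructed, normalized login events and raises an alert when one source IP fails against several distinct accounts and then succeeds, a pattern worth a response playbook on any SaaS login endpoint. The log format, field names and thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed normalized JSON-lines format, as they
# might look once application login logs have been shipped to a central store.
SAMPLE_LOG = """
{"ts": "2021-10-01T12:00:01Z", "event": "login_failure", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2021-10-01T12:00:03Z", "event": "login_failure", "user": "bob", "ip": "198.51.100.7"}
{"ts": "2021-10-01T12:00:05Z", "event": "login_failure", "user": "carol", "ip": "198.51.100.7"}
{"ts": "2021-10-01T12:00:09Z", "event": "login_failure", "user": "dave", "ip": "198.51.100.7"}
{"ts": "2021-10-01T12:00:12Z", "event": "login_success", "user": "erin", "ip": "198.51.100.7"}
{"ts": "2021-10-01T12:30:00Z", "event": "login_failure", "user": "frank", "ip": "203.0.113.9"}
{"ts": "2021-10-01T12:31:00Z", "event": "login_success", "user": "frank", "ip": "203.0.113.9"}
"""

def parse_events(raw):
    """Parse JSON-lines log text into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=3):
    """Alert when one IP fails against >= min_accounts distinct users inside `window`
    and then succeeds: one user mistyping a password (frank) stays quiet, a spray does not."""
    alerts = []
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for e in events:
        ip = e["ip"]
        if e["event"] == "login_failure":
            failures[ip].append((e["ts"], e["user"]))
        elif e["event"] == "login_success":
            recent = {u for t, u in failures[ip] if e["ts"] - t <= window}
            if len(recent) >= min_accounts:
                alerts.append({
                    "ip": ip,
                    "compromised_user": e["user"],
                    "probed_accounts": sorted(recent),
                    "at": e["ts"].isoformat(),
                })
                failures[ip].clear()  # one alert per spray, not one per later success
    return alerts

if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```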
Every organization has security incidents, even if they are unaware something is going on. Prepare your team to respond to the unexpected by proactively building playbooks and automation around incident scenarios.
3. Corporate security
According to the Insider Data Breach Survey 2021, 84% of serious breaches begin with human error. What can your company do to mitigate these kinds of mistakes among staff?
Your corporate security policy is a critical line of defense against attackers. The expectation your customers place on you to secure their data should translate over to your employees and the way they perform their jobs. We recommend using a third-party identity provider to centralize access to all the business apps in your organization. This allows you to ensure employees are using multi-factor authentication (MFA) across the business.
At Pathwire we use Okta to enforce the use of a hardware MFA device that is specific to each employee. These devices provide an extra layer of security because an attacker would be required to have the physical key to obtain access to our systems.
Growth happens fast, and a SaaS company that’s adding users at a fast pace is likely adding employees as well. Over the course of two-and-a-half years, Pathwire’s employee base (including contractors) grew by more than 300%. Solidifying and communicating our cybersecurity policies has been imperative as we’ve grown.
Employee education is key. Providing training to employees on security issues that pertain to their specific roles and responsibilities will help prevent mistakes. Performing routine security checks helps measure the success of that training. Automated phishing emails, office walkthroughs looking for unsecured devices, and random audits reveal how your team can improve.
Corporate security policies should also address the new norm of “always-on” work styles that many employees embrace—especially in the SaaS world. If you have the right controls in place, it is acceptable for employees to use personal devices for work. These controls could include requiring an approved access request before being granted access to production assets or a fully implemented zero-trust architecture.
Proactively defining a “Bring Your Own Device (BYOD)” policy establishes which hardware is acceptable for employees to use.
4. Infrastructure security
SaaS companies can have complex infrastructure to support the data and applications that make up the product. Continually test these assets for misconfigurations and vulnerabilities, just as you would with your application.
Regular proactive scanning catches issues early in the development and testing cycles before something gets released to production. We recommend companies embrace infrastructure as code (IaC) and use automated deployments rather than accessing cloud assets directly.
Reduce direct employee access to infrastructure as much as possible and encourage the use of code to make any changes to the environment. Follow the principle of least privilege: grant access only to those who absolutely need it.
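The pre-release scanning and least-privilege guidance above can be made concrete as a check that runs against IaC before deployment. The following is an added example (not Pathwire's tooling) that lints IAM-style policy documents, contrasting an over-broad policy with a least-privilege one; the JSON shape follows AWS IAM, and the bucket name is a constructed placeholder.

```python
import json

# Constructed policy documents in the JSON shape used by AWS IAM (an assumption
# about the target platform; the bucket name is made up for this example).
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-uploads"},
    ],
}

def _as_list(value):
    """IAM allows a bare string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return findings for Allow statements broader than least privilege permits:
    a global '*' action, a whole-service 'svc:*' action, a '*' resource, or a
    NotAction (which allows everything not listed). An empty list means it passed."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a finding here
        if "NotAction" in st:
            findings.append(f"statement {i}: NotAction allows every action not listed")
        for action in _as_list(st.get("Action", [])):
            if action == "*":
                findings.append(f"statement {i}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: Action '{action}' grants a whole service")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' applies to every resource")
    return findings

if __name__ == "__main__":
    for name, policy in [("broad", OVERLY_BROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, json.dumps(lint_policy(policy), indent=2))
```

A check like this belongs in the CI step that validates IaC, so a wildcard grant fails the pipeline instead of reaching production.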
The concept of defense in depth adds extra layers of protection to infrastructure security. This involves numerous independent methods that defend against an attack. It creates redundancy so that if one method fails, another is there to take its place.
Use a public cloud provider you can trust. Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure are the established leaders in this area, and they are all viable infrastructure solutions. These providers have large security teams that keep their cloud infrastructure safe and they undergo regular audits to ensure there are no issues.
Determine what risks your organization is willing to take with regard to the data you store. Avoid storing anything you don’t actually need for your service to function properly. Things like credit card numbers, social security numbers, and bank account numbers may be unnecessary day-to-day in your application. That’s why Pathwire partners with a third-party payment processor to handle all financial transactions on our behalf, which reduces our risk considerably.
Through acquisitions, Pathwire added two new applications to its product offerings in less than two years. With those acquisitions came a sudden increase in users. As a SaaS company, we are responsible for safeguarding the data and privacy of our customers as well as preventing attacks on the application that start with security weaknesses among users.
Having a dedicated team focused on building features to enhance customer trust keeps the software ahead of exploits. Empower your customers to be security-minded while using your app. Provide functionality such as the ability to view logs natively in the app, see the locations they last logged in from, and revoke outstanding sessions.
As your customer base grows, so does your attack surface. Continually analyze your risks as your customer needs change. This means critically thinking through ways to address specific risks around the use of your platform. Provide options for multi-factor authentication and single sign-on (SSO) so customers can select the authentication options that map best to their risk profiles.
Pathwire utilizes login challenges to add an extra layer of security. A 2019 NYU study on Google’s use of login challenges found that device challenges stopped 94% of phishing attempts and 100% of automated attacks.
Privacy, compliance, and anti-abuse
Anti-abuse measures, as well as compliance with privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), should be top of mind. These laws and regulations are always changing, so stay up to date to remain in compliance.
Keeping bad actors out is crucial for a communication platform like Pathwire. The core reason our business exists is that SMTP, the protocol used to send email, can be easily exploited and abused. Brands rely on us to support a good sender reputation and maximize email deliverability. Therefore, we must keep spammers at bay. That’s why we’ve built a trustworthy email infrastructure for brands working to create connected experiences.
Pathwire pairs powerful, built-to-scale infrastructure with reliable humans to send more than 240 billion emails for our customers every year. Our experts understand the data privacy and security requirements unique to where you and your subscribers are. Sinch, a global CPaaS leader, entered into an agreement to acquire Pathwire on September 30.