tag:blogger.com,1999:blog-13756280.post6936423758510460353..comments2024-02-08T03:44:23.780-08:00Comments on Jeremiah Grossman: Cloud/SaaS will do for websites what PCI-DSS has notJeremiah Grossmanhttp://www.blogger.com/profile/05017778127841311186noreply@blogger.comBlogger6125tag:blogger.com,1999:blog-13756280.post-56682446470701664012009-10-07T03:58:06.724-07:002009-10-07T03:58:06.724-07:00Im just listening,thanksIm just listening,thanksDickyhttp://couplehalloween.blogspot.comnoreply@blogger.comtag:blogger.com,1999:blog-13756280.post-87758937037561636982009-10-05T11:18:51.422-07:002009-10-05T11:18:51.422-07:00@jeremiah. You're right in that larger custom...@jeremiah. You're right in that larger customers will be in a position to force good requirements for security into their contract clauses (although requires good engagement between infosec and purchasing which historically may not be good in organisations who are new to this kind of problem)<br /><br />Although when you mention multi-tenancy systems (which a lot of SaaS implementations are), it reminds me of another problem I've encountered several times with testing SaaS. <br /><br />The provider has on many occaisions refused the right to test based on the risk of disclosure of other tenants data and the fact they have no contract with the testing company.<br /><br />Which in a way makes a lot of sense. Say Tenant A hires a group of testers and doesn't do good due diligence on their security/ethical requirements.<br /><br />They test a SaaS vendor with a multi-tenancy implementation in live, get access to customer data through an authZ flaw (one of the more commmon issues in my experience) and then download the database from the system, including the data of other customers.<br /><br />the SaaS vendor is then in a tricky position, as they have no contract with the testers requiring confidentiality.<br /><br />Now in an ideal world they wouldn't have had the flaw in the first place, but then hey, if everyone was good at Web App Sec. there wouldn't be so many jobs for testers!Unknownhttps://www.blogger.com/profile/14256024334330429186noreply@blogger.comtag:blogger.com,1999:blog-13756280.post-65849479550335647682009-10-05T08:17:03.720-07:002009-10-05T08:17:03.720-07:00@Matthew, thanks for the comment. Im not confident...@Matthew, thanks for the comment. Im not confident a "Strict criteria" for rating and comparing security through providers will happen, nor will it need to. Customers, at least some, will have their own criteria for testing and security assurance that they'll pay for out of pocket. It is my believe that these efforts will directly lead to increased security, moreso than PCI-DSS.<br /><br />@Roy, sure... we can say most may not have a clue when it comes to security and will play out just as you said -- however there will be other customers on the system who do (have a clue) and will test the systm for themselves. If the SaaS vendors denies a request, they risk losing the business. <br /><br />Secondly, even if testing and control is limited in some way, the effects of this can be tempered by contractual terms (liability and SLA). While not all customers will get the same terms, the bigger and more important ones will. So when the vendors takes these liabilities into consideration of their overall risk models, the benefits will indirectly filter down to the rest of their clients.<br /><br />In a multi-tenancy system, your right the system only has to be as secure as the most demanding customer -- but, that might be good enough and better than what PCI-DSS would provide.<br /><br />@Anony, possibly I should have a said outsourced and you wouldn't be so focused on semantics.Jeremiah Grossmanhttps://www.blogger.com/profile/05017778127841311186noreply@blogger.comtag:blogger.com,1999:blog-13756280.post-59811536276571332352009-10-04T21:42:56.447-07:002009-10-04T21:42:56.447-07:00You clearly missed the "cloud" where you...You clearly missed the "cloud" where you only focus on SaaS in the cloud.<br /><br />Consider PaaS and IaaS when making "informed" security presentations such as what you have blogged. <br /><br />Possibly, you haven't heard of PaaS or IaaS, or did you just neglect the most two difficult security implementations to protect in the cloud?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-13756280.post-37406767846562329892009-10-04T09:06:25.972-07:002009-10-04T09:06:25.972-07:00Actually, in some ways I'd suggest that the op...Actually, in some ways I'd suggest that the opposite is true. SaaS has the potential to make a application security worse not better.<br /><br />First off a couple of comments on your points. I'd agree that customers will mention that they want "security" from their SaaS providers, but in my experience they rarely know specifically what they want and it could well pass as <br /><br />Customer : "are you secure"<br /><br />SaaS vendor : "of course we are we use 'military grade' encryption"<br /><br />Customer : " great, now back to this cheap service you're telling me about"<br /><br />What's needed to help this is an accepted definition of what a secure web service looks like and for that to get integrated into the contract, but I'd guess that the SaaS vendors won't be hugely in favour of that, as it would impose costs onto them.<br /><br />One reason I think SaaS could actually reduce security is accessibility to testing. Where a customer has control of their environment they can allow appropriate security testing/code review. Where they're using SaaS, they almost definitely can't insist on code review, and in many cases I've seen their contract won't allow for them to request a pen. test of the live site. <br /><br />The best they can hope for is sight of the SaaS vendors report from their testing (if they ask) and even then my experience is that many third party service providers don't like handing those out <br /><br />Of course, all this depends on how large a customer you are of course, or how good your contract is, but for small companies who don't have good expertise in web app. security the likelihood is that they'll just accept what the vendor offers in the way of security assurances and leave it at that, which leaves little incentive for the vendor to improve security beyond the bare minimum of buzzword compliance...Rory McCunehttps://www.blogger.com/profile/02041778936182391744noreply@blogger.comtag:blogger.com,1999:blog-13756280.post-27187237469614440492009-10-02T19:50:31.171-07:002009-10-02T19:50:31.171-07:00IMHO application security will only become a compe...IMHO application security will only become a compettitive advantage when there is some way of comparing the security of cloud providers. Strict criteria needs to be established in order to compare providers and retained centrally so that a google search for provider + security + incident is not the only way of comparison.Matthew Hacklinghttps://www.blogger.com/profile/12211732838162218259noreply@blogger.com