Cloud-based multi-tenant SaaS applications are major targets for hackers and other potential threats. Hardware and software security of the application is one of the key concerns that makes potential customers reluctant to adopt any cloud-based product. The maturity and development of hardware, network and datacentre security prove that the environments where applications are hosted and deployed are highly secured and tamper proof, but analysis says the majority of security threats lie at the application level.
Over 70% of security vulnerabilities exist in the application layer, not the network layer. - Gartner
92% of reported vulnerabilities are in applications, not in networks. - NIST
In a typical fully shared, elastic multi-tenant application, where the same instance of the application is consumed by all customers, the risk to both tenant and user data is huge if the application's security architecture does not handle security with the utmost care. The application should consider all possible security attacks during development and be built to handle threats that come both from the external world and from malicious tenants and users inside the system.
When using RBAC (Role-Based Access Control), it is important to grant users only the minimum required privileges and to validate that they cannot gain access to other users' or tenants' data, whether accidentally or permanently. Improper authorization occurs when the access control in a web application is incorrect or missing, allowing unauthorized access to another user's data. A typical example is a less privileged user gaining access to the secured data or resources of other tenants and users.
Common Security threats
- CRLF injection
- Cross-site Request Forgery
- Cross-site Scripting
- Directory Traversal
- Failure to Restrict URL Access
- Insecure Cryptographic Storage
- Insufficient Transport Layer Protection
- LDAP Injection
- Malicious Code
- SQL Injection
The authentication and authorization model must be refined and made more secure in the multi-tenant cloud computing environment. The authorization system must be based on a model defining five parts (Issuer, Subject, Privilege, Interface, Object), which is generally combined with role-based access control (RBAC). During an authorization request, the application must use all of this information to determine whether the request is authorized and valid.
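The least-privilege and tenant-isolation requirements from the RBAC paragraph above, and the five-part (Issuer, Subject, Privilege, Interface, Object) request model just described, can be combined into a single authorization decision. The following is an added example, not Techcello code; the in-memory role, tenant and object tables, the user and object names, and the order of the checks are all assumptions made for illustration.

```python
"""Added example (not Techcello's code): a tenant-aware authorization check over the
five-part request (issuer, subject, privilege, interface, object).

Assumptions (hypothetical): the issuer is the tenant that vouches for the subject's
session; every object belongs to exactly one tenant; roles are per user and grant
privileges on specific interfaces.  All tables below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthzRequest:
    issuer: str      # tenant that issued the subject's credentials / session
    subject: str     # user identifier
    privilege: str   # action requested, e.g. "read" or "write"
    interface: str   # channel used, e.g. "ui" or "api"
    object_id: str   # resource being accessed


# Constructed sample tables (hypothetical data, not from the page)
USER_TENANT = {"alice": "tenant-a", "bob": "tenant-b"}
USER_ROLES = {"alice": {"viewer"}, "bob": {"editor"}}
ROLE_PRIVILEGES = {"viewer": {"read"}, "editor": {"read", "write"}}
ROLE_INTERFACES = {"viewer": {"ui", "api"}, "editor": {"ui"}}   # editors act via the UI only
OBJECT_OWNER = {"inv-1": "tenant-a", "inv-2": "tenant-b"}


def authorize(req: AuthzRequest):
    """Return (allowed, reason).  Every part of the request is checked; a request is
    denied unless all checks pass (deny by default)."""
    # 1. Issuer: the session must have been issued by the tenant the subject belongs to.
    #    A session minted by another tenant must never unlock this subject's roles.
    tenant = USER_TENANT.get(req.subject)
    if tenant is None or tenant != req.issuer:
        return False, "issuer does not vouch for subject"

    # 2. Object: tenant isolation.  The object must belong to the caller's tenant.
    #    Missing and foreign objects get the same answer so the response does not
    #    reveal whether an identifier exists in another tenant.
    if OBJECT_OWNER.get(req.object_id) != tenant:
        return False, "object not found in tenant"

    # 3. Privilege + Interface: least privilege.  Some role of the subject must grant
    #    the requested action on the interface actually being used.
    for role in USER_ROLES.get(req.subject, ()):
        if (req.privilege in ROLE_PRIVILEGES.get(role, ())
                and req.interface in ROLE_INTERFACES.get(role, ())):
            return True, "allowed by role " + role
    return False, "privilege not granted"


if __name__ == "__main__":
    for r in (AuthzRequest("tenant-a", "alice", "read", "api", "inv-1"),
              AuthzRequest("tenant-a", "alice", "read", "ui", "inv-2"),
              AuthzRequest("tenant-b", "bob", "write", "api", "inv-2")):
        print(r, "->", authorize(r))
```

The check order matters: the issuer and object checks run before any role lookup, so a cross-tenant request is refused even when the subject would otherwise hold the privilege, and the denial message for a foreign object is identical to that for a non-existent one.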
What are the effective mechanisms to avoid security threats?
Developing secure multi-tenant applications requires expertise and experience in order to build SaaS applications that are highly secured yet still customizable and configurable. The application architecture should be equipped with techniques to counter all the major threats. Some of these techniques are:
- Continuous Code Reviews during and post production
- Security Audit Log & Security Scanner
- Process Isolation (do not mix one user's data with another user's data)
- Tenant Data Isolation
- Access control Validation
- Client/Server Validation
- URL Security
- Service Level Security
- Data Encryption (encrypting secured data at rest and in transit)
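Several items in the list above (process and tenant data isolation, access control validation, the security audit log, and resistance to SQL injection from the threat list) meet at the data access layer. The following added example, which is not Techcello code, shows a tenant-scoped repository built on Python's standard-library sqlite3 module; the table layout, the invoice identifiers and the audit-log event names are assumptions made for illustration.

```python
"""Added example (not Techcello's code): a tenant-scoped data access layer.

Assumptions (hypothetical): a single `invoices` table in an in-memory SQLite database;
the calling layer has already authenticated the user and established tenant_id from
the session, never from user input.  Sample rows below are constructed.
"""
import sqlite3


class TenantRepository:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE invoices ("
            " id TEXT PRIMARY KEY, tenant_id TEXT NOT NULL, amount INTEGER NOT NULL)")
        self.audit_log = []   # security audit log (in memory for the example)

    def add_invoice(self, tenant_id, inv_id, amount):
        # Parameterized statement: values are bound, never concatenated into the SQL text.
        self.db.execute(
            "INSERT INTO invoices (id, tenant_id, amount) VALUES (?, ?, ?)",
            (inv_id, tenant_id, amount))

    def get_invoice(self, tenant_id, user, inv_id):
        # Tenant isolation by construction: the tenant filter is part of every
        # tenant-facing query, so a caller cannot reach another tenant's rows even
        # with a guessed identifier.  The identifier is a bound parameter, so an
        # injection attempt is compared as a literal string and simply matches nothing.
        row = self.db.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? AND id = ?",
            (tenant_id, inv_id)).fetchone()
        if row is not None:
            return {"id": row[0], "amount": row[1]}

        # Miss.  For the audit log only (an internal, privileged lookup), record
        # whether the identifier exists under another tenant: repeated
        # cross-tenant misses from one user are a signal worth alerting on.
        elsewhere = self.db.execute(
            "SELECT 1 FROM invoices WHERE id = ?", (inv_id,)).fetchone() is not None
        self.audit_log.append({
            "event": "cross_tenant_access_denied" if elsewhere else "not_found",
            "tenant": tenant_id, "user": user, "object": inv_id})
        return None   # the caller gets the same answer in both cases

    def list_invoices(self, tenant_id):
        rows = self.db.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (tenant_id,)).fetchall()
        return [{"id": r[0], "amount": r[1]} for r in rows]


def demo():
    """Seed two tenants and exercise an own-tenant read, a cross-tenant read and an
    injection-style identifier.  Returns the results so they can be checked."""
    repo = TenantRepository()
    repo.add_invoice("tenant-a", "inv-1", 100)   # constructed sample rows
    repo.add_invoice("tenant-b", "inv-2", 250)
    own = repo.get_invoice("tenant-a", "alice", "inv-1")
    foreign = repo.get_invoice("tenant-a", "alice", "inv-2")
    injected = repo.get_invoice("tenant-a", "alice", "inv-2' OR '1'='1")
    listing = repo.list_invoices("tenant-a")
    return own, foreign, injected, listing, repo.audit_log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Keeping the tenant filter inside the repository rather than in each caller is the point: every read path inherits the isolation, and the audit entries give the security scanner or log reviewer a concrete event to look for.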
If only 50% of software vulnerabilities were removed prior to production… costs would be reduced by 75%. - Gartner
The cost of fixing a bug in the field is $30,000 vs $5,000 during coding. - NIST
How Techcello is highly secured
Techcello is a .NET-based multi-tenant application development framework built with all of these core techniques in mind, so that applications built or migrated using Techcello are not compromised by any of these security issues. To prove this, Techcello has been rigorously tested with Veracode, a pioneer in web application security, including static code analysis on compiled binary executables, dynamic web application analysis, manual penetration testing and source code review. This security analysis confirms that Techcello's security framework adheres to the OWASP Top 10 security threats and NIST security guidelines, and it received a score of 98 points for the application tier.
Click here to request the Veracode security audit report.