Software as a Service (SaaS) Risks

Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
Now, we've already established that you use software as a service applications nearly every day. But let's consider some of the risks that occur when using software as a service and how they impact the business case. In this module, we're going to talk about those common risks that are associated with using software as a service, identify the key risks to the software as a service business case, and then also talk about some general common threats to cloud platforms.

All right, what are the common software as a service risks? Proprietary data formats are a really significant one that is often overlooked. If a vendor uses a unique data format, the data that the customer provides to the software as a service vendor may be stored and displayed in a unique way. Now, this may be useful and efficient; the app may provide all kinds of great functionality to the customer, but it may prevent the customer from leaving or switching vendors in the long term. Now, this is a very important thing to consider before utilizing a software as a service vendor. Can your data come out of the app easily once it's gone in? This is referred to as data portability: the ability to easily remove your information and switch apps. Consider whether or not this is really a deal breaker when you choose your SaaS vendor.

The other important thing is that the vendor uses a proprietary format. If this vendor were to change their business practices or significantly increase their prices and you couldn't get out, you might experience what's referred to as vendor lock-in: the inability to switch from your vendor once you've started because of that proprietary format.

Another key risk with a software as a service vendor is web application attacks. Web application security is a very important topic, and there are many lessons on it exclusively in later chapters. But for now we're just going to talk about some of the broad, high-level threats associated with web application security. First, when using software as a service, if you're an individual customer, you're probably going to be using a web browser to connect to that software as a service. That exposes a whole host of potential threats that use browsers, browser-based threats. Many browser-based attacks are based on stealing a user's credentials to get access to their information and log in to impersonate them on a software as a service platform, or potentially even injecting code into the platform itself by using vulnerabilities in web browsers.

We've also already talked about application programming interfaces. We've talked about them at the infrastructure as a service level, as well as the software as a service level. Basically, these APIs are going to be used so that applications can talk to each other. Now, those APIs, if not properly maintained, open up a whole host of risks themselves, such as security misconfigurations that potentially allow a malicious threat actor to manipulate things. There could be data exposure as a result. If the API isn't properly maintained, there may be insufficient logging and monitoring to capture threats that occur, or suspicious activity that's being done on the API and how it's being abused.

As we talked about before, virtualization: now we are just about to get into a whole lesson on virtualization and its threats. But just remember, when using virtual environments, there are risks of information bleed in side-channel attacks, where changes in the hardware cache can provide hints about privileged information that attackers can infer using this kind of attack. But we are about to get into that in much more detail in our next lesson.

Let's go to a quiz question. What data risk should be addressed before using a software as a service vendor? One, yearly cost increases. Two, proprietary data formats. Three, the update schedule.

If you said two, proprietary data formats, you're correct. Now, although yearly cost increases and the update schedule may be risks themselves, this is the one particular to data risks. A yearly cost increase may be an operational risk, or something to keep in mind to ensure that the business use case still works for software as a service. The update schedule may impact your application. As we said, one of the risks for Platform as a Service was that changes in the operating system when updates were applied could cause your application to break. It's always good to understand the update schedule and how it may affect your use of the application. But in terms of data risks, proprietary data formats are the key risk to focus on in this context.

In summary, we talked about the common risks of Software as a Service. We talked briefly about some of the high-level countermeasures. We talked about how, when using software as a service, you really have to make sure that you're securing browsers as well as the APIs that are used to connect to the service, to prevent all those web application attacks from being successful. We also talked about the problems that are associated with proprietary data formats, ensuring you're not locked into a vendor. Of course, virtualization threats are still present when using software as a service. All right, I'll see you in the next module.