SaaS is cool. You get up and running quickly, and get tremendous new capabilities in just a few clicks. Dozens of SaaS products have become popular, and new solutions are emerging every day. Adoption is growing very fast.
The drawback: Data is propagated to various vendors. Evaluating the security of third-party SaaS solutions is one of the top criteria when choosing a solution. Because protecting your data is critical, getting visibility about security measures in place before choosing a SaaS product is now mandatory.
We released OpenDoor to help discover, evaluate, and compare the level of security of popular SaaS products and provide transparency about the security measures in place. You can now quickly evaluate the robustness of the SaaS solutions you use, and make informed decisions about which SaaS solutions to adopt.
OpenDoor collects and compares a dozen technical and non-intrusive security indicators. Each security indicator is assessed from hundreds of data points collected automatically. A security grade is computed from those indicators.
Getting an A+ grade doesn’t mean that the service is 100% safe, but it does provide an overview about how the security is being handled.
Not all SaaS products handle security the same
Not all SaaS products are equal. Unsurprisingly, the payment industry (18 SaaS products tested) has an average security grade of B+. The e-commerce SaaS solutions (11 solutions evaluated) have an average grade of C. Devtools SaaS solutions also show a concentration of A-B security grades.
Browsing the data, it is clear that there are tendencies for each category.
Also, unsurprisingly, SaaS champions are often at the top of the rankings. Salesforce, Intercom, Buffer, and Zendesk are all ranked A. They all offer a Security Policy detailing the measures in place to protect your data. In particular, Zendesk’s Security page is a great example.
As SaaS products hold sensitive user data, it is not a surprise that most of them disclose a security policy. Bug bounty programs and security pages can be set up fast and do not require technical expertise. They are often a good starting point. 80% of the tested products have a public security policy available, and only 37% of them have a bug bounty (or responsible disclosure) program.
The security indicators are technical facts and have been collected automatically. Here are the criteria evaluated.
HTTP security headers can be implemented by the website to protect against different kinds of attack or abuse, such as cross-site scripting attacks, clickjacking attacks, and content injections. OpenDoor checks the implementation of 9 different security headers.
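To make the header indicator concrete, here is an added example of the kind of check a scanner performs on a response: it is not OpenDoor's code, and since the post does not name its nine headers, the header set, the value tests and the grade thresholds below are assumptions.

```python
import re

# Assumed header set: the post says nine headers are checked but does not
# list them, so this checker covers five common ones with a value test each.
HSTS_MIN_AGE = 15552000  # six months in seconds (assumed threshold)


def _hsts_ok(value: str) -> bool:
    # HSTS only counts when a reasonably long max-age is set.
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return match is not None and int(match.group(1)) >= HSTS_MIN_AGE


HEADER_CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: "default-src" in v or "script-src" in v,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
}


def check_headers(headers: dict) -> dict:
    """Map each checked header to 'ok', 'weak' (present but lax) or 'missing'."""
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    results = {}
    for name, is_strong in HEADER_CHECKS.items():
        if name not in lowered:
            results[name] = "missing"
        elif is_strong(lowered[name]):
            results[name] = "ok"
        else:
            results[name] = "weak"
    return results


def grade(results: dict) -> str:
    """Letter grade from the share of headers that are both present and strong."""
    ratio = sum(1 for s in results.values() if s == "ok") / len(results)
    for letter, threshold in (("A", 1.0), ("B", 0.8), ("C", 0.6), ("D", 0.4)):
        if ratio >= threshold:
            return letter
    return "F"


# Constructed response headers, as a scanner would see them after a GET.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "ALLOWALL",  # present, but does not prevent framing
    "X-Content-Type-Options": "nosniff",
}
```

With the sample above, three headers are strong, one is weak and one is missing, which this toy scale grades as C.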
Encrypting communications is not only about privacy, but is also about users’ safety, since it will prevent most attempts at tampering with data. OpenDoor checks the level and quality of encryption used by the service with an algorithm forked from SSLLabs.
Web application protection blocks major attacks performed against websites. It provides monitoring capabilities and defenses against attacks such as SQL injections, XSS attacks, account takeovers, or code injections. It can also detect user accounts performing attacks against the website.
Critical network resources, such as remote administration services, should not be exposed to the public. They can provide critical information to attackers, expose vulnerabilities, or be misconfigured. Using a bastion host is usually recommended to isolate such critical network resources.
The Domain Name System (DNS) is the Internet standard for mapping a name to an IP address. Insecure DNS configurations can help attackers redirect users to a malicious website. This attack can compromise traffic integrity and confidentiality.
Two-factor authentication helps to protect user accounts from account takeover attacks. If login details are stolen, an attacker will not be able to connect without the second factor.
Even if the website uses SSL encryption to protect users’ data in transit, some information might still be sent in the clear. Mixed content occurs when part of the website data is loaded over a secure connection (encrypted with SSL), but other data (images, videos, stylesheets, scripts, etc.) is loaded over an insecure connection.
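Mixed content is straightforward to detect statically once the page is fetched. The following is an added example (not OpenDoor's code) that walks the HTML of an https page and reports every sub-resource resolving to a plain http URL; the set of tag/attribute pairs it inspects and the sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that load sub-resources (assumed list for this example).
RESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "video": "src",
    "audio": "src", "source": "src", "link": "href",
}


class MixedContentFinder(HTMLParser):
    """Collect sub-resources fetched over plain http:// from an https:// page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute url)

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # Only a stylesheet <link> actually loads a resource; skip the rest.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        value = attrs.get(attr_name)
        if not value:
            return
        # Relative and protocol-relative ("//cdn...") URLs inherit https.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))


def find_mixed_content(page_url: str, html: str) -> list:
    """Return [(tag, url), ...] for every insecure sub-resource on an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only meaningful on an encrypted page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed page: one script and one logo over http, the rest secure.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/static/app.css">
<script src="http://cdn.example.net/lib.js"></script></head>
<body><img src="http://img.example.net/logo.png">
<img src="//img.example.net/hero.png">
<video src="https://media.example.net/intro.mp4"></video></body></html>"""
```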
A risk score is computed from information such as the use of a proxy, VPN, or Tor, and whether the IP address was part of previously detected attacks.
Spam detection
Spam blacklists (also known as Domain Name System Blacklists) are lists of domains used in spam campaigns.
A public security policy is a page, usually hosted on the company website, describing how the company protects its data and customers. It can also contain information such as a security contact (or Data Office), or how to report security bugs. It can also be used to announce an internal bug bounty program.
A bug bounty program allows external security researchers to report vulnerabilities. Most bug bounty programs provide a reward or recognition for reporting security vulnerabilities. These programs allow engineering teams to fix security vulnerabilities before they are exploited by malicious attackers.
OpenDoor shows a great disparity in the way SaaS companies deal with security. On an optimistic note, most SaaS companies now have a strong focus on security questions and care about their customers’ data privacy. We will update OpenDoor to show the improvements made over time, which will be a great indicator.
We will soon release thousands of new SaaS vendors and will update OpenDoor. If you want to challenge us on the criteria we chose, we’d love to have your feedback. Don’t hesitate to contact us.
Stay tuned. Stay safe!