A recent IBM security survey of enterprise tech buyers threw up two very useful insights for SaaS companies. Surveyors asked respondents to identify the factors that affect their purchasing behaviour and the results may surprise you.
Software quality was the number one factor affecting enterprise buyers’ purchasing behaviour, i.e. is the solution free from functional bugs?
Software security was the second most important factor in enterprise buying decisions, i.e. have all known security holes in the software been identified and patched?
Now you might think that’s obvious and simple common sense. After all, everyone wants software that just works and won’t get hacked, right?
Ok, but what are you doing about it?
Effortless & effective AppSec is a combination of habit, hygiene and ultimately, good business sense
Tell me, when you finish eating dinner at home, do you place those plates and cutlery back in the drawer or do you wash them?
To re-frame this for you, your plates are on a regular hygiene schedule where eating from them is the trigger for them to be cleaned.
Let me ask you: what is the trigger that launches the security activities when a new version of your web application is ready for production?
Do you have a “dish washing” process to find and eliminate the security vulnerabilities in your SaaS app?
Think about this: if your plates and spoons were to become unusable, they could easily be replaced with a trip to your closest shopping mall. However, if your SaaS/cloud software is infested with security holes, you’ll agree that it would take many more $$$’s and far more upheaval to manage the damage.
A PricewaterhouseCoopers study found that 86% of businesses would sever all ties with a solution provider that has been hacked. So whether you have sales in-house or use outsourced sales solutions, you can safeguard your ROI by taking care of your AppSec fundamentals.
But my SaaS app hasn’t been hacked yet
“Yet” is the critical word here. In fact, statistics from the 2019 Vulnerability Statistics Report show that a vulnerability in a web application is exposed for an average of 69 days before it is discovered.
That means attackers have roughly a 2-month head start on your development team. What they could have installed, downloaded, ripped off or stolen from your servers in those 2 months is mind-boggling:
- Stolen your entire codebase (ie. your valuable IP)
- Downloaded your customers’ sensitive data that they entrusted with you
- Installed crypto mining software maxing out your server resources (have you had to add more capacity recently?)
- Stolen your customers’ payment details if billing is integrated into your SaaS application
- Accessed your secret keys and encryption keys to get back into your system at their leisure
You get the picture – the list really is endless.
But your SaaS app hasn’t been hacked yet, so you might be forgiven for thinking to yourself…
…this Would Never Happen To Me, So Tell Me Something That Will Help Me!
You can take that risk if you want – after all, we live in a (mostly) free world. But what if I gave you an upside to investing in your application security (AppSec) for your cloud software?
Now, as Tony Robbins reminds us, it’s not knowledge that is powerful, but the targeted application of that knowledge. So let me lay out for you what we do to prove our solution as “enterprise ready.”
My company, Audacix, is a SaaS company. Many of the world’s biggest companies use our SaaS test automation software, Qsome. So, like you, we were also keen to figure out how to exploit this information.
We knew that most of our competitors usually focus on pitching their product’s features and benefits throughout the sales process.
Differentiating our solution based on features and benefits was getting harder. After a while, in buyers’ minds, all the features start melding into one massive blob of sales speak.
To get ahead of the pack, we decided to focus on the data and show our prospects a part of us that our competitors were either trying to hide or neglecting altogether.
So, we turned our app’s security into a differentiator. From the start of a sales process right through our customer lifecycle.
This wasn’t just based on a hunch. Enterprise customers have many security-related questions that they may never ask you, but they will have to provide answers to those questions to their internal security teams. So wouldn’t you rather control this narrative than leave it to the whims of others?
Now, what consistently gets us through to the final stages (and beyond) of enterprise sales conversations is a clear understanding of our prospect’s priorities. You see, your SaaS app’s features are meaningless to large enterprises if there is even the slightest chance that your app will leak their sensitive data.
We literally show our prospects the lengths we go to in order to protect their data and their brand, i.e. we show them our “dishwashing” schedule and its results.
When you start a sales process based on trust, rather than features and benefits, you’re more likely to go further.
Don’t get me wrong, we don’t win deals because of our security resilience alone. But because we have evidence to back up our security claims, our ability to prove our security resilience builds trust fast. This has huge benefits for the other aspects of our pitch.
Ok, what AppSec activities can my team get started on by themselves?
There are definitely things your development team should do before engaging an AppSec company to do an exhaustive web application and API penetration test on your cloud software.
Here’s a quick list of must-do AppSec tasks that will cost you no extra to implement:
- Apply all patches and updates to any open source modules or libraries used in your SaaS app.
- Check for, and close, any network ports that shouldn’t be open after each release.
- Ensure directory permissions are not set to 777 (world-writable) on any folder.
- Ensure your app’s HTTP security headers are securely configured – your team can use the free Cyber Chief service to get clear, actionable instructions.
- Repeat the above steps for all your environments – dev, test, pre-prod, staging, prod, etc.
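To make the last four items a repeatable “dishwashing” step rather than a one-off manual review, here is an added example of a release-time check script. It is not Audacix’s or Cyber Chief’s tooling, and the hostnames, port allowlist, directory modes, `ss -ltn` output and header sets it uses are constructed sample data. It takes the same inputs a CI job would gather per environment (a directory listing with modes, the output of `ss -ltn`, and the response headers of the deployed app) and reports what still needs cleaning.

```python
"""Release-time AppSec hygiene checks for a SaaS deployment (added example).

Three checks from the checklist above, written to run once per environment:
  1. world-writable (0777) directories under the deploy root
  2. TCP listeners exposed beyond loopback that are not on the allowlist
  3. HTTP security headers that are missing or weakly configured
The header baseline below is this example's own assumption, not a list from
the page; adjust it to the guidance your header-scanning service gives you.
"""
import os
import re
import stat

# Constructed sample of `ss -ltn` output from a staging host.
SS_LTN_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    0.0.0.0:443          0.0.0.0:*
LISTEN  0       4096    0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     0.0.0.0:6379         0.0.0.0:*
LISTEN  0       4096    [::]:8080            [::]:*
"""

# Constructed (path, mode) pairs as a CI job might collect them.
DIR_MODES_SAMPLE = [
    ("/srv/app", 0o755),
    ("/srv/app/uploads", 0o777),
    ("/srv/app/config", 0o750),
    ("/tmp/app-cache", 0o777),
]

# Constructed response headers: one weak, one hardened.
WEAK_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "Express",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Content-Type": "text/html",
}


def walk_dir_modes(root):
    """Yield (path, permission bits) for root and every directory below it."""
    yield root, stat.S_IMODE(os.stat(root).st_mode)
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # a symlink's own mode is meaningless
                continue
            yield full, stat.S_IMODE(os.stat(full).st_mode)


def find_world_writable_dirs(dir_modes):
    """Return paths whose permission bits are exactly rwxrwxrwx (0777)."""
    return sorted(path for path, mode in dir_modes if mode & 0o777 == 0o777)


def parse_listening_ports(ss_output):
    """Parse `ss -ltn` output into (bind_address, port) tuples."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:8080 too
        listeners.append((addr, int(port)))
    return listeners


def unexpected_listeners(ss_output, allowed_ports):
    """Listeners reachable beyond loopback whose port is not allowlisted."""
    return [
        (addr, port)
        for addr, port in parse_listening_ports(ss_output)
        if addr not in ("127.0.0.1", "[::1]") and port not in allowed_ports
    ]


def audit_security_headers(headers):
    """Return human-readable findings for missing or weak security headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 15552000:  # 180 days
            findings.append("Strict-Transport-Security max-age below 180 days")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("Clickjacking protection missing (X-Frame-Options or CSP frame-ancestors)")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    for leaky in ("server", "x-powered-by"):
        if leaky in h:
            findings.append(f"{leaky} header discloses the software stack")
    return findings


def run_release_checks(env_name, dir_modes, ss_output, headers, allowed_ports):
    """Run all three checks for one environment; empty lists mean 'clean'."""
    return {
        "environment": env_name,
        "world_writable_dirs": find_world_writable_dirs(dir_modes),
        "unexpected_listeners": unexpected_listeners(ss_output, allowed_ports),
        "header_findings": audit_security_headers(headers),
    }


if __name__ == "__main__":
    # The same checks repeated per environment, as the checklist asks for.
    for env, hdrs in (("staging", WEAK_HEADERS), ("prod", HARDENED_HEADERS)):
        report = run_release_checks(env, DIR_MODES_SAMPLE, SS_LTN_SAMPLE, hdrs, {22, 443})
        for key, value in report.items():
            print(f"{key}: {value}")
        print()
```

In a pipeline you would feed `walk_dir_modes("/srv/app")` to the first check, the captured output of `ss -ltn` to the second, and the headers from an HTTPS request to the deployed app to the third, then fail the release if any list is non-empty. Port 5432 is deliberately ignored in the sample because it listens only on loopback; 6379 and 8080 are reported because they are bound to all interfaces and not on the allowlist.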
Once your team has done all the above for a few consecutive releases, then you’ll know that they’re starting to implement the dishwashing schedule in your app development process.
You should accept that doing application security properly is more like scrubbing heavily soiled pots than putting your breakfast bowls in the dishwasher – it will take many cleaning iterations. If a) your team is handling the above steps well and you’re ready to take your AppSec to the next level where it helps your sales process, or b) you want a done-for-you AppSec solution, reach out to me on LinkedIn or talk to my team about your options.
About the author: Ayush is the Co-Founder of Audacix. World-class SaaS and digital software teams use Audacix’s automated software testing and AppSec/penetration testing solutions to avoid “oh s**t Mondays”!