SAAS service
► Input Validation
o Validate all input at the server and constrain input for length, range, format, and type. Input
consists of any data, parameter, or communication to the system from sources outside the
system, such as an end-user or another information system.
► Cryptography
o Information systems have properly implemented cryptography.
o Digital certificates must be current, issued by a well-known certificate authority, and
associated with the correct hostname.
o Encryption keys, Initialization Vectors (IV), and salts must be randomly generated.
o Encryption keys must be stored separately from the data they encrypt.
o Encryption keys must be protected during transit or in storage.
o Access to encryption keys must be restricted to authorized personnel.
o Self-decrypting archives, private keys, and symmetric key stores must be protected with a
passphrase.
o A salting mechanism must be implemented for data stored using a cryptographic hash.
o Static salt values must be at least eight bytes in length.
o Digital signature verification should be used when implementing asymmetric encryption.
o Information systems that implement encryption should have a documented process for
regenerating encryption keys should they become exposed.
o Internet facing information systems that implement TLS should obtain extended validation
certificates (EV).
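The salting requirements above (randomly generated salt, at least eight bytes, a salting mechanism for every stored hash) as working code. This is an added example, not part of the checklist; the choice of PBKDF2-HMAC-SHA256 from the Python standard library and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

MIN_SALT_BYTES = 8           # checklist: static salt values must be at least eight bytes
DEFAULT_SALT_BYTES = 16      # generate comfortably more than the minimum
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the hardware that verifies logins

def salt_is_acceptable(salt: bytes) -> bool:
    """Length check corresponding to the eight-byte minimum in the checklist."""
    return isinstance(salt, bytes) and len(salt) >= MIN_SALT_BYTES

def new_salt(length: int = DEFAULT_SALT_BYTES) -> bytes:
    """Randomly generated salt from the OS CSPRNG (never a constant or a user-derived value)."""
    if length < MIN_SALT_BYTES:
        raise ValueError(f"salt must be at least {MIN_SALT_BYTES} bytes")
    return secrets.token_bytes(length)

def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash of a password or similar secret."""
    if not salt_is_acceptable(salt):
        raise ValueError("salt too short")
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32)

def store_record(secret: str) -> str:
    """Encode algorithm, work factor, salt and digest together; the salt itself need not be secret."""
    salt = new_salt()
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${hash_secret(secret, salt).hex()}"

def verify_record(secret: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        rounds, salt, expected = int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: wrong field count, non-numeric rounds or bad hex
    if scheme != "pbkdf2-sha256" or not salt_is_acceptable(salt):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, rounds, dklen=32)
    return hmac.compare_digest(actual, expected)
```

Because the salt is fresh per record, two records for the same password never match, which is what defeats precomputed lookup tables.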
► Secure Communications (Data in Transit)
o Require information systems to encrypt passwords, session tokens, confidential information
and PII in transit.
o Insecure and obsolete communication protocols must not be used:
 a. FTP
 b. Telnet
 c. SSH version 1
 d. RSH (Remote Shell)
o Vulnerable communication protocols must not be used:
 a. SMB version 1 (SMB1)
► Data Confidentiality (Data at Rest)
o Information systems must be designed to encrypt any stored government agency identifiers
(e.g., passport numbers and tax identifiers), financial and confidential information in
accordance
► Accountability & Logging (retained for at least 6 months)
o All log entries must follow logging best practice. Log entries must include the following attributes:
(a) The time and date of the event,
(b) The application associated with the event,
(c) The user or process initiating the event and, if applicable, the subject acted upon,
(d) The remote IP address of the initiating user or process,
(e) Success or failure indication,
(f) A detailed description of the event.
o Adding, granting, revoking, and modifying privileges and roles must be logged.
o Information systems must not log confidential information and PII such as government-issued IDs and
passwords.
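The logging requirements above, as an added example that is not part of the checklist: an audit-log writer that emits attributes (a) through (f), treats privilege and role changes as always-logged events, refuses fields named like credentials or government IDs, and a checker for existing log lines. The field names, identifier patterns and event names are constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

# Attributes (a)-(f); "subject" is only required "if applicable", so it is not in this tuple.
REQUIRED_FIELDS = ("timestamp", "application", "actor", "source_ip", "outcome", "description")
# Constructed list of field names whose values must never reach the log.
FORBIDDEN_FIELDS = {"password", "passwd", "secret", "token", "ssn", "passport_number", "tax_id"}
# Constructed patterns for values shaped like a government ID (US SSN format) or a bearer token.
SENSITIVE_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), re.compile(r"(?i)\bbearer\s+[\w.-]+")]
# Constructed event names for the privilege and role changes that must always be logged.
PRIVILEGE_EVENTS = {"privilege.grant", "privilege.revoke", "privilege.modify", "role.add"}

def redact(text: str) -> str:
    """Replace anything matching a sensitive pattern before it is written."""
    for pattern in SENSITIVE_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def is_privilege_change(event: str) -> bool:
    return event in PRIVILEGE_EVENTS

def audit_entry(application, actor, source_ip, event, success, description,
                subject=None, extra=None, timestamp=None) -> str:
    """Return one JSON log line carrying the required attributes; refuse confidential fields."""
    extra = extra or {}
    leaked = FORBIDDEN_FIELDS & {key.lower() for key in extra}
    if leaked:
        raise ValueError(f"refusing to log confidential field(s): {sorted(leaked)}")
    entry = {
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),  # (a)
        "application": application,                                        # (b)
        "actor": actor, "subject": subject,                                # (c)
        "source_ip": source_ip,                                            # (d)
        "outcome": "success" if success else "failure",                    # (e)
        "event": event, "description": redact(description),                # (f)
    }
    entry.update({key: redact(str(value)) for key, value in extra.items()})
    return json.dumps(entry, sort_keys=True)

def entry_is_compliant(line: str) -> bool:
    """Check an existing log line: required attributes present and no sensitive-looking values."""
    try:
        entry = json.loads(line)
    except ValueError:
        return False
    if any(not entry.get(field) for field in REQUIRED_FIELDS):
        return False
    values = [str(v) for v in entry.values() if v is not None]
    return not any(p.search(v) for p in SENSITIVE_PATTERNS for v in values)
```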
► Information Leakage
o Internal error conditions that reveal detailed information regarding the information system must
not be displayed to users.
o Server-side code must not be sent to an end-user machine other than client-side code used
explicitly for presentation (e.g., HTML and JavaScript).
o Information systems must not be susceptible to directory or file enumeration.
o Information systems must not disclose web service details to unauthenticated users (e.g., WSDL
files).
o Information systems must prevent username harvesting by unauthenticated users.
o Sensitive comments embedded within client-side code sent to an end-user machine must be
removed.
o Network services must be configured to prevent disclosure of information about versions of server
software, installed packages, and configured plug-ins.
o Information systems should not unnecessarily disclose lists of usernames to authenticated users.
► System Design & Architecture, System Configuration, Operations
o Network services must be configured to not allow low-grade TLS encryption and should adhere to the
SSL and TLS Communications Standard.
o Default system or administrative accounts (e.g., bootstrap accounts) must be disabled.
o Web servers must be configured to disallow directory listing.
o Logging of detailed debugging information must be disabled on production systems.
o Only the current non-debug release of production code should be installed on production servers;
nonproduction code and backup files must be removed.
o Web servers must set folder permissions according to least privilege (e.g., disable unnecessary
access, execute and write permissions).
o All operating systems, network devices, services, and applications must have the most current
security patches installed.
o Anti-virus software must be installed, enabled and operational. Anti-virus signatures must be
updated as soon as they are made available by the anti-virus vendor.
o Information systems exposed to the internet must be placed behind a firewall according to the
Information Security guideline DMZ best practice that protects against network-based Denial of
Service (DOS) attacks and restricts both inbound and outbound access to only those network
services which are approved.
o Remote administrative access must be conducted over a secure connection (e.g., SSH-2, VPN,
TLS).
o Intrusion Detection Systems (IDS) must be in place to detect intrusions of production information
systems that are internet facing.
► Backup/restore and DR capabilities
o Data must be backed up, with the ability to restore it as needed.
o A BCP/DR solution must be in place.