Tag Archives: SaaS

How to convert a web application to a multi-tenant SaaS solution

Of course, putting an application into a cloud data center is not enough. You have to think about application security, data security and compliance such as PCI DSS 2.0 or HIPAA if you are in the life science space.

But, in addition to cloud security, you need to make sure that your Web application is multi-tenant, i.e. that you can support multiple customers in the same application; otherwise, the entire model is not going to scale very well.

You’ve built a single-tenant web-enabled application, but need to make it compatible with and effective in a cloud environment. What steps do you need to take to convert your application to a full-fledged, multi-tenant, cloud-ready SaaS application?

This article from IBM is a good checklist: How to convert a web application to a multi-tenant SaaS solution.

Tell your friends and colleagues about us. Thanks!
Share this

Securing Web services in the cloud

Almost every SaaS (software as a service) offering is based on REST or XML Web services. In this post, I'd like to provide a brief introduction to some typical threats to Web services and the security countermeasures that protect against them:

Malicious Attack on the message

The beauty of HTTP Web services is that traffic flows through ports 80 and 443 and uses a human-readable format (XML or JSON). This is also the key vulnerability. A typical IT / system administration approach that relies on protecting Web service providers with a firewall/IPS setup is not very effective. We will explain why.

Firewalls do a good job of port monitoring and of recognizing brute-force attacks, but they are not good at viewing the content of messages in order to detect and prevent more sophisticated security compromises. While most firewalls can recognize SOAP as well-formed HTTP traffic, they cannot inspect the actual content of the SOAP message or JSON data. Web service interfaces are much more complex than Web site interfaces, which exchange HTML pages and forms. Web service interfaces are like software APIs and expose database functionality. In addition, an attacker has more information available to them: the message is often self-describing and clearly shows the data elements.

A Web service provider is a juicy, self-describing target.

Replay Attack
Similar to denial of service, replay attacks involve copying valid messages and repeatedly sending them to a service. Similar techniques for detecting and handling denial of service can be applied to replay attacks. In some ways, replay attacks are easier to detect with Web services because payload information is more readily available. With the right tools, patterns can be detected more easily even if the same or similar payload is being sent across multiple mediums like HTTP, HTTPS, SMTP, etc.

Buffer Overflow
An attacker can send a parameter that is longer than the program can handle, causing the service to crash or the system to execute undesired code supplied by the attacker. A typical method of attack is to send an overly long request, for instance a password with many more characters than expected. Similar to buffer overflow attacks, hackers often send malformed content to produce a similar effect. Sending in strings such as quotes, open parentheses and wildcards can often confuse a Web service interface.

Dictionary Attack
Dictionary attacks are common: a hacker may either manually or programmatically guess passwords to gain entry into the system. Administrators should ensure that passwords are difficult to guess and are changed often.

Intrusion Detection of attacks by malicious outsiders
Proactively securing against every possible misuse of Web services is almost impossible. Security policies and strict access control management should help reduce the occurrence of intrusions. An IPS will detect anomalous attack behavior and, if monitored, may help the security team mitigate the threat.

Extrusion detection of attacks by trusted insiders
Attackers are usually thought to be outside of the organization. However, most security breaches occur from within the organization. With Web services, more functionality is available to more people. Access to confidential information or embezzlement of funds are just some of the possible internal security breaches that can be performed by employees or former employees. Because employees are the most familiar with internal systems, detection can be extremely difficult. Unintentional compromises are also possible: if an interface is unsecured, an employee may accidentally access information that they are not intended to view. Since firewalls are insufficient against data breaches, a DLP (data loss prevention) system such as Fidelis XPS or Websense DLP is required.

Threat containment
Once a security breach is detected, being able to shut down systems and reject traffic from specific sources is important for handling a compromise. A DLP system provides real-time detection, forensic recording and the ability to drop traffic from specific source IP addresses in order to properly mitigate the threat.


Why Rich Web 2.0 may break the cloud

There are some good reasons why cloud computing is growing so rapidly.

First of all there are the technology enablers: bandwidth and computing power are cheap. Software development is more accessible than ever. Small software teams can develop great products and distribute them worldwide instantly.

But cloud computing goes beyond supply-side economics and directly to the heart of the demand-side – the customer who consumes IT.

Consuming computing as a utility simplifies life for a business. It's easy to understand (unlike data security technology) and it's easy to measure the economic benefit (unlike governance, risk and compliance activities).

Cloud computing is more than an economic option; it's also a personal option. Cloud computing is an interesting, almost revolutionary consumer alternative to internal IT systems due to its low cost and service utility model.

Current corporate IT operations provide services to captive "users" and empower management (historically, information technology has its roots in MIS, management information systems). When IT vendors go to market, they go to the CxO executives. All the IT sales training and CIO strategies are based on empowering management and being peers in the boardroom. Sell high, don't sell low. After all, employees don't sign checks.

But cloud computing is changing the paradigm of top-down, management-board decision-based IT. If you are a sales professional and need a new application for your business unit, you can acquire the application like a smart phone and a package of minutes. Cloud computing is a service you can buy without a corporate signature loop.

An employee in a remote sales office can sign up for Salesforce.com ($50/month for 5 sales people) or Google Apps (free up to 50 users) and manage software development on github.com (free for Open Source).

So far, that's the good news. But in the Cloud of rich Web 2.0 application services, we are not in Kansas anymore. There is a very good reason to be worried. With all the expertise of cloud security providers, the Web 2.0 service they provide is only as secure as the application software itself.

The current rich Web 2.0 application development and execution model is broken.

Consider that a Web 2.0 application has to serve browsers and smart phones. It's based on a heterogeneous server stack with 5-7 layers (database, database connectors, middleware, scripting languages like PHP, Java and C#, application servers, web servers, caching servers and proxy servers). On the client side there is an additional heterogeneous stack of HTML, XML, Javascript, CSS and Flash.

On the server-side, we have

  • 2-5 languages (PHP, SQL, tcsh, Java, C/C++, PL/SQL)
  • Lots of interface methods (hidden fields, query strings, JSON)
  • Server-side database management (MySQL, MS SQL Server, Oracle, PostgreSQL)

On the client side, we have

  • 2-5 languages (Javascript, XML, HTML, CSS, Java, ActionScript)
  • Lots of interface methods (hidden fields, query strings, JSON)
  • Local data storage – often duplicating session and application data stored on the server data tier.

A minimum of 2 languages on the server side (PHP, SQL) and 3 on the client side (Javascript, HTML, CSS) turns developers into frequent searchers for answers on the Internet (many of which are incorrect), driving up the frequency of software defects relative to a single-language development platform where the development team has a better chance of attaining maturity and proficiency. More bugs mean more security vulnerabilities.

Back-end database servers interfaced to front-end scripting languages like C# and PHP come with built-in vulnerabilities to attacks on the data tier via the interface.

But the biggest vulnerability of rich Web 2.0 applications is that message passing is performed in the UI in clear text, literally inviting exploits and data leakage.

The multiple interfaces, clear text message passing and the lack of a solid understanding of how the application will actually work in the wild guarantee that SQL injection, Web server exploits, JSON exploits, CSS exploits and application design flaws that enable attackers to steal data will continue to star in today's headlines.

Passing messages between remote processes on the UI is a really bad idea, but the entire rich Web 2.0 execution model is based on this really bad idea.

Ask a simple question: how many ways are there to pass an array of search strings from a browser client to a Web server? Let's say at least two: comma-delimited strings or JSON-encoded arrays. Then ask another question: do Mozilla (Firefox), Webkit (Chrome) and Microsoft IE8 treat client data transfer in a uniform, vendor-neutral, standard way? Of course not. The list of Microsoft IE incompatibilities or different interpretations of W3C standards is endless. Mozilla and Webkit transmit UTF-8 url-encoded data as-is in a query string sent to the server. But Microsoft IE8 takes UTF-8 data in the query string and converts it to ? (yes, question marks) in an XHR transaction unless the data has been previously uri-encoded. Are browser incompatibilities a source of application bugs? Do these bugs lead to software security vulnerabilities? Definitely.
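The two encodings the question above contrasts, side by side, as an added example that is not code from the original post: the comma-delimited form is ambiguous and leaves non-ASCII text to browser-specific handling, while a JSON array passed through encodeURIComponent goes over the wire as pure ASCII in every browser and round-trips exactly; the server side validates what it gets back. The parameter name "q" and the size limit are assumptions.

```javascript
// Added example, not code from the original post. Two ways of passing an array
// of search strings from the browser to the server: a comma-delimited list
// (ambiguous, and non-ASCII handling is left to the browser) and a JSON array
// passed through encodeURIComponent (pure ASCII on the wire, exact round-trip).
// The parameter name "q" and the 2048-byte server-side limit are assumptions.
const MAX_Q_BYTES = 2048;

// Client side: build the query string.
function commaDelimitedQuery(terms) {
  return "q=" + terms.join(",");            // raw text; the browser decides how to send it
}
function jsonQuery(terms) {
  return "q=" + encodeURIComponent(JSON.stringify(terms));
}

// Server side: parse it back. URLSearchParams percent-decodes as UTF-8.
function parseCommaDelimited(qs) {
  return new URLSearchParams(qs).get("q").split(",");
}
function parseJson(qs) {
  const raw = new URLSearchParams(qs).get("q");
  if (raw === null || Buffer.byteLength(raw, "utf8") > MAX_Q_BYTES) {
    throw new RangeError("q missing or too long");
  }
  const value = JSON.parse(raw);              // throws SyntaxError on malformed input
  // JSON can carry objects, numbers and nesting, so validate the shape before use.
  if (!Array.isArray(value) || !value.every((s) => typeof s === "string")) {
    throw new TypeError("q must be a JSON array of strings");
  }
  return value;
}

// Constructed input: a Hebrew term and a term that itself contains a comma.
const SAMPLE_TERMS = ["שלום", "a,b", "x"];

function queryDemo() {
  return {
    commaRoundTrip: parseCommaDelimited(commaDelimitedQuery(SAMPLE_TERMS)), // 4 items, not 3
    jsonRoundTrip: parseJson(jsonQuery(SAMPLE_TERMS)),                       // exact copy
    jsonIsAscii: /^[\x20-\x7e]*$/.test(jsonQuery(SAMPLE_TERMS)),            // true
  };
}
```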

So, it’s really easy to develop cool Web 2.0 applications for seeing who’s hot and who’s not. It’s also cheap to deploy your totally-cool social networking application on a shoestring budget. Facebook started with a budget of $9,000 and so can you.

But, it’s also totally easy to hack that really cool rich Web 2.0 application, steal personal data and crash the system.

A standard answer to the cloud security challenge is writing the security into the contract with the cloud service provider.

Consider, however, who the customer of that cool social media application running in the cloud on some IaaS (infrastructure as a service) is. If you are a user of a cool new free application, you cannot negotiate or RFP the security issues away, because you are not the customer. You generate content for the advertisers, who are the real customers.

With a broken development and execution model for rich Web 2.0 applications, the cloud computing model of software as a service utility is not sustainable for all but the largest providers like Facebook and Salesforce.com. The cost of security is too high for the application provider and the risk of entrusting valuable business IP and sensitive customer data to the cloud is unreasonable. Your best option is to hope that your cool Web application will succeed small-time, make you some cash and enable you to fly under the radar with a minimal attack surface.

Like your first girlfriend told you: it's not you, it's me.

It’s not the IT infrastructure, it’s the software.


Host your own SaaS with Open Source – the potential of Mosso

Show me a profitable business application-as-a-Service (SaaS) company.

There is a lot of trade talk about the success of Salesforce.com. Here is a company with a $3.2BN market cap as of Oct 26, 2008, currently trading at 24, down from 72 five months ago.

In 2007, SF.com posted a net income of $480K on revenue of $497M. Compare this to BMC Software, a software vendor that provides system and service management solutions for the enterprise. BMC has a current market cap of $4.2BN, trading at 23, down from 39 three months ago. In 2007, BMC Software posted $215M net income on $1.5BN in sales.

In plain language, Salesforce.com does not or cannot charge high enough prices for its services to sustain long-term profitability and growth. At low price points, free Open Source on inexpensive hosting becomes a highly competitive alternative, especially for an SME.

Five years ago, the barrier to entry was application functionality, but today free Open Source line-of-business applications like SugarCRM Community Edition are mature, full-featured applications with very few, if any, missing features, plus some unique advantages that Open Source offers. Salesforce.com imposes a unique IP address/user constraint which can be very annoying. In SugarCRM, if you get logged out when your IP address changes dynamically, just change one line in config.php, from

‘verify_client_ip’ => true, to false

Bear in mind that this check ties a session to the client IP address it was started from, so turning it off removes one safeguard against session hijacking.

Suppose you need a CRM system (if you're a large shop, you already have one, like Siebel). We're a small group of 5 guys; we were using Salesforce.com with one of our business partners and wanted to use SF.com for our own business. The cost is $325/month, or almost $4,000/year for 5 users. You can get 90% of the functionality from SugarCRM for the cost of a one-time installation (which will take less than an hour of your time, or about $150 if you pay someone) and $15/month for hosting (if you use dreamhost.com, like we do). That's a net savings of $3,000/year. dreamhost.com gives us 700GB, more than SF.com, and the response time is at least as good.

I know you're saying that dreamhost.com at $15/month can't compete with the scalability, reliability and service levels of SF.com. Maybe, maybe not; but if you want muscle, consider Mosso.

For $100 per month, Mosso will sell you 80 GB of SAN storage, 2000 GB of bandwidth, a control panel to create sites, email accounts, databases, etc. and customer support.

Mosso says it takes a radically different approach to Web hosting, using enterprise-level architecture. It deploys each website across clusters of servers, so when a server crashes or a hard drive fails, the other servers in the cluster pick up the slack without downtime. Their promise: for every 1 hour of downtime, they will reimburse you for 1 day off your bill.
