# SaaS Security

## Potential Risks and Threats

* Access risk
  * SaaS apps are always on, so anyone can reach them over the internet
  * Credential stuffing & password spraying are common attacks
* Misconfiguration risk
  * Too many administrators
  * Lack of visibility into SaaS security settings and changes
* Shadow SaaS
  * An application deployed in the same cloud account as the main SaaS application
  * The service was deployed without security approval
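The two access-risk attacks named above look alike in a provider's sign-in audit log: one source failing against many distinct accounts, a pattern that per-account lockout never trips because each account sees only a few failures. The detection below is an added example, not code from the original page; the event records, field layout and thresholds are constructed assumptions.

```python
# Added example: separate "many accounts, few failures each" (password
# spraying / credential stuffing) from "one account, many failures"
# (classic brute force) in constructed SaaS sign-in audit records.
from collections import defaultdict

# Constructed sample events: (source_ip, username, outcome). Not real data.
EVENTS = [
    ("203.0.113.10", "alice", "fail"),
    ("203.0.113.10", "bob", "fail"),
    ("203.0.113.10", "carol", "fail"),
    ("203.0.113.10", "dave", "fail"),
    ("203.0.113.10", "erin", "fail"),
    ("203.0.113.10", "frank", "success"),   # a guess eventually landed
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "alice", "fail"),
    ("192.0.2.44", "grace", "success"),     # ordinary login, no failures
]


def classify_sources(events, min_failures=5, spray_users=4):
    """Return {source_ip: label} for every source with >= min_failures.

    'spray_or_stuffing': failures spread over >= spray_users accounts,
                         the shape lockout-per-account does not catch
    'brute_force'      : failures concentrated on fewer accounts
    '+success' is appended when the same source also logged in, which
    is the case a responder wants to see first.
    Thresholds are assumptions; tune them to the tenant's baseline.
    """
    failures = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for ip, user, outcome in events:
        if outcome == "fail":
            failures[ip][user] += 1
        else:
            successes[ip].add(user)
    verdicts = {}
    for ip, per_user in failures.items():
        if sum(per_user.values()) < min_failures:
            continue
        label = "spray_or_stuffing" if len(per_user) >= spray_users else "brute_force"
        if successes[ip]:
            label += "+success"
        verdicts[ip] = label
    return verdicts
```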

## Evaluation of SaaS Security (SANDPIT)

* **S** - Scalability and Resiliency
  * Provider's ability to scale and recover from failure
* **A** - Access Control
  * Who has access to the app?
  * Authentication and Authorization
* **N** - Network and Boundary Controls
  * North-South traffic
    * ingress and egress controls
    * control traffic in and out of the network
  * East-West traffic
    * segmentation
    * Understanding how tenant data is isolated or commingled
* **D** - Data Protection
  * Encryption
  * Managed certificates and keys
  * Use unique keys for each instance
* **P** - Privacy
  * The infrastructure should comply with any laws that matter to your business
* **I** - Incident Response
  * When something happens, the monitoring tools should detect it and show customers when it happened and what happened
* **T** - Third-Party Attestation
  * Annual assessment and report of cloud service provider
  * Conducted by an external auditor (e.g. SOC2)

## Links

* [LinkedIn Learning - Securing SaaS](https://www.linkedin.com/learning-login/share?forceAccount=false\&redirect=https%3A%2F%2Fwww.linkedin.com%2Flearning%2Fsecuring-software-as-a-service-saas%3Ftrk%3Dshare_ent_url%26shareId%3D8fj613EJQMmPlYGFLCd%252B9A%253D%253D)
