SaaS and Penetration Testing

Delivering software as a service carries with it a range of complexities and responsibilities.  There are questions of reliability, of confidentiality, and critically, of security, all of which we are expertly placed to answer.

The risk to reliability can be mitigated by using cloud-based hosting with failover servers ready to take up the load should a primary server fail.  Store data on redundant disks (RAID) to survive a drive failure, and replicate it across geographical regions to survive the loss of a whole site; note that neither RAID nor replication protects against accidental deletion or corruption, which both copies will faithfully reproduce, so keep tested backups as well.

Confidentiality is delivered through understood procedures and quality employees who don’t leave unencrypted laptops on trains, as well as the fundamental respect for another’s data that is the hallmark of good systems administration.  Full-disk encryption on every laptop turns a lost device from a breach into a lost device, and removes the dependence on any one person’s carefulness.

Security is the great unknown, however.  Recently publicised breaches in computer systems mean that what once was a rarity is now all too common.  So how do we mitigate this?

The answer (at least in part) is penetration testing your production and staging systems, supported by automated scanners such as the excellent ScanMyServer.  Products like ScanMyServer look for vulnerabilities in your deployed application (both existing code and newly developed features) and test to see whether they can actually be exploited.  Automated scanning covers the well-understood classes of flaw quickly and repeatably; a full penetration test adds manual work on business logic and authorisation, which no scanner will find on its own.

Cross-site scripting, privilege escalation, and buffer overflow attacks should be attempted against every element of the product, giving you a complete understanding of where the potential danger points are, and how to close up the vectors by which a malicious agent may try to gain access.  Run the exploit attempts against staging first: a successful overflow or escalation can take a service down, so testing production needs change control and a maintenance window.

Once you start scanning it becomes quite gratifying to see the green results on existing code, and to know exactly what needs to be fixed in the development code before it is promoted to production, where it will handle that most precious of items, client data.  Treat the scan as a gate: nothing moves from staging to production while a finding is still red.
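To make the two ideas above concrete (what a scanner actually tries when it probes for cross-site scripting, and what a green-before-production gate looks like), here is a small added example. It is not code from this page or from ScanMyServer; the two request handlers, the `probe_reflected_xss` check, the marker string and the `release_gate` function are all hypothetical stand-ins for a staging application and a scanner’s reflected-XSS test, and everything runs in-process so no network is needed.

```python
"""Minimal reflected-XSS probe plus a release gate (added example, not the page's own code).

Two hypothetical handlers stand in for an endpoint on a staging server: the
'before' version echoes user input into HTML unescaped, the 'after' version
applies HTML output encoding. The probe is the kind of check an automated
scanner runs against every parameter it finds.
"""
import html
from urllib.parse import parse_qs, quote

# Constructed probe payload. The unique marker tells us the input was reflected
# at all; finding the *whole* payload tells us it was reflected unencoded.
MARKER = "xssprobe7f3a"
PAYLOAD = f'"><script>{MARKER}</script>'


def vulnerable_search(query_string: str) -> str:
    """Hypothetical 'before' handler: echoes the q parameter into HTML verbatim."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f'<input name="q" value="{q}"><p>Results for: {q}</p>'


def hardened_search(query_string: str) -> str:
    """Same handler with HTML output encoding; quote=True also neutralises the
    attribute-breakout (the leading '">' in the payload), not just the tags."""
    q = parse_qs(query_string).get("q", [""])[0]
    safe = html.escape(q, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for: {safe}</p>'


def probe_reflected_xss(handler, param: str = "q") -> str:
    """Send the payload through `handler` as `param` and classify the reflection.

    Returns "vulnerable" (payload reflected verbatim), "reflected_encoded"
    (marker came back but the payload was neutralised) or "not_reflected".
    """
    body = handler(f"{param}={quote(PAYLOAD, safe='')}")
    if PAYLOAD in body:
        return "vulnerable"
    if MARKER in body:
        return "reflected_encoded"
    return "not_reflected"


def scan(handlers: dict) -> dict:
    """Run the probe over every named handler; returns {name: verdict}."""
    return {name: probe_reflected_xss(h) for name, h in handlers.items()}


def release_gate(results: dict) -> bool:
    """The 'all green' condition: True only when nothing came back vulnerable."""
    return all(verdict != "vulnerable" for verdict in results.values())


if __name__ == "__main__":
    results = scan({"search_before": vulnerable_search,
                    "search_after": hardened_search})
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    print("release gate:", "PASS" if release_gate(results) else "FAIL")
```

The interesting verdict is `reflected_encoded`: the input came back, but encoded, so in this HTML context it is safe. A real scanner would repeat the probe with context-specific payloads (inside a `<script>` block, inside a URL attribute, inside JSON) because `html.escape` alone is not sufficient in those contexts; that is exactly why the page’s advice to test every element of the product, not just the obvious form fields, matters.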