What Cybersecurity Attestations Should You Look for in a SaaS Provider?

ISO 27001 is manageable and not out of reach for anyone!

It’s a process made up of things you already know – and things you may already be doing.
Get your ISO 27001 Roadmap – Downloaded over 4,000 times

Download Now!

Last Updated on January 19, 2024

Software-as-a-Service (SaaS) providers need to be alert to a uniquely broad and complex range of information security risks impacting every business area, from their hosted production environments to their application code to their project management tools to their networks to their people.  

As a SaaS consumer, how can you assess a SaaS firm’s security and the vendor risk they present? What cybersecurity attestations, certificates and/or credentials should you be asking for?

On a recent episode of The Virtual CISO Podcast, host John Verry asked that question of our guest Ryan Buckley, a long-time SaaS security consultant and software security expert: “So let’s say Pivot Point is about to go out and license a SaaS, and we’re going to put what we call ‘client confidental’ information in there. If I came to you and asked, ‘Hey, I’ve got Company A and Company B, they offer virtually identical products. Company A says they have an ISO 27001 certificate or a SOC 2 Type 2 report, but I didn’t get a warm and fuzzy about what security tests they do in the application. [Whereas] Company B has an OWASP ASVS Level 2 assessment done that looks fantastic, but they don’t have a SOC 2 report or an ISO certificate. Which way would you lean?”

A big component of software product security, of course, is the security verification and testing methodology (or lack thereof) being used. 

Ryan clarifies: “One of the unfortunate, but normal and natural aspects of a hot, young company is that the quality and security of the software depends on the talent of the people coding.”
“It’s great that every company is young once and every company is without procedures and consistency. But at some point in your growth as a software company, you do need a secure software development lifecycle (SDLC) that establishes a methodology for the developers and the DevOps people, if you have them (or maybe the same guy is wearing both of those hats) where there are rules established on how to quality-check your code,” Ryan adds. “At what stages do you need a peer review by another developer? At what stage do you need to run a code security scan? Under what circumstances can you promote code up the tree or promote something to production?”
“We don’t want single people doing any of those above-average risk type maneuvers, like writing a key piece of code and putting it in a product without getting the approval of a peer and a supervisor,” asserts Ryan. “What I’m talking about is having a documented company policy or team level procedures—some rules of the road. A development methodology and establishing the bumpers on the bowling lane for the developers to stay within. And they need to understand the rights and wrongs of software development.”
If you are concerned with SaaS security (or software security in general) on any level, don’t miss this podcast with Ryan Buckley. 
To hear the complete show, and also get your ears on our growing range of tell-it-like-it-is information security podcasts, you can subscribe to The Virtual CISO Podcast here.  
If you don’t use Apple Podcasts, you can access all our episodes here.  

ISO 27001 is manageable and not out of reach for anyone!

It’s a process made up of things you already know – and things you may already be doing.
Get your ISO 27001 Roadmap – Downloaded over 4,000 times

Download Now!