Shifting an organization’s perspective to a place where security creates revenue-generating value is more than an aspirational vision – with each passing quarter, it is evolving into a strategic necessity for SaaS vendors. The increasing frequency and amplitude of adversarial successes have served to move risk closer to the front of every potential customer’s mind.
And as capital markets have tightened, profitability and cash flow have risen to become a top consideration for venture capital. In this climate, security spending must be controlled, and a lack of operational clarity in this area represents a direct risk to new investment. Further, Gartner warns that personal liability for cybersecurity incidents is now an imminent threat for corporate leadership, up to and including the C-suite. The recent indictment of SolarWinds’ CISO indicates that this momentous development is already in motion.
The need for trust in SaaS security, both real and perceived, is rapidly expanding into every corner of our online world. But moving security into an organization’s top-line strategy is a more complex problem than “shifting left,” that is, systematically integrating security processes into the software development process. Correlating the historical goals and root processes of cybersecurity with the realities of the current threat landscape leads to some important conclusions about the uncertain path to sustainable, effective security operations for SaaS.
Challenge: Uncertainty and Reactive Cybersecurity
Uncertainty is a foundational issue for cybersecurity and risk management in application development. It is pivotal to consider when executing business strategy in SaaS companies, because leaders must effectively balance the revenue that software generates with the costs to secure and manage the risk generated by the same code. Businesses struggle in this area because of the following:
- The belief it is impossible to create an effective countermeasure to mitigate uncertainty, and thus risk.
- A focus on scoring systems that target technical security measurements without defining the business value of those measurements.
- The view of cybersecurity as a cost center, i.e., a bottom-line item, and therefore a reduced priority versus other critical top-line initiatives.
As a result, security has historically been viewed as primarily a response to uncertainty – the additional overhead cost associated with manufacturing the product (software) that is being used to generate revenue. But this reactive interpretation actually increases overall risk because it creates the very blind spots that adversaries, like eCrime groups, are looking for. This status-quo view continues the inefficient systemic separation of development and IT infrastructure from security practices, leading to the following negative outcomes:
- Inefficient operations. In the traditional SaaS paradigm, development is regarded as lacking responsibility for security (an environment of “open permissions”) and security professionals, such as AppSec, are responsible for all security (gatekeepers). This siloed approach increases rework to deploy, delays time to revenue, and the operational expenses just add to the maintenance of inefficient, reactive cybersecurity processes.
- Increased vulnerability. Reactive cybersecurity leaves developers without the tools required to reduce security issues and relies on security teams to own risk reduction with limited influence. The resulting tradeoffs create blind spots that further increase cybersecurity debt from the accumulation of vulnerabilities, which can become a source of risk to the organization. As the security team prioritizes reactive security activities based on business risk, an industry-accepted phase of process maturity, the tradeoffs and blind spots can be magnified. Over time, the struggle to maintain the patchwork results in lost productivity, poor customer experience or, in the worst case, lost customer information.
- Lack of accountability. Is it the responsibility of development or security to ensure that the SaaS is secure? Developers without tools to secure their code, and security without influence over the conditions that give rise to vulnerabilities (i.e., without clearly defined security processes at the code and ops levels), leave both teams without sufficient ownership to be accountable for the outcome.
- Human error. A reactive cybersecurity approach is process-heavy, yet often lacks adequate automation, and relies on human planning, action, and review, leading to errors in judgement and execution.
- Lack of flexibility. From a process perspective, as long as security detection and protection measurements are siloed from development and DevOps, security must continue to be both reactive and a cost center. Although more sophisticated tracking and measurements are possible, this rigidity is a competitive disadvantage in today’s business landscape.
- High costs. The collective impact of the above items increases costs to the business that can severely reduce cash flow and profitability – aside from the projected impact of a security event on your business, which could be an unrecoverable cost.
Although a reactive, siloed approach toward SaaS security is widely accepted practice today, it is the cause of major operational challenges, drives high costs, and impedes a SaaS company’s critical ability to leverage security for revenue-generating advantage. Next, we’ll examine the disadvantages this approach presents for sustainable security.
Challenge: Reactive Cybersecurity in Today’s Security Landscape
Like any business, eCrime groups are driven by revenue, making decisions based on cost, margin, and risk. And, like any business, eCrime groups focus on maximizing revenue potential by keeping overhead low and executing repeatable acquisition models. Fortunately for them, and unfortunately for most organizations, the traditional, reactive cyber risk mitigation methods are well known, error prone, and offer eCrime repeatable success.
The traditional method for mitigating cyber risk is to use large teams of security experts and costly technology, best of breed tooling, and the design, integration, operation, updating, and lifecycle management of the selected security technologies. This approach is costly and labor intensive, and for many it has been a failed strategy. Evidence of failure is not difficult to find in either Verizon DBIR or Mandiant Global Threat Reports over the past few years.
Moreover, industry and enterprises have been trying to tackle reactive identity and vulnerability management for decades, and it simply does not work. According to the 2023 Mandiant global threat report, there has been a continued shift away from malware use with malware-free activity being 71% of all their detections in 2022 (up from 62% in 2021). This was attributed to two causes:
- Adversaries’ prolific abuse of valid credentials to facilitate access and persistence in victim environments.
- The rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits.
These Living off the Land (LOTL) attacks have become the go-to strategy for adversaries, due largely to the simplicity of leveraging what is already present rather than downloading something new, and it can be difficult to identify behavioral deviations when adversaries are using the same products used by valid users (e.g., PowerShell, WMI, Scheduled Tasks, BITSAdmin, PuTTY).
As a product strategist, it is important to weigh the risks and benefits of designing and building your products and services the same way everyone in the past has built them, configuring your stack exactly in the manner that adversaries have optimized their business models to breach, and continuing to invest in reactive security processes that have suffered so much failure.
Solution: Moving Security to the Top Line
Now, more than ever, it’s clearly critical to shift your organization’s strategy to a new paradigm – one that recognizes security’s revenue-generating value, considers security as a strategic priority, and changes operational behavior from reaction to informed proaction. A shift from reactive, repeatable patterns into the automation of informed and purposeful analysis that balances risk with speed and flexibility, results in significant competitive advantage.
This intentional proaction considers risk levels at every step in the DevOps lifecycle to determine where protective or detective controls are needed, predetermines how the desired response increases business value and reduces risk, and then iterates on properly automating that desired response. This method puts the “Sec” in DevOps, and it impacts your top line by reducing the opposition between those different operational groups and redirecting them from opposition to alignment – becoming a force multiplier in the organization.
These first steps combine to change the mindset of development and security teams to start generating new security-related features that differentiate your product from its competition. They become talking points for sales and business development teams that lead to winning highly competitive deals, because the new security features designed for your product offer a higher level of comfort and trust that you can reduce their risk compared to other vendors.
Shifting this perspective on security internally is not easy. Its scale rivals that of the shift from Waterfall to Agile. But an integrated, proactive, security-first approach to SaaS development effectively resolves nearly all the major challenges inherent in reactive security practices:
- Optimized operational effectiveness. This paradigm shift unites the development and security teams in a shared goal where development is no longer the Department of Open Permissions and security is no longer the Department of “No.” Instead, it provides a shared experience for a new SecDevOps Department to effectively decide today what tomorrow looks like. For example, prioritizing secure coding in this unified team is a baseline activity to achieve desired business outcomes.
- Reduced vulnerability. A purposeful, proactive, shared approach integrates security practices into every development and deployment decision. The resulting shared view and ownership of security prioritizes the consideration and discovery of potential vulnerabilities and helps all team members contribute to the desired business outcomes. Empowering team members with the tools and processes to contribute to this outcome reduces cybersecurity debt, as well as potential risks to your organization.
- Increased accountability. A proactive approach defines processes that distribute the ownership of security across the teams and individuals that have control over the potential vulnerabilities, thereby providing broader and deeper opportunities to prevent incidents.
- Reduced human error. Within a SecDevOps culture, proactive security measures begin much earlier in the development process, greatly reducing the number of unknown variables present upon deployment. This results in more streamlined detection and protection measurements and allows for more effective use of automation, gets releases to market faster, and improves time-to-revenue.
- Increased flexibility. With a security-first approach, organizations can expand on core security capabilities to create differentiation, plan efficient operations that will provide strategic value, and reduce friction. This results in winning competitive bids, opening new markets with streamlined paths to compliance (including FedRAMP), all serving to accelerate potential revenue growth.
- Reduced costs. By consolidating expensive and complex resources and tooling into automated, business-aligned pipelines, integrated SecDevOps both mitigates critical risk and reduces many areas of cost that emerge when fixing these issues in production.
A unified, proactive SecDevOps (i.e., security-first) model begins with a response to market conditions – the recognition that security has become a primary SaaS business driver, alongside functionality, user experience, scalability, performance, and other traditional metrics. It is also a response to today’s security landscape, in which meaningful advances are not possible without aligning development, DevOps, and security operations to proactively disrupt adversaries’ expectations – rendering your organization a difficult, and thereby unattractive, target.
Although difficult to execute, the resulting gains in both revenue and risk reduction make this transition a sound investment in your business, both for the present and into the future.
Introducing NXT1 LaunchIT: 100% Serverless, Cloud-Native Security-First Platform for Rapid SaaS Deployment and Management
NXT1 brings a new way of thinking about this problem. Learning from business drivers, uncertainty, blind spots, and the last decade of cybercrime and breach reports, we saw the need for a low touch, low-risk, security-focused enterprise SaaS delivery platform, at SMB/SME pricing.
We decided that serverless computing offers a direct path to this critical outcome. Serverless computing is not a new model. Early on, there was limited support, only a few serverless services, and the shared security model for serverless was different, resulting in misunderstandings and customer misconfigurations. Until recently, serverless services were generally considered slower and less scalable than other more traditional cloud services, and there were few example configurations and architectures to learn from and build on.
Today, serverless computing has reached a tipping point. The NXT1 team saw the game-changing value available to software vendors and created a new company to leverage the power of automated, secure, serverless cloud computing. NXT1’s LaunchIT application platform inherits and curates as many security capabilities from AWS as possible – allowing the transfer of a vast majority of risk and blind spots, plus extensive human capital, OPEX, and cyber tooling costs to AWS – automating and streamlining a vast majority of traditional, inefficient, reactive security management processes. AWS’ teams of highly skilled security engineers secure services that are regularly audited and validated by third-party auditing companies to support many compliance requirements (e.g., FedRAMP, PCI, HIPAA, SOC).
The LaunchIT Security-First Approach
LaunchIT was purpose-built to change the landscape the adversary operates in. It closes the typical gaps they exploit to compromise and breach a system. It reduces blind spots and requires adversaries to change their patterns of behavior, processes, and tooling, which increases their cyber economic cost – the money they must spend and the risk they must absorb to breach without getting caught.
LaunchIT aggregates industry and AWS documented best practices* to strategically architect simplicity, automation, availability, scalability, resiliency, protection, detection, and response capabilities directly into our PaaS and SaaS development models. The LaunchIT platform manages the following:
- Zero trust policies and policy enforcement points
- Separation of duties
- Blast radius
- Validated least privilege
- Tenant isolation
- Data discovery
- Classification and protection
- Full security and SecDevOps observability
- Semi-automated detection and response (because we don’t believe everything should be fully automated)
- Integrated threat model driven attack path analysis
- Penetration testing
- Breach and attack simulation
Each SaaS product deployed on LaunchIT simply plugs into all these tenant-specific protection, detection, and response capabilities in a serverless, cloud-native manner – and can scale across the globe in minutes with the push of a button in the LaunchIT Console. The included tenant-specific helpdesk and SOC monitoring capability can be integrated into existing systems with APIs.
Increasing Adversaries’ Cyber Economic Cost
Beyond that, LaunchIT provides features that further impede or block adversaries’ efforts, including:
- A CASB design that protects SaaS apps from common attack patterns for recon, discovery, and initial access.
- Removing the current asymmetry in cyber security by implementing strong isolation and separation of duties, meaning that adversaries will have to work much harder to exploit SaaS apps than is required for LaunchIT to detect and mitigate their attempts.
- A highly available and secured digital identity management system that reduces the risk of credential theft and increases detection of adversaries using external stolen credentials to access services.
- A secure vault where developers are required to put sensitive secrets, ensuring those secrets are not revealed even in the unlikely event an adversary uses a zero-day to access a Lambda runtime.
- Finally, AWS is responsible for all traditional vulnerability management and patching services for the underlying infrastructure supporting serverless services. LaunchIT provides services to scan, manage, and remediate your app dependencies and their vulnerabilities. It also generates a software bill of materials (SBOM) to help track and audit the dependency risk.
In short, the LaunchIT approach is to proactively remove each SaaS environment as an attractive target and thereby eliminate threats at their source. Adversaries are simply unable to live off the land in LaunchIT’s serverless environment, in which:
- Microservices spin up for a time to handle requests, then shut down.
- Lambda functions are secured and scanned, but the underlying infrastructure is managed and secured by AWS, which has a vested interest in making sure its control plane is never breached.
- AWS provides the patching of all the underlying infrastructure, so LaunchIT customers only need to patch libraries and dependencies – and those patches and post-patch testing can be automated.
- Containers do not have privileged access to the underlying hardware and are configured with a read-only (RO) root file system. The configuration only allows data to persist where you want it to, so you can manage and monitor it; this reduces your attack surface because the container’s file system can’t be written to unless permissions are specifically granted.
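As an added illustration of the last two points in the list above (the read-only root file system with writable storage only where explicitly granted, and the secure vault for secrets rather than plaintext configuration), here is a small Python audit of an ECS task definition; this is example code written for this page, not LaunchIT’s or AWS’s own tooling. The JSON keys are the ECS task-definition fields; the task definition itself is a constructed sample, and the secret-name pattern is an assumption.

```python
"""Audit an ECS task definition for container hardening: no privileged
containers, a read-only root file system, writable storage only at declared
mount points, and secrets injected from a vault rather than plaintext env.
Illustrative code written for this article; the input is a constructed sample."""
import json
import re
from typing import Any

# Assumed pattern: environment variable names that suggest a secret is being
# passed in plaintext instead of through the vault-backed "secrets" field.
SECRET_NAME_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)

# Constructed sample task definition: one weak container, one hardened container.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "demo-api",
  "containerDefinitions": [
    {
      "name": "api-weak",
      "image": "example/api:1.0",
      "privileged": true,
      "environment": [{"name": "DB_PASSWORD", "value": "PLACEHOLDER-not-a-real-secret"}]
    },
    {
      "name": "api-hardened",
      "image": "example/api:1.0",
      "privileged": false,
      "readonlyRootFilesystem": true,
      "mountPoints": [{"sourceVolume": "scratch", "containerPath": "/tmp", "readOnly": false}],
      "secrets": [{"name": "DB_PASSWORD",
                   "valueFrom": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:PLACEHOLDER"}]
    }
  ]
}
""")


def audit_container(c: dict[str, Any]) -> dict[str, Any]:
    """Check one container definition. Returns the hardening violations plus the
    writable paths an operator should expect to manage and monitor."""
    violations: list[str] = []
    writable: list[str] = []
    if c.get("privileged", False):
        violations.append("privileged container")
    if not c.get("readonlyRootFilesystem", False):
        # ECS leaves the root file system writable unless this flag is set.
        violations.append("root file system is writable")
        writable.append("/")
    for mp in c.get("mountPoints", []):
        if not mp.get("readOnly", False):
            writable.append(mp["containerPath"])  # intended, explicitly granted write path
    for env in c.get("environment", []):
        if SECRET_NAME_RE.search(env.get("name", "")):
            violations.append(f"plaintext secret in environment: {env['name']}")
    return {"name": c["name"], "violations": violations, "writable_paths": writable}


def audit_task_definition(td: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Audit every container in a task definition, keyed by container name."""
    return {c["name"]: audit_container(c) for c in td["containerDefinitions"]}


if __name__ == "__main__":
    for name, result in audit_task_definition(SAMPLE_TASK_DEF).items():
        status = "FAIL" if result["violations"] else "OK"
        print(f"{name}: {status} {result['violations']} writable={result['writable_paths']}")
```

The same check can be run against a real task definition by replacing the constructed sample with the output of `aws ecs describe-task-definition`.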
This approach thwarts many common threats and vulnerabilities, including:
- Stolen tokens and credentials
- TTPs that rely on LOTL (e.g., lateral movement techniques that rely on RDP, SSH, and SMB)
- Windows Patch Tuesday
- Most typical vulnerability management and patching tasks
- Risks from common exploits of web interfaces running on common web servers that can be vulnerable to web shells or reverse shells and credential theft, as well as the risk of malicious EC2 instances running crypto mining in your SaaS solution.
LaunchIT empowers you to build your new (or migrate your existing) product or service in a way that will take eCrime groups years to fully transition their business models, tooling, and resources to attack.
Additional Key Capabilities of LaunchIT
There’s more to the world’s first 100% serverless, cloud-native platform for secure SaaS launch and management. LaunchIT:
- Adds powerful, intuitive controls, automations, alerting, and response capabilities on top of the already impressive security capabilities of AWS.
- Manages and measures granular business costs and utilization at any point in time, enabling your team to easily optimize AWS hosting costs.
- Provides RevOps automation for subscription management, financial transactions, and renewals.
- Provides application and infrastructure observability and monitoring.
- Requires a strategically minimal amount of human involvement and protects you from cost increases in market downturns, creating harmony between top and bottom lines.
- Has a very small attack surface, but it can scale globally.
- Offers a vast number of Zero Trust policy enforcement points, but is highly scalable and performant.
- Is highly secure and easy to deploy, manage, monitor, and report.
- Provides a tremendous feature set with a simplified architecture and few resources.
- Makes enterprise deployment and management features available at SMB/SME pricing.
NXT1 LaunchIT is the developer’s platform to build and operate secure SaaS, enabling instant availability by automating cloud infrastructure management – simply code and deploy. With government-level security, comprehensive operational controls, and integrated ecommerce, LaunchIT accelerates time to revenue and reduces costs for technology startups, legacy application migrations, and more. Get started with a free trial at nxt1.cloud/go.
*For more information on AWS-documented best practices, please refer to the following external resources:
AWS Foundational Security Best Practices (FSBP) standard (v5)
AWS Well Architected Serverless SaaS lens
Best Practices for Multi-Account Management
Summary of CI/CD Best Practices
CodePipeline Best Practices and Use Cases