Saturday, June 06, 2009

eWeek hypes "secure" SaaS without checking the facts

In an article called SaaS Proof Points, eWeek put on the blinders and jumped on the bandwagon declaring such SaaS wisdom as "not only have modern SAAS applications assuaged security concerns, but the SAAS model itself is seen by some as the most secure approach to handling data".
What!? Wow.
Add to that the well-intended declaration of SaaS neophyte Kimberly Rogers of Santander Consumer USA, while detailing her company's use of Service-now.com. Rogers, who had never worked with a SaaS-based application before, added that "security can be as tight as you want it to be." Noting such blind faith from a Service-now.com user I was motivated to take a closer look at the provider.
Kimberly, respectfully, you are making a dangerous assumption.
Putting on my bad guy hat for a second, if I can entice you to click a link in a targeted, specially crafted email (phishing), that in turn executes JavaScript in the context of Service-now.com (cross-site scripting) and returns the cookie you use for authentication to Service-now.com (credential theft), is it still reasonable to assume that "security can be as tight as you want it to be"?
I think not.
Service-now.com suffered from a cross-site scripting (XSS) vulnerability that allowed cookie theft and other XSS fun such as frame defacement.

Before XSS:


After XSS:


Please note that Service-now.com responded to my advisory and made repairs in a reasonable amount of time, all the while communicating admirably.
That said, if SaaS providers don't ratchet down hard on their basic web application security, silly yet valuable data spills such as described above will continue to prevail unabated.
If trade publications continue to publish hype rather than balanced facts I must assume that data breaches and provider shortcomings will continue to be commonplace as said providers won't be held to a higher standard.

When StrongWebmail fell so readily to an XSS vulnerability this past week (well done Lance, Mike, and Aviv), I simply shook my head in dismay. Are service providers so blind as to not consider the holistic security view before putting 10k on the line?
That was a rhetorical question.
Answer? Obviously.

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

No comments: