Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Viral Trivedi
Viral Trivedi
Connect Directly
E-Mail vvv

Are Security Attestations a Necessity for SaaS Businesses?

Are security attestations becoming business imperatives, or are they merely token additions on the list of regulatory requirements?

In 2011, Silicon Valley tech gurus predicted that software will eat the world. Today, we are living in that future, as most businesses use cloud-deployed software. It's not just in marketing or finance; IT security is also awash with software-as-a-service (SaaS). For perspective, nearly 90% of organizations use SaaS apps to run their businesses.

Related Content:

11 Security Certifications to Seek Out This Summer

Special Report: Building the SOC of the Future

New From The Edge: An Interesting Approach to Cyber Insurance

SaaS tools are popular because of advantages such as faster deployment time, minimal management hassles, no upfront hardware costs, and easy scalability. However, many business customers have deep concerns regarding the security of cloud apps.

Most organizations ask potential SaaS vendors to provide their compliance credentials, and some companies decline to even sit for a demo call if a SaaS vendor is not ISO certified or SOC 2 compliant.

Vendors, especially startups, have a somewhat different perception. Most bootstrapped startups either completely gloss over security attestations or get certifications as an afterthought. This is primarily because these certifications are expensive. Startups would rather invest money on product development or customer acquisition to make a profit. This got me thinking about a few questions:

  1. Are security attestations becoming business imperatives, or are they merely token additions on the list of regulatory requirements?
  2. If they're becoming the new business norm, which security attestations are a must?
  3. How can you validate SaaS startups that claim they are secure?

To get answers to these questions, I turned to my peers in the cybersecurity industry. I talked to several experts and recently ran a poll on LinkedIn to see what they thought about this topic.

The poll is closed, but you can still add your comments.

Understanding Security Certifications
The most common security certifications are: 

  • ISO 27001 tells which specific processes, services, systems, or departments you want to protect as defined by your information security management system policy.
  • CIS Controls are a prescriptive, prioritized, and simplified set of cybersecurity best practices to help fortify your cybersecurity. You are usually required to map your CIS Controls to ISO 27001.
  • NIST offers a combination of existing standards, guidelines, and best practices. It is a prerequisite for achieving HIPAA or FISMA compliance.
  • Systems and Organizations Controls 2 (SOC 2) are criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.

CIS, NIST, and ISO 27001 are good starting points for most SaaS startups, but they don't give the complete picture of an organization's overall security posture.

For example, if you're considering buying a certified app from a SaaS vendor, you still have to do the due diligence and audit other aspects of their DevSecOps. That kind of double auditing is a little extreme in the fast-moving SaaS world. Also, these certifications are only as good as the enterprise following them outside the audit cycle. Another caution is that some certifications are symbolic of compliance. Many security leaders have been sounding the alarm that compliance doesn't guarantee security.

CIS, NIST, and ISO 27001 are great at the program level and are good, marketable endorsements; however, they often have little impact on an organization's actual security hygiene.

What is the value of being SOC 2 certified? First, it satisfies compliance with many security audits. It also assures that SaaS service providers handle users' private data securely. It's important to know that, unlike ISO 27001, SOC 2 reporting is not a certification. It's an attestation based on the examination service performed under the AICPA standards. SOC 2 offers wider coverage of your security status and meets ISO 27001 criteria by default. However, if you want ISO 27001 certification on top of SOC 2 reporting, you can do so at minimal additional cost.

There's one small catch if you are planning to get SOC 2 reporting for your organization. Most businesses think SOC 2 is the way to go for cloud security platforms. While that's true, I recommend SaaS companies become certified for SOC 2 Type 2. SOC 2 Type 1 is good when undergoing SOC 2 for the first time. But Type 1 certification won't provide the appropriate level of assurance over the operating effectiveness of controls like a SOC 2 Type 2 over the long term.

The SOC 2 Type 2 report covers security, confidentiality, availability, processing integrity, and privacy. It indicates maturity and is great for solution and service-level implementations.

From a client's standpoint, contracting with a SaaS vendor is easy if the latter can prove its SOC 2 readiness. SOC 2 attestation signals that a company is serious about handling customer data, and it attracts more customers and investors.

If you're a SaaS company evaluating SOC 2 certification, consider starting to create a strategy for implementing security controls and invest in your security awareness program. This will help you foster robust security by design without wasting time and resources.

A Final Word of Caution
Compliance is a formidable business driver; it induces trust and confidence and helps you to stand out in the highly competitive SaaS market. However, security attestations only go so far. Many companies victimized by security breaches have multiple security certifications and attestations.

Compliance and attestations alone won't protect you from a security breach if your vendor partners turn out to be the weak links in your SaaS security chain. If you want to assess the security posture of a SaaS company, talk to their security leader. Ask questions, such as:

  • Do they have a dedicated security leader or a virtual chief information security officer (vCISO)?
  • Who owns the security of their SaaS ecosystem?
  • How frequently do they perform penetration testing?
  • What is their incident response plan?

You will probably learn more about the organization's security posture from that conversation than from their SOC 2 or compliance reports.

Viral Trivedi is the Chief Business Officer at Ampcus Cyber Inc—a pure-play cybersecurity service company headquartered in Chantilly, Virginia. As a CBO at Ampcus Cyber, Viral leads many customer-facing initiatives, including market strategy, channel partner programs, ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-01-27
Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user sub...
PUBLISHED: 2023-01-27
Phicomm K2 v22.6.534.263 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function.
PUBLISHED: 2023-01-27
Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.
PUBLISHED: 2023-01-27
Phicomm K2G v22.6.3.20 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function.
PUBLISHED: 2023-01-27
Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.