Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Viral Trivedi
Viral Trivedi
Connect Directly
E-Mail vvv

Are Security Attestations a Necessity for SaaS Businesses?

Are security attestations becoming business imperatives, or are they merely token additions on the list of regulatory requirements?

In 2011, Silicon Valley tech gurus predicted that software will eat the world. Today, we are living in that future, as most businesses use cloud-deployed software. It's not just in marketing or finance; IT security is also awash with software-as-a-service (SaaS). For perspective, nearly 90% of organizations use SaaS apps to run their businesses.

Related Content:

11 Security Certifications to Seek Out This Summer

Special Report: Building the SOC of the Future

New From The Edge: An Interesting Approach to Cyber Insurance

SaaS tools are popular because of advantages such as faster deployment time, minimal management hassles, no upfront hardware costs, and easy scalability. However, many business customers have deep concerns regarding the security of cloud apps.

Most organizations ask potential SaaS vendors to provide their compliance credentials, and some companies decline to even sit for a demo call if a SaaS vendor is not ISO certified or SOC 2 compliant.

Vendors, especially startups, have a somewhat different perception. Most bootstrapped startups either completely gloss over security attestations or get certifications as an afterthought. This is primarily because these certifications are expensive. Startups would rather invest money on product development or customer acquisition to make a profit. This got me thinking about a few questions:

  1. Are security attestations becoming business imperatives, or are they merely token additions on the list of regulatory requirements?
  2. If they're becoming the new business norm, which security attestations are a must?
  3. How can you validate SaaS startups that claim they are secure?

To get answers to these questions, I turned to my peers in the cybersecurity industry. I talked to several experts and recently ran a poll on LinkedIn to see what they thought about this topic.

The poll is closed, but you can still add your comments.

Understanding Security Certifications
The most common security certifications are: 

  • ISO 27001 tells which specific processes, services, systems, or departments you want to protect as defined by your information security management system policy.
  • CIS Controls are a prescriptive, prioritized, and simplified set of cybersecurity best practices to help fortify your cybersecurity. You are usually required to map your CIS Controls to ISO 27001.
  • NIST offers a combination of existing standards, guidelines, and best practices. It is a prerequisite for achieving HIPAA or FISMA compliance.
  • Systems and Organizations Controls 2 (SOC 2) are criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.

CIS, NIST, and ISO 27001 are good starting points for most SaaS startups, but they don't give the complete picture of an organization's overall security posture.

For example, if you're considering buying a certified app from a SaaS vendor, you still have to do the due diligence and audit other aspects of their DevSecOps. That kind of double auditing is a little extreme in the fast-moving SaaS world. Also, these certifications are only as good as the enterprise following them outside the audit cycle. Another caution is that some certifications are symbolic of compliance. Many security leaders have been sounding the alarm that compliance doesn't guarantee security.

CIS, NIST, and ISO 27001 are great at the program level and are good, marketable endorsements; however, they often have little impact on an organization's actual security hygiene.

What is the value of being SOC 2 certified? First, it satisfies compliance with many security audits. It also assures that SaaS service providers handle users' private data securely. It's important to know that, unlike ISO 27001, SOC 2 reporting is not a certification. It's an attestation based on the examination service performed under the AICPA standards. SOC 2 offers wider coverage of your security status and meets ISO 27001 criteria by default. However, if you want ISO 27001 certification on top of SOC 2 reporting, you can do so at minimal additional cost.

There's one small catch if you are planning to get SOC 2 reporting for your organization. Most businesses think SOC 2 is the way to go for cloud security platforms. While that's true, I recommend SaaS companies become certified for SOC 2 Type 2. SOC 2 Type 1 is good when undergoing SOC 2 for the first time. But Type 1 certification won't provide the appropriate level of assurance over the operating effectiveness of controls like a SOC 2 Type 2 over the long term.

The SOC 2 Type 2 report covers security, confidentiality, availability, processing integrity, and privacy. It indicates maturity and is great for solution and service-level implementations.

From a client's standpoint, contracting with a SaaS vendor is easy if the latter can prove its SOC 2 readiness. SOC 2 attestation signals that a company is serious about handling customer data, and it attracts more customers and investors.

If you're a SaaS company evaluating SOC 2 certification, consider starting to create a strategy for implementing security controls and invest in your security awareness program. This will help you foster robust security by design without wasting time and resources.

A Final Word of Caution
Compliance is a formidable business driver; it induces trust and confidence and helps you to stand out in the highly competitive SaaS market. However, security attestations only go so far. Many companies victimized by security breaches have multiple security certifications and attestations.

Compliance and attestations alone won't protect you from a security breach if your vendor partners turn out to be the weak links in your SaaS security chain. If you want to assess the security posture of a SaaS company, talk to their security leader. Ask questions, such as:

  • Do they have a dedicated security leader or a virtual chief information security officer (vCISO)?
  • Who owns the security of their SaaS ecosystem?
  • How frequently do they perform penetration testing?
  • What is their incident response plan?

You will probably learn more about the organization's security posture from that conversation than from their SOC 2 or compliance reports.

Viral Trivedi is the Chief Business Officer at Ampcus Cyber Inc—a pure-play cybersecurity service company headquartered in Chantilly, Virginia. As a CBO at Ampcus Cyber, Viral leads many customer-facing initiatives, including market strategy, channel partner programs, ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file