What is SaaS penetration testing?
In most cases, a SaaS pentest combines a regular web application pentest with an API pentest. SaaS (software as a service) products are often relatively complex platforms, frequently with more than three user groups, multi-tenancy and a wealth of complex functions. This added software complexity is one reason security vulnerabilities creep in; another is that entire teams of developers work on such projects. A SaaS pentest is designed to test the platform extensively: every user role and every tenant is tested individually, and the communication between the individual components is also put through its paces.
Another challenge for operators of SaaS applications is compliance. A penetration test helps to meet the requirements of, for example, ISO 27001 or SOC 2, as well as industry-specific standards.
SaaS Pentest: Real attack scenarios
In our SaaS penetration tests, we stay as close as possible to real attack scenarios. We take the role of an attacker who has already gained access (for example with a regular user account) and from there primarily try to extend our rights, to access the data of other users and tenants, and/or to take over the server and then use it as a starting point for attacks on the internal network.
SaaS Pentest: Does automatic pentesting make sense?
Automated methods are always part of a penetration test. But one thing is clear: a real penetration test is always a manual test, carried out by an experienced pentest provider. With SaaS platforms in particular, the complexity quickly overwhelms automated tools. They also cannot recognize the security-relevant relationships buried in that complexity, for example which role is supposed to see which tenant's data. Automated testing of authentication and authorization is often not possible at all. An automated test can therefore only be a supplement, never a replacement for a manual test.
"DSecured itself operates two SaaS platforms - we know from experience how interesting something like this is for hackers and competitors."
Damian Strobel - Founder of DSecured
Do you want to know if your SaaS platform is really secure?
How much does a SaaS penetration test cost?
SaaS platforms are often very complex software products. The costs for one vary greatly and depend on the following points, among others:
- Number of user roles
- Complexity of the platform
- Number of tenants
- Number and type of interfaces
A SaaS penetration test is therefore often more expensive than a normal web application penetration test.
It is quite realistic to expect costs starting at 7,500 euros. However, the costs can quickly reach 20,000 euros or more.
We would be happy to give you a much more precise estimate of the costs in a free initial consultation.
Contact us today to protect your SaaS platform!
Focus areas for SaaS penetration testing
From a tester's perspective, it is important to first understand the SaaS platform. This often starts with the official API documentation; we study all available documents before the actual test begins. For an efficient SaaS pentest, it is important to understand how many user groups there are and how they differ, and the same applies at tenant and admin level. In a black box SaaS pentest, we also try to work out the architecture behind the system and whether it is theoretically possible to turn a normal user into an administrator of another tenant.
A structured search for classic security gaps (including the OWASP Top 10) then follows, performed manually and automatically from the perspective of a guest and of every available user group. Security gaps and vulnerabilities are documented and rated. As a rule, we also try to chain less critical findings in such a way that we can demonstrate serious impact; XSS, open redirects and CSRF problems are typical building blocks for such chains.
Most SaaS platforms we see are built on top of Laravel, Django or .NET. We keep this in mind and check framework- and language-specific issues as well.
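The role and tenant enumeration described above, and the user-rights and IDOR problems mentioned in the FAQ further down, boil down to one systematic check: call every object-returning endpoint as every identity (guest, each role, each tenant) and compare what comes back with the intended policy. The following is an added example written for this page, not DSecured's tooling or any real client's code. It models a small multi-tenant API in memory (constructed sample data: two tenants, three user groups, sequential invoice IDs) with a vulnerable lookup that only checks authentication beside a hardened, tenant-scoped one, and an access-matrix checker that reports every cross-tenant and same-tenant IDOR the vulnerable version exposes. All names (`Identity`, `Invoice`, `get_invoice_vulnerable`, `get_invoice_hardened`, `access_matrix_violations`) are hypothetical.

```python
"""Role/tenant access-matrix check for a multi-tenant SaaS API (added example).

Constructed, in-memory stand-in for a SaaS backend: two tenants, three user
groups, a vulnerable object lookup and a hardened one, and a checker that
exercises every object ID from every identity and flags accesses the
intended policy forbids. Names and data are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    name: str
    tenant: Optional[str]  # None for an unauthenticated guest
    role: str              # "guest", "user" or "tenant_admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    tenant: str
    owner: str   # username of the user who created it
    amount: int


# Constructed sample data: sequential, guessable IDs across two tenants.
INVOICES = {
    1: Invoice(1, "acme", "alice", 1200),
    2: Invoice(2, "acme", "anna", 300),
    3: Invoice(3, "globex", "bob", 9800),
}

# One identity per user group the tester has access to, plus a guest.
IDENTITIES = [
    Identity("guest", None, "guest"),
    Identity("alice", "acme", "user"),
    Identity("anna", "acme", "tenant_admin"),
    Identity("bob", "globex", "user"),
]


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(who: Identity, invoice_id: int) -> Invoice:
    """Typical IDOR: authentication is checked, authorization is not.
    Any logged-in user can read any invoice of any tenant."""
    if who.role == "guest":
        raise Forbidden("login required")
    return INVOICES[invoice_id]  # no tenant or owner check


def get_invoice_hardened(who: Identity, invoice_id: int) -> Invoice:
    """Tenant-scoped lookup: the invoice must belong to the caller's tenant,
    and within the tenant a plain user may only read their own invoices."""
    if who.role == "guest":
        raise Forbidden("login required")
    inv = INVOICES.get(invoice_id)
    # Foreign-tenant objects are reported as "not found", not "forbidden",
    # so a caller cannot use the status code to enumerate other tenants' IDs.
    if inv is None or inv.tenant != who.tenant:
        raise KeyError(invoice_id)
    if who.role != "tenant_admin" and inv.owner != who.name:
        raise Forbidden("not your invoice")
    return inv


def allowed_by_policy(who: Identity, inv: Invoice) -> bool:
    """The intended policy, written independently of the endpoint code."""
    if who.role == "guest" or inv.tenant != who.tenant:
        return False
    return who.role == "tenant_admin" or inv.owner == who.name


def access_matrix_violations(
    endpoint: Callable[[Identity, int], Invoice]
) -> List[Tuple[str, int, str]]:
    """Call endpoint as every identity for every known object ID and return
    (identity, invoice_id, kind) for each result that contradicts the policy:
    'unauthenticated', 'cross_tenant', 'same_tenant_idor' for excess access,
    'denied_legit' when a permitted access is wrongly refused."""
    violations = []
    for who in IDENTITIES:
        for invoice_id, inv in INVOICES.items():
            try:
                endpoint(who, invoice_id)
                got = True
            except (Forbidden, KeyError):
                got = False
            allowed = allowed_by_policy(who, inv)
            if got and not allowed:
                if who.role == "guest":
                    kind = "unauthenticated"
                elif inv.tenant != who.tenant:
                    kind = "cross_tenant"
                else:
                    kind = "same_tenant_idor"
                violations.append((who.name, invoice_id, kind))
            elif allowed and not got:
                violations.append((who.name, invoice_id, "denied_legit"))
    return violations


if __name__ == "__main__":
    for label, ep in (("vulnerable", get_invoice_vulnerable),
                      ("hardened", get_invoice_hardened)):
        print(label, access_matrix_violations(ep))
```

Against a real target the same loop is driven with one captured session per role and tenant and a list of object IDs harvested from each session's own responses; the interesting findings are exactly the `cross_tenant` and `same_tenant_idor` rows, while `denied_legit` rows show where a fix has broken legitimate access.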
Further questions and answers on the topic "SaaS penetration testing"
What problems are found during a SaaS pentest?
In general, you will see all the security vulnerabilities that also occur in a web pentest; the decisive factor is rather which framework was used, if any. SQL injections and code injections are quite rare, but they do occur time and again. Problems with user rights and IDORs (insecure direct object references) are much more common.
What can we do to prevent our production environment from being compromised?
Quite simply: the entire system is mirrored on a test server, where it can be tested extensively without risk. Even better, demo data is used, so the tester has no access to real sensitive data.
We only want to test a specific component of our SaaS - is that possible?
Of course. This can be discussed during scoping.
How long does a complete SaaS penetration test usually take?
A SaaS platform can be very small but also incredibly large and complex. Accordingly, a test can take 3-4 days or 2-3 weeks; it depends on the size and complexity.
Get a SaaS Pentest quote