CelloSaaS Security Architecture Tested with Veracode and Adheres to OWASP & NIST Web Application Security Guidelines
blog.techcello.com/2014/03/cellosaas-security-architecture-tested-with-veracode-and-adheres-owasp-nist-web-application-security-guidelines/
Cloud based multi-tenant SaaS applications are major targets for hackers and other potential threats. Hardware and software security is one of the key concerns that makes a potential customer reluctant to adopt any cloud based product. The maturity of and investment in hardware, network and datacentre security mean that the environment where applications are hosted and deployed is highly secured and tamper proof, yet analyses show that the majority of security threats lie at the application level.
Over 70% of security vulnerabilities exist in the application layer, not the network layer. - Gartner
92% of reported vulnerabilities are in applications, not in networks. - NIST
In a typical fully shared, elastic multi-tenant application, where the same instance of the application is consumed by all customers, the risk to both tenants and user data is huge if the application's security architecture does not handle security with the utmost care. The application should consider all possible security attacks at development time and be built to handle security threats coming both from the external world and from malicious internal tenants and users.
When using RBAC (Role Based Access Control), it is important to grant users only the minimum required privileges and to validate that they do not gain access to other users' or tenants' data, either accidentally or permanently. Improper authorization occurs when the access control in a web application is incorrect or missing, allowing unauthorized access to other users' data. A typical example is a less privileged user gaining access to the secured data or resources of other tenants and users.
Common Security threats
CRLF injection
Cross-site Request Forgery
Cross-site Scripting
Directory Traversal
Failure to Restrict URL Access
Insecure Cryptographic Storage
Insufficient Transport Layer Protection
LDAP Injection
Malicious Code
SQL Injection
The authentication and authorization model must be refined and made more secure in the multi-tenant cloud computing environment. The authorization system must be based on a model defining five parts (Issuer, Subject, Privilege, Interface, Object), which is generally incorporated with role-based access control (RBAC). During an authorization request, the application must use all of this information to determine whether the request is authorized and valid.
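As an added illustration, not Techcello's own code, the following Python sketch evaluates all five parts of the model above (Issuer, Subject, Privilege, Interface, Object) and applies the tenant isolation rule from the RBAC paragraph, so that even an admin of one tenant is denied another tenant's object. The issuer URL, users, roles and objects are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data standing in for a tenant directory, a role table
# and an object store; none of it comes from the Techcello product.
TRUSTED_ISSUERS = {"https://idp.example.test"}  # hypothetical identity provider
USERS = {  # subject -> owning tenant and assigned roles
    "alice": {"tenant": "tenant-a", "roles": {"viewer"}},
    "bob": {"tenant": "tenant-b", "roles": {"admin"}},
}
ROLE_PRIVILEGES = {  # role -> set of (interface, privilege) pairs it grants
    "viewer": {("InvoiceService.Get", "read")},
    "admin": {("InvoiceService.Get", "read"), ("InvoiceService.Update", "write")},
}
OBJECTS = {  # object id -> owning tenant
    "inv-100": "tenant-a",
    "inv-200": "tenant-b",
}
AUDIT_LOG: list[str] = []  # every decision is recorded, denials included


@dataclass(frozen=True)
class AuthzRequest:
    issuer: str     # who vouches for the subject (token issuer)
    subject: str    # the user making the request
    privilege: str  # the operation requested, e.g. "read" or "write"
    interface: str  # the service entry point being invoked
    obj: str        # the object the operation targets


def authorize(req: AuthzRequest) -> tuple[bool, str]:
    """Evaluate all five parts, record the decision, deny on the first failing check."""
    decision = _evaluate(req)
    AUDIT_LOG.append(f"{req.subject} {req.privilege} {req.interface} {req.obj}: {decision[1]}")
    return decision


def _evaluate(req: AuthzRequest) -> tuple[bool, str]:
    if req.issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    user = USERS.get(req.subject)
    if user is None:
        return False, "unknown subject"
    owner = OBJECTS.get(req.obj)
    if owner is None:
        return False, "unknown object"
    # Tenant isolation is checked before roles: a role granted in one tenant
    # never reaches into another tenant's data.
    if owner != user["tenant"]:
        return False, "cross-tenant access denied"
    granted = set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in user["roles"]))
    if (req.interface, req.privilege) not in granted:
        return False, "privilege not granted by role"
    return True, "allowed"
```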
What are all the effective mechanisms to avoid security threats?
Developing secured multi-tenant applications requires expertise and experience in order to build highly secured yet customizable and configurable SaaS applications. The application architecture should be equipped with techniques to counter all the major threats. Some of these techniques are:
Continuous Code Reviews during and post production
Security Audit Log & Security Scanner
Process Isolation (do not mix one user's data with another user's data)
Tenant Data Isolation
Access control Validation
Client/Server Validation
URL Security
Service Level Security
Data Encryption (encrypting secured data at rest and in transit)
If only 50% of software vulnerabilities were removed prior to production, costs would be reduced by 75%. - Gartner
The cost of fixing a bug in the field is $30,000 vs $5,000 during coding. - NIST
How Techcello security is highly secured
Techcello is a .NET based multi-tenant application development framework built with all of these core techniques in mind, to make sure that applications built or migrated using Techcello are not compromised by any of these security issues. To prove this, Techcello has been rigorously tested with Veracode, a pioneer in web application security, including static code analysis of compiled binary executables, dynamic web application analysis, manual penetration testing and source code review. This security analysis confirms that Techcello's security framework adheres to the OWASP Top 10 security threats and NIST security guidelines, and it received a score of 98 points for the application tier.
Click here to request the Veracode security audit report.