@CloudExpo Authors: Liz McMillan, Elizabeth White, Yeshim Deniz, Kevin Benedict, Dana Gardner

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Article

Cloud Security Series | SQL Injection and SaaS

Avoiding Common Security Attacks In SaaS Applications

Security #1 Concern for Cloud Adoption
An analysis of several CIO Surveys about cloud adoption reveals two things:

  1. There is a growing adoption of cloud computing
  2. But Security Concerns remains on top of CIO's minds

So either as a SaaS provider or a IT services provider who develops applications on PaaS platform, we should address the security concerns,  and this series of  article aims at  addressing various security concerns.

This concern is aptly shown in the study,  Courtesy ‘Microsoft : The Economics Of Cloud'.

SaaS and SQL Injection
Like other web-based systems, cloud applications are prone to most of the common web attacks ranging from:

  • Cross-Site Scripting (XSS)
  • Injection Flaws
  • Information Leakage and Improper Error Handling
  • Broken Authentication and Session Management
  • Failure to Restrict URL Access
  • Improper Data Validation
  • Insecure Communications
  • Malicious File Execution

While  most of these are common vulnerabilities found in web applications, a SQL Injection is one of the highest possibilities in a SaaS application.

SQL injection is a method of attack where an attacker can exploit vulnerable code and the type of data an application will accept, and can be exploited in any application parameter that influences a database query.

Examples include parameters within the url itself, post data, or cookie values. If successful, SQL Injection can give an attacker access to backend database contents, the ability to remotely execute system commands, or in some circumstances the means to take control of the server hosting the database.

SQL Injection In Multi Tenant Database Design
We have seen in some of the earlier posts about  multi tenant database design, that  storing the multi tenant database in the same table  segregated by the Tenant ID acting as a primary key is a valid design pattern.

For example if there is a Retail SaaS applications that allows multiple  retailers to host their products and sell them through the online SaaS Application, then the possible multi tenant table design for table that hosts all the orders could be.

Column Name


Tenant ID

Unique ID that distinguishes each tenant

Order ID

Unique Order ID per tenant

Order Total Price

Total Price Of the Order

Order Currency

Currency  in which the order is done

.... Other Order related parameters like Customer Information, Shipping Address Etc.



If the SaaS application is prone to  SQL Injection, then it is very easy for  some one logging on behalf of  One Tenant can view the orders belonging to another Client, let us see with an example.

As explained in this simple example.

  • Front end application sends the tenant id to the database calls, so that the orders belonging to that tenant can be retrieved
  • However the dynamic SQL written simply attaches the ‘tenant Id' Supplied, and returns the results
  • This could potentially lead to a situation, where a hacker who could create a dummy tenant id' with the SaaS application can pass on random tenant ID values and could view orders belong to other tenants

Common Steps to Avoid SQL Injection
Below are some generic best practices that could be utilized by any application to avoid SQL Injection.

  • Parameterized Queries: SQL Injection arises from an attacker's manipulation of query data to modify query logic. The best method of preventing SQL Injection attacks is thereby to separate the logic of a query from its data. This will prevent commands inserted from user input from being executed.
  • Validate input: The vast majority of SQL Injection checks can be prevented by properly validating user input for both type and format.
  • Stored Procedures: Consider using stored procedures. They require a very specific parameter format, which makes them less susceptible to SQL Injection attacks.

Additional Steps for SaaS Applications
Below are some additional steps  on top of  the common steps mentioned above, which could be used to prevent SQL Injection specific to SaaS cloud application.

  • Never pass the Tenant ID as a parameter to the back end queries in a open form, which will enable hackers to guess and manipulate the same, keep the Tenant ID as a hidden or internal value from the eyes of the user.
  • Do not display the internal values of Tenant ID or the Table names involved when database errors happen, rather mask the errors with generic text
  • Validate that the Tenant ID indeed belong to the particular User who has logged on before executing the query. For example if a particular user say John Doe logged on and use the SaaS application for the Tenant A, then any queries by John Doe should only retrieve records from Tenant A and should not include other tenants , this cross reference between the users and tenants are maintained in the system and should be used in all queries.
  • Enable additional controls at the database level like Virtual Private Database feature of Oracle 11g or equivalent so that even with the Injection we cannot view the values of other tenants.

Protecting tenant specific data is the ultimate goal  of the SaaS application and  hackers can use SQL Injection among all techniques  to penetrate the same and the above mentioned  techniques will prevent the SQL Injection and make the application secure and speed up the Cloud Enablement in the minds of CIOs.

More Stories By Srinivasan Sundara Rajan

Highly passionate about utilizing Digital Technologies to enable next generation enterprise. Believes in enterprise transformation through the Natives (Cloud Native & Mobile Native).

@CloudExpo Stories
SYS-CON Events announced today that Cloudbric, a leading website security provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Cloudbric is an elite full service website protection solution specifically designed for IT novices, entrepreneurs, and small and medium businesses. First launched in 2015, Cloudbric is based on the enterprise level Web Application Firewall by Penta Security Sys...
SYS-CON Events announced today that Impiger Technologies will exhibit in Booth #109 at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Impiger Technologies is a world-class, enterprise software product engineering company specializing in Mobile Application Development, Cloud Applications, Microsoft Technology Solutions, Web Technology and Telecom Services. Impiger Technologies helps enterprises improve busi...
Virgil consists of an open-source encryption library, which implements Cryptographic Message Syntax (CMS) and Elliptic Curve Integrated Encryption Scheme (ECIES) (including RSA schema), a Key Management API, and a cloud-based Key Management Service (Virgil Keys). The Virgil Keys Service consists of a public key service and a private key escrow service. 

SYS-CON Events announced today that Cemware will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Use MATLAB functions by just visiting website mathfreeon.com. MATLAB compatible, freely usable, online platform services. As of October 2016, 80,000 users from 180 countries are enjoying our platform service.
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, will discuss the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
Digitization is driving a fundamental change in society that is transforming the way businesses work with their customers, their supply chains and their people. Digital transformation leverages DevOps best practices, such as Agile Parallel Development, Continuous Delivery and Agile Operations to capitalize on opportunities and create competitive differentiation in the application economy. However, information security has been notably absent from the DevOps movement. Speed doesn’t have to negat...
SYS-CON Events announced today that eCube Systems, the leading provider of modern development tools and best practices for Continuous Integration on OpenVMS, will exhibit at SYS-CON's @DevOpsSummit at Cloud Expo New York, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. eCube Systems offers a family of middleware products and development tools that maximize return on technology investment by leveraging existing technical equity to meet evolving business needs. ...
SYS-CON Events announced today that MathFreeOn will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. MathFreeOn is Software as a Service (SaaS) used in Engineering and Math education. Write scripts and solve math problems online. MathFreeOn provides online courses for beginners or amateurs who have difficulties in writing scripts. In accordance with various mathematical topics, there are more tha...
In an era of historic innovation fueled by unprecedented access to data and technology, the low cost and risk of entering new markets has leveled the playing field for business. Today, any ambitious innovator can easily introduce a new application or product that can reinvent business models and transform the client experience. In their Day 2 Keynote at 19th Cloud Expo, Mercer Rowe, IBM Vice President of Strategic Alliances, and Raejeanne Skillern, Intel Vice President of Data Center Group and ...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
In the 21st century, security on the Internet has become one of the most important issues. We hear more and more about cyber-attacks on the websites of large corporations, banks and even small businesses. When online we’re concerned not only for our own safety but also our privacy. We have to know that hackers usually start their preparation by investigating the private information of admins – the habits, interests, visited websites and so on. On the other hand, our own security is in danger bec...
@ThingsExpo has been named the Top 5 Most Influential Internet of Things Brand by Onalytica in the ‘The Internet of Things Landscape 2015: Top 100 Individuals and Brands.' Onalytica analyzed Twitter conversations around the #IoT debate to uncover the most influential brands and individuals driving the conversation. Onalytica captured data from 56,224 users. The PageRank based methodology they use to extract influencers on a particular topic (tweets mentioning #InternetofThings or #IoT in this ...
There is growing need for data-driven applications and the need for digital platforms to build these apps. In his session at 19th Cloud Expo, Muddu Sudhakar, VP and GM of Security & IoT at Splunk, will cover different PaaS solutions and Big Data platforms that are available to build applications. In addition, AI and machine learning are creating new requirements that developers need in the building of next-gen apps. The next-generation digital platforms have some of the past platform needs a...
Join Impiger for their featured webinar: ‘Cloud Computing: A Roadmap to Modern Software Delivery’ on November 10, 2016, at 12:00 pm CST. Very few companies have not experienced some impact to their IT delivery due to the evolution of cloud computing. This webinar is not about deciding whether you should entertain moving some or all of your IT to the cloud, but rather, a detailed look under the hood to help IT professionals understand how cloud adoption has evolved and what trends will impact th...
"We've discovered that after shows 80% if leads that people get, 80% of the conversations end up on the show floor, meaning people forget about it, people forget who they talk to, people forget that there are actual business opportunities to be had here so we try to help out and keep the conversations going," explained Jeff Mesnik, Founder and President of ContentMX, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
The Internet of Things (IoT) promises to simplify and streamline our lives by automating routine tasks that distract us from our goals. This promise is based on the ubiquitous deployment of smart, connected devices that link everything from industrial control systems to automobiles to refrigerators. Unfortunately, comparatively few of the devices currently deployed have been developed with an eye toward security, and as the DDoS attacks of late October 2016 have demonstrated, this oversight can ...
Enterprises have been using both Big Data and virtualization for years. Until recently, however, most enterprises have not combined the two. Big Data's demands for higher levels of performance, the ability to control quality-of-service (QoS), and the ability to adhere to SLAs have kept it on bare metal, apart from the modern data center cloud. With recent technology innovations, we've seen the advantages of bare metal erode to such a degree that the enhanced flexibility and reduced costs that cl...
Intelligent machines are here. Robots, self-driving cars, drones, bots and many IoT devices are becoming smarter with Machine Learning. In her session at @ThingsExpo, Sudha Jamthe, CEO of IoTDisruptions.com, will discuss the next wave of business disruption at the junction of IoT and AI, impacting many industries and set to change our lives, work and world as we know it.
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, will discuss the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They will also review two "free infrastruct...
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smar...