Welcome!

@CloudExpo Authors: Kevin Benedict, Liz McMillan, Lori MacVittie, Elizabeth White, Pat Romanski

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Article

Cloud Security Series | SQL Injection and SaaS

Avoiding Common Security Attacks In SaaS Applications

Security #1 Concern for Cloud Adoption
An analysis of several CIO Surveys about cloud adoption reveals two things:

  1. There is a growing adoption of cloud computing
  2. But Security Concerns remains on top of CIO's minds

So either as a SaaS provider or a IT services provider who develops applications on PaaS platform, we should address the security concerns,  and this series of  article aims at  addressing various security concerns.

This concern is aptly shown in the study,  Courtesy ‘Microsoft : The Economics Of Cloud'.

SaaS and SQL Injection
Like other web-based systems, cloud applications are prone to most of the common web attacks ranging from:

  • Cross-Site Scripting (XSS)
  • Injection Flaws
  • Information Leakage and Improper Error Handling
  • Broken Authentication and Session Management
  • Failure to Restrict URL Access
  • Improper Data Validation
  • Insecure Communications
  • Malicious File Execution

While  most of these are common vulnerabilities found in web applications, a SQL Injection is one of the highest possibilities in a SaaS application.

SQL injection is a method of attack where an attacker can exploit vulnerable code and the type of data an application will accept, and can be exploited in any application parameter that influences a database query.

Examples include parameters within the url itself, post data, or cookie values. If successful, SQL Injection can give an attacker access to backend database contents, the ability to remotely execute system commands, or in some circumstances the means to take control of the server hosting the database.

SQL Injection In Multi Tenant Database Design
We have seen in some of the earlier posts about  multi tenant database design, that  storing the multi tenant database in the same table  segregated by the Tenant ID acting as a primary key is a valid design pattern.

For example if there is a Retail SaaS applications that allows multiple  retailers to host their products and sell them through the online SaaS Application, then the possible multi tenant table design for table that hosts all the orders could be.

Column Name

Description

Tenant ID

Unique ID that distinguishes each tenant

Order ID

Unique Order ID per tenant

Order Total Price

Total Price Of the Order

Order Currency

Currency  in which the order is done

.... Other Order related parameters like Customer Information, Shipping Address Etc.

 

 

If the SaaS application is prone to  SQL Injection, then it is very easy for  some one logging on behalf of  One Tenant can view the orders belonging to another Client, let us see with an example.

As explained in this simple example.

  • Front end application sends the tenant id to the database calls, so that the orders belonging to that tenant can be retrieved
  • However the dynamic SQL written simply attaches the ‘tenant Id' Supplied, and returns the results
  • This could potentially lead to a situation, where a hacker who could create a dummy tenant id' with the SaaS application can pass on random tenant ID values and could view orders belong to other tenants

Common Steps to Avoid SQL Injection
Below are some generic best practices that could be utilized by any application to avoid SQL Injection.

  • Parameterized Queries: SQL Injection arises from an attacker's manipulation of query data to modify query logic. The best method of preventing SQL Injection attacks is thereby to separate the logic of a query from its data. This will prevent commands inserted from user input from being executed.
  • Validate input: The vast majority of SQL Injection checks can be prevented by properly validating user input for both type and format.
  • Stored Procedures: Consider using stored procedures. They require a very specific parameter format, which makes them less susceptible to SQL Injection attacks.

Additional Steps for SaaS Applications
Below are some additional steps  on top of  the common steps mentioned above, which could be used to prevent SQL Injection specific to SaaS cloud application.

  • Never pass the Tenant ID as a parameter to the back end queries in a open form, which will enable hackers to guess and manipulate the same, keep the Tenant ID as a hidden or internal value from the eyes of the user.
  • Do not display the internal values of Tenant ID or the Table names involved when database errors happen, rather mask the errors with generic text
  • Validate that the Tenant ID indeed belong to the particular User who has logged on before executing the query. For example if a particular user say John Doe logged on and use the SaaS application for the Tenant A, then any queries by John Doe should only retrieve records from Tenant A and should not include other tenants , this cross reference between the users and tenants are maintained in the system and should be used in all queries.
  • Enable additional controls at the database level like Virtual Private Database feature of Oracle 11g or equivalent so that even with the Injection we cannot view the values of other tenants.

Summary
Protecting tenant specific data is the ultimate goal  of the SaaS application and  hackers can use SQL Injection among all techniques  to penetrate the same and the above mentioned  techniques will prevent the SQL Injection and make the application secure and speed up the Cloud Enablement in the minds of CIOs.

More Stories By Srinivasan Sundara Rajan

Highly passionate about utilizing Digital Technologies to enable next generation enterprise. Believes in enterprise transformation through the Natives (Cloud Native & Mobile Native).

@CloudExpo Stories
Extracting business value from Internet of Things (IoT) data doesn’t happen overnight. There are several requirements that must be satisfied, including IoT device enablement, data analysis, real-time detection of complex events and automated orchestration of actions. Unfortunately, too many companies fall short in achieving their business goals by implementing incomplete solutions or not focusing on tangible use cases. In his general session at @ThingsExpo, Dave McCarthy, Director of Products...
Amazon has gradually rolled out parts of its IoT offerings in the last year, but these are just the tip of the iceberg. In addition to optimizing their back-end AWS offerings, Amazon is laying the ground work to be a major force in IoT – especially in the connected home and office. Amazon is extending its reach by building on its dominant Cloud IoT platform, its Dash Button strategy, recently announced Replenishment Services, the Echo/Alexa voice recognition control platform, the 6-7 strategic...
Aspose.Total for .NET is the most complete package of all file format APIs for .NET as offered by Aspose. It empowers developers to create, edit, render, print and convert between a wide range of popular document formats within any .NET, C#, ASP.NET and VB.NET applications. Aspose compiles all .NET APIs on a daily basis to ensure that it contains the most up to date versions of each of Aspose .NET APIs. If a new .NET API or a new version of existing APIs is released during the subscription peri...
Verizon Communications Inc. (NYSE, Nasdaq: VZ) and Yahoo! Inc. (Nasdaq: YHOO) have entered into a definitive agreement under which Verizon will acquire Yahoo's operating business for approximately $4.83 billion in cash, subject to customary closing adjustments. Yahoo informs, connects and entertains a global audience of more than 1 billion monthly active users** -- including 600 million monthly active mobile users*** through its search, communications and digital content products. Yahoo also co...
Ixia (Nasdaq: XXIA) has announced that NoviFlow Inc.has deployed IxNetwork® to validate the company’s designs and accelerate the delivery of its proven, reliable products. Based in Montréal, NoviFlow Inc. supports network carriers, hyperscale data center operators, and enterprises seeking greater network control and flexibility, network scalability, and the capacity to handle extremely large numbers of flows, while maintaining maximum network performance. To meet these requirements, NoviFlow in...
As companies gain momentum, the need to maintain high quality products can outstrip their development team’s bandwidth for QA. Building out a large QA team (whether in-house or outsourced) can slow down development and significantly increases costs. This eBook takes QA profiles from 5 companies who successfully scaled up production without building a large QA team and includes: What to consider when choosing CI/CD tools How culture and communication can make or break implementation
"There's a growing demand from users for things to be faster. When you think about all the transactions or interactions users will have with your product and everything that is between those transactions and interactions - what drives us at Catchpoint Systems is the idea to measure that and to analyze it," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York Ci...
Redis is not only the fastest database, but it is the most popular among the new wave of databases running in containers. Redis speeds up just about every data interaction between your users or operational systems. In his session at 19th Cloud Expo, Dave Nielsen, Developer Advocate, Redis Labs, will share the functions and data structures used to solve everyday use cases that are driving Redis' popularity.
UpGuard has become a member of the Center for Internet Security (CIS), and will continue to help businesses expand visibility into their cyber risk by providing hardening benchmarks to all customers. By incorporating these benchmarks, UpGuard's CSTAR solution builds on its lead in providing the most complete assessment of both internal and external cyber risk. CIS benchmarks are a widely accepted set of hardening guidelines that have been publicly available for years. Numerous solutions exist t...
Choosing the right cloud for your workloads is a balancing act that can cost your organization time, money and aggravation - unless you get it right the first time. Economics, speed, performance, accessibility, administrative needs and security all play a vital role in dictating your approach to the cloud. Without knowing the right questions to ask, you could wind up paying for capacity you'll never need or underestimating the resources required to run your applications.
SYS-CON Events announced today that LeaseWeb USA, a cloud Infrastructure-as-a-Service (IaaS) provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LeaseWeb is one of the world's largest hosting brands. The company helps customers define, develop and deploy IT infrastructure tailored to their exact business needs, by combining various kinds cloud solutions.
Adding public cloud resources to an existing application can be a daunting process. The tools that you currently use to manage the software and hardware outside the cloud aren’t always the best tools to efficiently grow into the cloud. All of the major configuration management tools have cloud orchestration plugins that can be leveraged, but there are also cloud-native tools that can dramatically improve the efficiency of managing your application lifecycle. In his session at 18th Cloud Expo, ...
The competitive landscape of the global cloud computing market in the healthcare industry is crowded due to the presence of a large number of players. The large number of participants has led to the fragmented nature of the market. Some of the major players operating in the global cloud computing market in the healthcare industry are Cisco Systems Inc., Carestream Health Inc., Carecloud Corp., AGFA Healthcare, IBM Corp., Cleardata Networks, Merge Healthcare Inc., Microsoft Corp., Intel Corp., an...
SYS-CON Events announced today the Kubernetes and Google Container Engine Workshop, being held November 3, 2016, in conjunction with @DevOpsSummit at 19th Cloud Expo at the Santa Clara Convention Center in Santa Clara, CA. This workshop led by Sebastian Scheele introduces participants to Kubernetes and Google Container Engine (GKE). Through a combination of instructor-led presentations, demonstrations, and hands-on labs, students learn the key concepts and practices for deploying and maintainin...
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder and Chairman of Alfresco, described how to scale cloud-based content management repositories to store, manage, and retrieve billions of documents and related information with fast and linear scalability. He addres...
Is your aging software platform suffering from technical debt while the market changes and demands new solutions at a faster clip? It’s a bold move, but you might consider walking away from your core platform and starting fresh. ReadyTalk did exactly that. In his General Session at 19th Cloud Expo, Michael Chambliss, Head of Engineering at ReadyTalk, will discuss why and how ReadyTalk diverted from healthy revenue and over a decade of audio conferencing product development to start an innovati...
Ovum, a leading technology analyst firm, has published an in-depth report, Ovum Decision Matrix: Selecting a DevOps Release Management Solution, 2016–17. The report focuses on the automation aspects of DevOps, Release Management and compares solutions from the leading vendors.
Continuous testing helps bridge the gap between developing quickly and maintaining high quality products. But to implement continuous testing, CTOs must take a strategic approach to building a testing infrastructure and toolset that empowers their team to move fast. Download our guide to laying the groundwork for a scalable continuous testing strategy.
SYS-CON Events announced today that Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity – cryptographic keys and digital certificates – so they can’t be misused by bad guys in attacks...
SYS-CON Events announced today that 910Telecom will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Housed in the classic Denver Gas & Electric Building, 910 15th St., 910Telecom is a carrier-neutral telecom hotel located in the heart of Denver. Adjacent to CenturyLink, AT&T, and Denver Main, 910Telecom offers connectivity to all major carriers, Internet service providers, Internet backbones and ...