Click here to close now.

Welcome!

@CloudExpo Authors: Carmen Gonzalez, Elizabeth White, Tom Lounibos, Wayne Lam, Pat Romanski

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Article

Cloud Security Series | SQL Injection and SaaS

Avoiding Common Security Attacks In SaaS Applications

Security #1 Concern for Cloud Adoption
An analysis of several CIO Surveys about cloud adoption reveals two things:

  1. There is a growing adoption of cloud computing
  2. But Security Concerns remains on top of CIO's minds

So either as a SaaS provider or a IT services provider who develops applications on PaaS platform, we should address the security concerns,  and this series of  article aims at  addressing various security concerns.

This concern is aptly shown in the study,  Courtesy ‘Microsoft : The Economics Of Cloud'.

SaaS and SQL Injection
Like other web-based systems, cloud applications are prone to most of the common web attacks ranging from:

  • Cross-Site Scripting (XSS)
  • Injection Flaws
  • Information Leakage and Improper Error Handling
  • Broken Authentication and Session Management
  • Failure to Restrict URL Access
  • Improper Data Validation
  • Insecure Communications
  • Malicious File Execution

While  most of these are common vulnerabilities found in web applications, a SQL Injection is one of the highest possibilities in a SaaS application.

SQL injection is a method of attack where an attacker can exploit vulnerable code and the type of data an application will accept, and can be exploited in any application parameter that influences a database query.

Examples include parameters within the url itself, post data, or cookie values. If successful, SQL Injection can give an attacker access to backend database contents, the ability to remotely execute system commands, or in some circumstances the means to take control of the server hosting the database.

SQL Injection In Multi Tenant Database Design
We have seen in some of the earlier posts about  multi tenant database design, that  storing the multi tenant database in the same table  segregated by the Tenant ID acting as a primary key is a valid design pattern.

For example if there is a Retail SaaS applications that allows multiple  retailers to host their products and sell them through the online SaaS Application, then the possible multi tenant table design for table that hosts all the orders could be.

Column Name

Description

Tenant ID

Unique ID that distinguishes each tenant

Order ID

Unique Order ID per tenant

Order Total Price

Total Price Of the Order

Order Currency

Currency  in which the order is done

.... Other Order related parameters like Customer Information, Shipping Address Etc.

 

 

If the SaaS application is prone to  SQL Injection, then it is very easy for  some one logging on behalf of  One Tenant can view the orders belonging to another Client, let us see with an example.

As explained in this simple example.

  • Front end application sends the tenant id to the database calls, so that the orders belonging to that tenant can be retrieved
  • However the dynamic SQL written simply attaches the ‘tenant Id' Supplied, and returns the results
  • This could potentially lead to a situation, where a hacker who could create a dummy tenant id' with the SaaS application can pass on random tenant ID values and could view orders belong to other tenants

Common Steps to Avoid SQL Injection
Below are some generic best practices that could be utilized by any application to avoid SQL Injection.

  • Parameterized Queries: SQL Injection arises from an attacker's manipulation of query data to modify query logic. The best method of preventing SQL Injection attacks is thereby to separate the logic of a query from its data. This will prevent commands inserted from user input from being executed.
  • Validate input: The vast majority of SQL Injection checks can be prevented by properly validating user input for both type and format.
  • Stored Procedures: Consider using stored procedures. They require a very specific parameter format, which makes them less susceptible to SQL Injection attacks.

Additional Steps for SaaS Applications
Below are some additional steps  on top of  the common steps mentioned above, which could be used to prevent SQL Injection specific to SaaS cloud application.

  • Never pass the Tenant ID as a parameter to the back end queries in a open form, which will enable hackers to guess and manipulate the same, keep the Tenant ID as a hidden or internal value from the eyes of the user.
  • Do not display the internal values of Tenant ID or the Table names involved when database errors happen, rather mask the errors with generic text
  • Validate that the Tenant ID indeed belong to the particular User who has logged on before executing the query. For example if a particular user say John Doe logged on and use the SaaS application for the Tenant A, then any queries by John Doe should only retrieve records from Tenant A and should not include other tenants , this cross reference between the users and tenants are maintained in the system and should be used in all queries.
  • Enable additional controls at the database level like Virtual Private Database feature of Oracle 11g or equivalent so that even with the Injection we cannot view the values of other tenants.

Summary
Protecting tenant specific data is the ultimate goal  of the SaaS application and  hackers can use SQL Injection among all techniques  to penetrate the same and the above mentioned  techniques will prevent the SQL Injection and make the application secure and speed up the Cloud Enablement in the minds of CIOs.

More Stories By Srinivasan Sundara Rajan

Srinivasan is passionate about ownership and driving things on his own, with his breadth and depth on Enterprise Technology he could run any aspect of IT Industry and make it a success.

He is a seasoned Enterprise IT Expert, mainly in the areas of Solution, Integration and Architecture, across Structured, Unstructured data sources, especially in manufacturing domain.

He currently works as Technology Head For GAVS Technologies.

@CloudExpo Stories
DevOps Summit, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development...
SYS-CON Events announced today that Harbinger Systems will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Harbinger Systems is a global company providing software technology services. Since 1990, Harbinger has developed a strong customer base worldwide. Its customers include software product companies ranging from hi-tech start-ups in Silicon Valley to leading product companies in the US a...
Containers have changed the mind of IT in DevOps. They enable developers to work with dev, test, stage and production environments identically. Containers provide the right abstraction for microservices and many cloud platforms have integrated them into deployment pipelines. DevOps and Containers together help companies to achieve their business goals faster and more effectively. In his session at DevOps Summit, Ruslan Synytsky, CEO and Co-founder of Jelastic, reviewed the current landscape of...
The enterprise market will drive IoT device adoption over the next five years. In his session at @ThingsExpo, John Greenough, an analyst at BI Intelligence, division of Business Insider, analyzed how companies will adopt IoT products and the associated cost of adopting those products. John Greenough is the lead analyst covering the Internet of Things for BI Intelligence- Business Insider’s paid research service. Numerous IoT companies have cited his analysis of the IoT. Prior to joining BI In...
"ciqada is a combined platform of hardware modules and server products that lets people take their existing devices or new devices and lets them be accessible over the Internet for their users," noted Geoff Engelstein of ciqada, a division of Mars International, in this SYS-CON.tv interview at @ThingsExpo, held June 9-11, 2015, at the Javits Center in New York City.
SYS-CON Events announced today that Secure Infrastructure & Services will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Secure Infrastructure & Services (SIAS) is a managed services provider of cloud computing solutions for the IBM Power Systems market. The company helps mid-market firms built on IBM hardware platforms to deploy new levels of reliable and cost-effective computing and hig...
Live Webinar with 451 Research Analyst Peter Christy. Join us on Wednesday July 22, 2015, at 10 am PT / 1 pm ET In a world where users are on the Internet and the applications are in the cloud, how do you maintain your historic SLA with your users? Peter Christy, Research Director, Networks at 451 Research, will discuss this new network paradigm, one in which there is no LAN and no WAN, and discuss what users and network administrators gain and give up when migrating to the agile world of clo...
DevOps is about increasing efficiency, but nothing is more inefficient than building the same application twice. However, this is a routine occurrence with enterprise applications that need both a rich desktop web interface and strong mobile support. With recent technological advances from Isomorphic Software and others, it is now feasible to create a rich desktop and tuned mobile experience with a single codebase, without compromising performance or usability.
Containers are revolutionizing the way we deploy and maintain our infrastructures, but monitoring and troubleshooting in a containerized environment can still be painful and impractical. Understanding even basic resource usage is difficult – let alone tracking network connections or malicious activity. In his session at DevOps Summit, Gianluca Borello, Sr. Software Engineer at Sysdig, will cover the current state of the art for container monitoring and visibility, including pros / cons and liv...
SYS-CON Media announced today that CloudBees, the Jenkins Enterprise company, has launched ad campaigns on SYS-CON's DevOps Journal. CloudBees' campaigns focus on the business value of Continuous Delivery and how it has been recognized as a game changer for IT and is now a top priority for organizations, and the best ways to optimize Jenkins to ensure your continuous integration environment is optimally configured.
The 4th International Internet of @ThingsExpo, co-located with the 17th International Cloud Expo - to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA - announces that its Call for Papers is open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than
SYS-CON Events announced today that ProfitBricks, the provider of painless cloud infrastructure, will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. ProfitBricks is the IaaS provider that offers a painless cloud experience for all IT users, with no learning curve. ProfitBricks boasts flexible cloud servers and networking, an integrated Data Center Designer tool for visual control over the...
The most often asked question post-DevOps introduction is: “How do I get started?” There’s plenty of information on why DevOps is valid and important, but many managers still struggle with simple basics for how to initiate a DevOps program in their business. They struggle with issues related to current organizational inertia, the lack of experience on Continuous Integration/Delivery, understanding where DevOps will affect revenue and budget, etc. In their session at DevOps Summit, JP Morgenthal...
"We provide a web application framework for building really sophisticated web applications that run on a browser without any installation need so we get used for biotech, defense, and banking applications," noted Charles Kendrick, CTO and Chief Architect at Isomorphic Software, in this SYS-CON.tv interview at @DevOpsSummit (http://DevOpsSummit.SYS-CON.com), held June 9-11, 2015, at the Javits Center in New York
"Plutora provides release and testing environment capabilities to the enterprise," explained Dalibor Siroky, Director and Co-founder of Plutora, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.
DevOps tends to focus on the relationship between Dev and Ops, putting an emphasis on the ops and application infrastructure. But that’s changing with microservices architectures. In her session at DevOps Summit, Lori MacVittie, Evangelist for F5 Networks, will focus on how microservices are changing the underlying architectures needed to scale, secure and deliver applications based on highly distributed (micro) services and why that means an expansion into “the network” for DevOps.
"The idea of polyglot persistence is you have to apply the right database for the job - you always have to have many different databases in play. We offer that whole system as a service," explained Raj Singh, Developer Advocate for IBM Cloud Data Services, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
In his session at 16th Cloud Expo, Simone Brunozzi, VP and Chief Technologist of Cloud Services at VMware, reviewed the changes that the cloud computing industry has gone through over the last five years and shared insights into what the next five will bring. He also chronicled the challenges enterprise companies are facing as they move to the public cloud. He delved into the "Hybrid Cloud" space and explained why every CIO should consider ‘hybrid cloud' as part of their future strategy to achie...
SYS-CON Events announced today that WHOA.com, an ISO 27001 Certified secure cloud computing company, participated as “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which took place June 9-11, 2015, at the Javits Center in New York City, NY. WHOA.com is a leader in next-generation, ISO 27001 Certified secure cloud solutions. WHOA.com offers a comprehensive portfolio of best-in-class cloud services for business including Infrastructure as a Service (IaaS), Secure Cloud Desk...
SYS-CON Events announced today that Intelligent Systems Services will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Established in 1994, Intelligent Systems Services Inc. is located near Washington, DC, with representatives and partners nationwide. ISS’s well-established track record is based on the continuous pursuit of excellence in designing, implementing and supporting nationwide clients’ ...