Click here to close now.


@CloudExpo Authors: AppDynamics Blog, Elizabeth White, Flint Brenton, Liz McMillan, Jason Bloomberg

Related Topics: @CloudExpo, Cloud Security

@CloudExpo: Article

Cloud Security Series | SQL Injection and SaaS

Avoiding Common Security Attacks In SaaS Applications

Security #1 Concern for Cloud Adoption
An analysis of several CIO Surveys about cloud adoption reveals two things:

  1. There is a growing adoption of cloud computing
  2. But Security Concerns remains on top of CIO's minds

So either as a SaaS provider or a IT services provider who develops applications on PaaS platform, we should address the security concerns,  and this series of  article aims at  addressing various security concerns.

This concern is aptly shown in the study,  Courtesy ‘Microsoft : The Economics Of Cloud'.

SaaS and SQL Injection
Like other web-based systems, cloud applications are prone to most of the common web attacks ranging from:

  • Cross-Site Scripting (XSS)
  • Injection Flaws
  • Information Leakage and Improper Error Handling
  • Broken Authentication and Session Management
  • Failure to Restrict URL Access
  • Improper Data Validation
  • Insecure Communications
  • Malicious File Execution

While  most of these are common vulnerabilities found in web applications, a SQL Injection is one of the highest possibilities in a SaaS application.

SQL injection is a method of attack where an attacker can exploit vulnerable code and the type of data an application will accept, and can be exploited in any application parameter that influences a database query.

Examples include parameters within the url itself, post data, or cookie values. If successful, SQL Injection can give an attacker access to backend database contents, the ability to remotely execute system commands, or in some circumstances the means to take control of the server hosting the database.

SQL Injection In Multi Tenant Database Design
We have seen in some of the earlier posts about  multi tenant database design, that  storing the multi tenant database in the same table  segregated by the Tenant ID acting as a primary key is a valid design pattern.

For example if there is a Retail SaaS applications that allows multiple  retailers to host their products and sell them through the online SaaS Application, then the possible multi tenant table design for table that hosts all the orders could be.

Column Name


Tenant ID

Unique ID that distinguishes each tenant

Order ID

Unique Order ID per tenant

Order Total Price

Total Price Of the Order

Order Currency

Currency  in which the order is done

.... Other Order related parameters like Customer Information, Shipping Address Etc.



If the SaaS application is prone to  SQL Injection, then it is very easy for  some one logging on behalf of  One Tenant can view the orders belonging to another Client, let us see with an example.

As explained in this simple example.

  • Front end application sends the tenant id to the database calls, so that the orders belonging to that tenant can be retrieved
  • However the dynamic SQL written simply attaches the ‘tenant Id' Supplied, and returns the results
  • This could potentially lead to a situation, where a hacker who could create a dummy tenant id' with the SaaS application can pass on random tenant ID values and could view orders belong to other tenants

Common Steps to Avoid SQL Injection
Below are some generic best practices that could be utilized by any application to avoid SQL Injection.

  • Parameterized Queries: SQL Injection arises from an attacker's manipulation of query data to modify query logic. The best method of preventing SQL Injection attacks is thereby to separate the logic of a query from its data. This will prevent commands inserted from user input from being executed.
  • Validate input: The vast majority of SQL Injection checks can be prevented by properly validating user input for both type and format.
  • Stored Procedures: Consider using stored procedures. They require a very specific parameter format, which makes them less susceptible to SQL Injection attacks.

Additional Steps for SaaS Applications
Below are some additional steps  on top of  the common steps mentioned above, which could be used to prevent SQL Injection specific to SaaS cloud application.

  • Never pass the Tenant ID as a parameter to the back end queries in a open form, which will enable hackers to guess and manipulate the same, keep the Tenant ID as a hidden or internal value from the eyes of the user.
  • Do not display the internal values of Tenant ID or the Table names involved when database errors happen, rather mask the errors with generic text
  • Validate that the Tenant ID indeed belong to the particular User who has logged on before executing the query. For example if a particular user say John Doe logged on and use the SaaS application for the Tenant A, then any queries by John Doe should only retrieve records from Tenant A and should not include other tenants , this cross reference between the users and tenants are maintained in the system and should be used in all queries.
  • Enable additional controls at the database level like Virtual Private Database feature of Oracle 11g or equivalent so that even with the Injection we cannot view the values of other tenants.

Protecting tenant specific data is the ultimate goal  of the SaaS application and  hackers can use SQL Injection among all techniques  to penetrate the same and the above mentioned  techniques will prevent the SQL Injection and make the application secure and speed up the Cloud Enablement in the minds of CIOs.

More Stories By Srinivasan Sundara Rajan

Srinivasan is passionate about ownership and driving things on his own, with his breadth and depth on Enterprise Technology he could run any aspect of IT Industry and make it a success.

He is a seasoned Enterprise IT Expert, mainly in the areas of Solution, Integration and Architecture, across Structured, Unstructured data sources, especially in manufacturing domain.

He currently works as Technology Head For GAVS Technologies.

@CloudExpo Stories
As organizations realize the scope of the Internet of Things, gaining key insights from Big Data, through the use of advanced analytics, becomes crucial. However, IoT also creates the need for petabyte scale storage of data from millions of devices. A new type of Storage is required which seamlessly integrates robust data analytics with massive scale. These storage systems will act as “smart systems” provide in-place analytics that speed discovery and enable businesses to quickly derive meaningf...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
In his General Session at 17th Cloud Expo, Bruce Swann, Senior Product Marketing Manager for Adobe Campaign, explored the key ingredients of cross-channel marketing in a digital world. Learn how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects).
The buzz continues for cloud, data analytics and the Internet of Things (IoT) and their collective impact across all industries. But a new conversation is emerging - how do companies use industry disruption and technology enablers to lead in markets undergoing change, uncertainty and ambiguity? Organizations of all sizes need to evolve and transform, often under massive pressure, as industry lines blur and merge and traditional business models are assaulted and turned upside down. In this new da...
In recent years, at least 40% of companies using cloud applications have experienced data loss. One of the best prevention against cloud data loss is backing up your cloud data. In his General Session at 17th Cloud Expo, Sam McIntyre, Partner Enablement Specialist at eFolder, presented how organizations can use eFolder Cloudfinder to automate backups of cloud application data. He also demonstrated how easy it is to search and restore cloud application data using Cloudfinder.
The Internet of Everything is re-shaping technology trends–moving away from “request/response” architecture to an “always-on” Streaming Web where data is in constant motion and secure, reliable communication is an absolute necessity. As more and more THINGS go online, the challenges that developers will need to address will only increase exponentially. In his session at @ThingsExpo, Todd Greene, Founder & CEO of PubNub, exploreed the current state of IoT connectivity and review key trends and t...
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
With all the incredible momentum behind the Internet of Things (IoT) industry, it is easy to forget that not a single CEO wakes up and wonders if “my IoT is broken.” What they wonder is if they are making the right decisions to do all they can to increase revenue, decrease costs, and improve customer experience – effectively the same challenges they have always had in growing their business. The exciting thing about the IoT industry is now these decisions can be better, faster, and smarter. Now ...
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true ...
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem"...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound...
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, San...
Apps and devices shouldn't stop working when there's limited or no network connectivity. Learn how to bring data stored in a cloud database to the edge of the network (and back again) whenever an Internet connection is available. In his session at 17th Cloud Expo, Ben Perlmutter, a Sales Engineer with IBM Cloudant, demonstrated techniques for replicating cloud databases with devices in order to build offline-first mobile or Internet of Things (IoT) apps that can provide a better, faster user e...
In today's enterprise, digital transformation represents organizational change even more so than technology change, as customer preferences and behavior drive end-to-end transformation across lines of business as well as IT. To capitalize on the ubiquitous disruption driving this transformation, companies must be able to innovate at an increasingly rapid pace. Traditional approaches for driving innovation are now woefully inadequate for keeping up with the breadth of disruption and change facin...
I recently attended and was a speaker at the 4th International Internet of @ThingsExpo at the Santa Clara Convention Center. I also had the opportunity to attend this event last year and I wrote a blog from that show talking about how the “Enterprise Impact of IoT” was a key theme of last year’s show. I was curious to see if the same theme would still resonate 365 days later and what, if any, changes I would see in the content presented.
Cloud computing delivers on-demand resources that provide businesses with flexibility and cost-savings. The challenge in moving workloads to the cloud has been the cost and complexity of ensuring the initial and ongoing security and regulatory (PCI, HIPAA, FFIEC) compliance across private and public clouds. Manual security compliance is slow, prone to human error, and represents over 50% of the cost of managing cloud applications. Determining how to automate cloud security compliance is critical...
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data...
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York and Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty ...