App Security & Compliance for SaaS Companies in Saudi Arabian Market
In this episode of SaaSTrana, host Venkatesh Sundar is joined by Sangmesh Hiremath (Founder of Marmin.AI) to discuss how application security and compliance are crucial for SaaS companies to grow in Saudi Arabia, the Middle East, and the European markets.
Introduction to Marmin.ai
Venky: Can you tell me a little bit about yourself and your company?
I am the founder of Marmin.ai. We founded Marmin in 2020. When we started, we were trying to build an application for exchanging documents over the internet between all accounting systems and ERPs.
We saw an opportunity in 2020 when Saudi Arabia developed a guideline for National Tax Authority. It says that all invoices generated should be electronic invoices.
The electronic invoice is not one which we send as a PDF. It has embedded XML, which goes to the Tax Authority. Tax Authority approves or rejects it. Based on that business will issue invoices to customers.
We immediately pivoted on it, and we built an application. We are an approved solution provider by Saudi Tax Authority.
Our main business area is electronic invoicing for businesses. We have a parallel product that is used as a document exchange platform. Both are cloud-based.
Venky: As a SaaS-based platform, how would you define your target customers or your ideal customer profile in the Saudi Arabian Market?
When the Saudi Arabian Tax Authority listed all the approved solution providers, there were around 800 listed companies. There are ERPs, accounting systems, cloud accounting systems, and consultants who provide advisory roles in these areas.
We have differentiated ourselves in a way; for example, if a business has its existing investment in its ERP or accounting system, they don’t need to switch to a compliant solution.
If their main service provider of the solution is not ready for compliance, these companies can simply integrate with us and remain compliant.
We give these businesses a great value proposition: “You retain your existing investment and do not lose on your CapEx and OpEx”.
Cybersecurity Compliance in Saudi Arabia
Venky: How do you look at Cybersecurity? What triggered you to take those initiatives for Marmin?
Being in the tech space for the last 15 years, we have understood that cyber security is very much required for each application.
Saudi Arabia has come up with National Cyber Security Authority which releases guidelines on how and what cyber security controls should be for each company and product. Based on the scenario, they are laying out the basic rules.
The main agenda of this National Cyber Security Authority is to build governance, defense, and cyber resilience mechanisms related to cyber security.
When building applications, we always follow basic protocols, like multi-factor authentication, complex passwords, and compliance with national regulations.
On the other side, when we are trying to be a supplier to some customers, the customers also are made aware enough by the National Cyber Security Authority.
When we are trying to register as a supplier for such companies, they have their cyber security checklist, which we must fulfill.
This way, we keep up, and it’s a gradual process of growing and strengthening our processes internally.
Why do SaaS companies need cyber insurance for customer protection?
Venky: As a supplier of this to the businesses, you must meet the must-have controls and processes in place from the National Cyber Security Authority checklist. Right?
This is on the front where customers are from Saudi Arabia. Many Saudi Arabian customers are from the UK, the US, and Australia.
These companies also take their local guideline into the picture. In such a situation, one point has influenced and impacted us.
A company says, “We need Cyber Security Insurance plus Error and Omission Insurance.”
Depending upon the size of the company, deal, and proposition we’re giving, the customer says, “I need minimum insurance of this much.”
You have to get into the market and look for insurance providers to insure you. They also have their checks on what you are doing internally for cyber security.
This is well-connected, so you must comply with cybersecurity-related activities.
Venky: I’m just surprised to expect you to have cyber insurance instead of the customer already having their own cyber insurance policy.
They have their cyber insurance policy, but we own SaaS products, so we must comply. If there is any gap in those compliances, they want to ensure that someone else, like an insurance company, is backing us in case of a claim of damages.
So, when this happens insurance company also tries to ensure that as a customer of the insurance company, and having our own SaaS application, we are making our internal governance and defense mechanisms strong so that there is no such claim by the customer.
Role of Third-Party Assessment in Strengthening Application Security
Venky: As part of this National Service Cyber Security Authority checklist and other forks of compliance checklist, including insurance policy driven from where they operate, application security is one of the aspects of the checklist, right?
Exactly! It is like that. Another part is that the National Cyber Security Authority also has a guideline that says that third-party testing and pen testing should be involved in the cyber security mechanisms to send them the internal cyber security controls.
Venky: Is it just compliance, or are there other things from an application security standpoint that you feel a third party is important for your business?
Cyber security is internally embedded into our application development pipeline. We ensure all these checks are covered, and third parties like Indusface help us identify those vulnerabilities and fix them.
Venky: What are some of the best practices for vulnerability scanning and penetration testing?
You mentioned having a third-party report is one of them.
We do a vulnerability scan every week. Usually, what happens is that the threats are not so frequent if your scans are regular and you keep taking action on them.
Over time, a threat becomes critical if it has remained for a longer time or is known but not fixed.
We do not let anything go to that stage. Whenever it is identified as low or medium; we do not delay those things to reach a critical stage. Even if there is a medium threat, we just fix that.
Internally we have processors and policies where we manage who will control what. There is proper access authorization. Need basis access is only provided, which are some internal things we control so that no one has direct access to databases or the products.
Venky: Until the time to fix the vulnerabilities, if there is a virtual patching-based capability. Is that something that you think is the best practice?
In that case, we would prefer virtual patching. We do it immediately if there is a known patching mechanism available. Eventually, we’ll fix it over time in our programming pipeline.
Pitfalls new SaaS firms should avoid
As a new SaaS firm, make application security / cyber security an integral part of your offering. So that you get a head start on building your application.
Because cybersecurity-related guidelines and compliances in different markets will expect you to have a minimum threshold, you still cannot sell without meeting those thresholds.
Regarding compliance and security specific to Saudi Arabia, the National Cyber Security Authority checklist is the most authoritative document you will have to look at.
Because the consumers and the customers are well aware of this and enforce this as a minimum compliance requirement that their supplier should provide.
To know more, listen to the podcast here.