SaaS AppSec Stories on Malware, Sleepless Nights and DevSecOps

Overview

This podcast is hosted by Venkatesh Sundar, founder at Indusface, with our guest Kashish Jajodia, CTO at Draup.

In this session, Kashish talks to Venky about how he looks at vulnerability assessment, penetration testing, and application security. What drives Draup to look at application security? Is it for building trust with their customers or compliance needs?

Indusface

Indusface is a leading application security SaaS company that secures critical Web, Mobile, and API applications of 5000+ global customers using its award-winning fully managed platform that integrates web application scanner, web application firewall, DDoS & BOT Mitigation, CDN, and threat intelligence engine.

Key highlights from the discussion:
  • Why is application security important for Draup?
  • The story behind their SaaS security journey
  • How does pen-testing aid in their customer trust?
  • How can SaaS startups boost security?
  • How Indusface made SaaS security simple
  • How to make DevSecOps a reality?
  • Time to worry: hackers can run a cyberattack in minutes
  • Top pitfalls that SaaS businesses should avoid
  • When and how often should you run a vulnerability scan?

Transcript

Draup is an AI-driven platform that drives insights for HR and sales leaders. Right now, we focus on two major use cases: Sales and Talent Intelligence.

  • On the sales side, we provide sales teams with context-rich data in an easy-to-use natural language interface. This helps the go-to-market teams identify new opportunities, understand what’s top of mind for customers and their strategic investment priorities, and anticipate key trends in the industry.
  • On the talent side, we create very specific talent, customer-centric, role-level, and skill-level insights that are not available outside of any of the platforms. This helps the talent strategy team build strategic location and role-wise workforce plans.

Using Draup’s powerful AI engine, we upload our data which is applied to a database of 750 million profiles. The HR leaders can find and hire the right talent with the right skill sets.

We also have a tool that can be used to implement cost-optimized reskilling initiatives to transform the global workforces of teams to become future-ready.

Application security is very important for any of the cloud-native B2B companies.

We work with the biggest eCommerce players, telecom players, banks, beverage companies, consulting companies, etc. And all these companies working with us need to trust us with some of their data and to trust our data sets.

Any security threat or security issue becomes reputational damage to us. And we don’t want that.

We are an AI company. We have a lot of models and proprietary data. Exposure to them is a loss of revenue for us. Because those are data sets that our team has created.

We want to make sure they’re safe and secure. We want to make sure there are no downtimes.

Now, there are a lot of DDoS attacks happening. Many ethical hackers are trying to find a way out of your system. Even a small downtime leads to missed deals and renewals.

We want to avoid being in a situation where a customer logs into our platform to get some important data for a meeting they’re going to or for a decision they’re making, and the platform is down.

These are the major reasons we want to be there always. And always have a reputation as a company that prioritizes security above everything else.

Initially, like any startup, our most important focus was the product, and we kept adding more features. We had all kinds of security best practices, like MFA and least privilege. But they never got prioritized in our development cycle.

Because the business was always: “I need this feature, why is this not there? We need more customers.” So, we were always focused on that.

But generally, we made sure that the passwords were correct. The general basics of security are there.

And one day, we got a mail from a customer saying, “We cannot open your website.” And we tried to open it on our end, and it worked fine.

Then we started getting mails from multiple customers. We were not able to figure it out. And suddenly, while browsing, we realized that we had been blacklisted. This was entirely new to us.

You think about DDoS attacks and SQL injection. You’ve never thought about getting blacklisted.

What happened was that we had a marketing page hosted on Draup.com. It is an external marketing-facing website. And it had a WordPress login.

The default WordPress login was just left open. Someone logged in and hosted malware on one of our blogs.

Google and NordVPN found that malware and blacklisted us.

Then we realized, “It’s crucial to focus on security to ensure the website is always safe and secure.”

Yes, this happens quite often in the companies we work with. These are all globalized companies.

When you’re going through the RFP process, a very important part of it is:

Have you had pen testing done? Have you had an external validator to perform validation on the website? Can you show us a certificate?

We have an internal team that keeps checking the static code for any problems or perimeter-based issues. But you can’t see so much.

Having an external certificate and an external person validating it helps build client trust.

I would say day zero!

As you start creating your architectures, high-level diagrams, and low-level diagrams, start thinking about security from that point. Make sure it becomes a vital part of your DNA.

Security always takes a back seat because people think that –

“It takes a lot of time, you will have to hire people, and you will have to get more staff or someone else to help you.”

But in today’s world, we live in this SaaS domain. Platforms like Indusface help a lot. It’s plug-and-play. You don’t need an extra development team to come in and start playing around or adding tools and technologies internally to do that.

DevSecOps means that, just like how DevOps has revolutionized your CI/CD pipelines and the automation of your deployment cycles, DevSecOps wants to add a security layer to it.

People should start thinking about security right from the time they start architecting; they start opening up the system to others. It’s very important to enable a centralized team to care for the entire security.

What happens, especially for new companies, is that they plug into tools and technologies that are not well-tested in the market. Especially the open-source tools that are out there. I always say to wait for it to get stable.

The open-source tools and technologies will have issues. Wait for them to get stable before you start using them.

Second, always keep the teams involved. Getting people from business, product, and other teams engaged in security makes them understand its importance.

It goes a long way in making your life easier when you spend time, money, or whatever is there to make your platform system safe, and that education helps you greatly.

Another thing that I always say is you are not an expert. You might have read ten blogs. You might have a lot of open-source tools and technologies. Always take external partners’ help for security. So you can focus on your core work.

With a platform like Indusface, it becomes a daily thing for us. Every day it runs automatically, and we get a report.

Our automated scans are scheduled daily. And manual pen testing happens twice a year.