SaaS and Security
As we develop the web-based version of Accpac, we are having to develop a lot of knowledge about hacking and web-based security exploits. Learning about these things is very interesting, but also very eye-opening and scary. Once you expose your application to the web, you are definitely in a different world.
We currently offer an on-line version of Accpac through http://www.accpaconline.com, but here we are using Citrix Server and relying on Citrix and Microsoft to protect us. You first have to log in to a Windows domain, and then these services provide the secure connection. Of course we do have to be vigilant and make sure all security patches are installed promptly. We also have to keep auditing our server configurations to ensure they are secure. We have to ensure that only the minimum set of services is running, so there is as little as possible to exploit. We have to ensure that a pissed-off user can only damage their own data, and things of that nature.
Once we leave the comfort of the Citrix/Windows domain world and expose our login page as the first line of defense, we are in a very different world. We now take on responsibility for a new level of security, where all the previous threats still exist, but now there are a great many more. It will be the hacker living in their parents' basement, patiently staying up all night trying to get past our login screen; patiently probing and trying to find any crack that can be exploited; putting together many disparate bits of information to learn how to get past our security.
We now need to deal directly with denial of service (DoS), SQL injection, cross-site scripting (XSS) and many other forms of attack. We have to train our QA department how to be hackers: how to think like hackers and how to probe our software to find these cracks before the black-hat hackers do. Our programmers have to be vigilant about the security implications of everything they do.
Certainly this is going to be a very challenging journey, but a very rewarding one. The challenges are unique and interesting. It certainly adds an extra dimension to software development: beyond just getting the functionality correct (challenging enough), the software has to be both correct and secure.