
Show HN: SaaS Security 1000 – Security overview of the top SaaS companies

5 points| paulb81 | 7 years ago |sqreen.io

2 comments


ThePhysicist|7 years ago

I suppose this list was created using automated testing? I'm in general a bit skeptical of the results of these tools; often they will have a very high false-positive rate and be more distracting than useful. For example, regarding cookie security it's often the case that web apps use a mix of secure+HTTP-only cookies (e.g. for access tokens) and JS-accessible cookies (e.g. just for storing the login status so a web app can know if there's a secure access token cookie as well). Doing this usually poses no security risk but often gets flagged by automated tools anyway. Are you able to differentiate between the two cases? Similar arguments could be made about many other points on your list (e.g. mixed HTTP/HTTPS content, CSP headers, etc.). Also, some of the things you mention like public key pinning and HSTS can carry operative risks themselves and should only be implemented with great care; slapping them onto a bullet list might give the suggestion that it's always a good idea to implement them (it's not) and is therefore not very helpful (IMHO).

I see that you do port scanning as well; which IP addresses do you scan against? In my experience many SaaS providers sit behind proxies like Cloudflare these days, so of course you won't find any open ports when scanning against their HTTP services; that doesn't mean that their real servers don't have any, though.

I'm not complaining because we're not on your list (we're not), I just think if you really want to help companies to be more secure you should strive to explain the trade-offs and benefits of each point you mentioned instead of grossly oversimplifying an extremely complex topic. I understand the marketing value of this page but honestly I think it might be harmful to your reputation as a serious security firm. Just my 2c.
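As an added illustration of the distinction drawn in the comment above (this is example code, not from the thread or from Sqreen): a naive Set-Cookie check flags every cookie that lacks Secure or HttpOnly, while a context-aware check only treats the missing HttpOnly flag as a finding when the cookie appears to carry a credential. The name patterns used to decide what counts as a credential cookie and the three sample Set-Cookie headers are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample response headers for a fictional app. Only the
# login-status flag is deliberately JS-readable; the session cookie is
# genuinely misconfigured (no Secure, no HttpOnly).
SAMPLE_HEADERS = [
    "access_token=hZ9kQ2mN7vR4tB1xL8pC3wY6sD0fG5jA; Path=/; Secure; HttpOnly; SameSite=Lax",
    "logged_in=1; Path=/; Secure; SameSite=Lax",
    "session_id=8f2a1c9e7b3d4f6a; Path=/",
]

# Assumed heuristic: cookie names that usually hold a credential.
CREDENTIAL_NAME = re.compile(r"(token|session|sess|auth|sid|jwt)", re.I)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute name -> value

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def carries_credential(cookie: Cookie) -> bool:
    """Heuristic: credential-like name, or an opaque token-like value."""
    if CREDENTIAL_NAME.search(cookie.name):
        return True
    token_like = re.fullmatch(r"[A-Za-z0-9_.\-]+", cookie.value) is not None
    return len(cookie.value) >= 20 and token_like and not cookie.value.isdigit()


def naive_findings(headers):
    """Flag every cookie missing Secure or HttpOnly, regardless of purpose."""
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        if not c.secure:
            findings.append((c.name, "missing Secure"))
        if not c.httponly:
            findings.append((c.name, "missing HttpOnly"))
    return findings


def context_aware_findings(headers):
    """Secure is required everywhere; HttpOnly only on credential cookies."""
    findings = []
    for header in headers:
        c = parse_set_cookie(header)
        if not c.secure:
            findings.append((c.name, "missing Secure"))
        if carries_credential(c) and not c.httponly:
            findings.append((c.name, "credential cookie readable from JS (missing HttpOnly)"))
    return findings


if __name__ == "__main__":
    print("naive:", naive_findings(SAMPLE_HEADERS))
    print("context-aware:", context_aware_findings(SAMPLE_HEADERS))
```

On the sample headers the naive check reports three findings, including the JS-readable `logged_in` flag; the context-aware check reports only the two real problems on `session_id`. The name heuristic is a starting point, not a classifier: a real scanner would need the application's own knowledge of which cookies carry credentials to avoid both false positives and false negatives.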

paulb81|7 years ago

At Sqreen, we love SaaS! We especially love making SaaS companies more secure :-)

The SaaS Security 1000 is a security overview of the world's fastest growing SaaS companies. We run a few basic security checks to identify network and application security issues.

No SaaS business has been harmed during that experiment ;-) (information gathered with fully passive & non-intrusive tests)

Have feedback or questions?