SaaS AppSec Stories on Malware, Sleepless Nights and DevSecOps | Kashish Jajodia (CTO, Draup)
This SaaSTrana podcast session with Kashish Jajodia, CTO at Draup, hosted by Venkatesh Sundar, Founder, Indusface, focuses on best practices for addressing SaaS application security.
Introduction to Draup
1. Can you introduce yourself and tell me about your company and what Draup does?
Draup is an AI-driven platform that drives insights for HR and sales leaders. Right now, we focus on two major use cases: Sales and Talent Intelligence.
- On the sales side, we provide sales teams with context-rich data in an easy-to-use natural language interface. This helps the go-to-market teams identify new opportunities, understand what’s top of mind for customers and their strategic investment priorities, and anticipate key trends in the industry.
- On the talent side, we create very specific talent, customer-centric, role-level, and skill-level insights that are not available outside of any of the platforms. This helps the talent strategy team build strategic location and role-wise workforce plans.
Using Draup’s powerful AI engine, we upload our data, which is applied to a database of 750 million profiles. The HR leaders can find and hire the right talent with the right skill sets.
We also have a tool that can be used to implement cost-optimized reskilling initiatives that transform global workforces to become future-ready.
The driver for their application security
2. How do you think about application security? What is the driver for giving it a significant amount of trust and importance in your company?
Application security is very important for any cloud-native B2B company.
We work with the biggest eCommerce players, telecom players, banks, beverage companies, consulting companies, etc. And all these companies working with us need to trust us with some of their data and to trust our data sets.
Any security threat or security issue becomes reputational damage to us. And we don’t want that.
We are an AI company. We have a lot of models and proprietary data. Exposure of them is a loss of revenue for us, because those are data sets that our team has created.
We want to make sure they’re safe and secure. We want to make sure there are no downtimes.
Now, there are a lot of DDoS attacks happening. Many ethical hackers are trying to find a way out of your system. Even a small downtime leads to missed deals and renewals.
We want to avoid being in a situation where a customer logs into our platform to get some important data for a meeting they’re going to or for a decision they’re making, and the platform is down.
These are the major reasons we want to be there always. And, always have a reputation as a company that prioritizes security above everything else.
The story behind their SaaS security journey
3. Did you think about application security when you were designing the product? Or you thought about it only after your customers came and asked you about it?
Initially, like any startup, our most important focus was the product and adding more features. We had all kinds of security best practices, like MFA and least privilege. But they never got prioritized in our development cycle.
Because the business was always saying, “I need this feature, why is this not there? We need more customers.” So, we were always focused on that.
But generally, we made sure that the passwords were correct. The general basics of security were there.
And one day, we got a mail from a customer saying, “We cannot open your website.” We tried to open it on our end, and it worked fine.
Then we started getting mails from multiple customers. We were not able to figure it out. And suddenly, while browsing, we realized that we had been blacklisted. This was entirely new to us.
You think about DDoS attacks and SQL injection. You’ve never thought about getting blacklisted.
What happened was that we had a marketing page hosted on Draup.com. It is an external marketing-facing website. And it had a WordPress login.
The default WordPress login was just left open. Someone logged in and hosted malware on one of our blogs.
Google and NordVPN found that malware and blacklisted us.
Then we realized, “It’s crucial to focus on security to ensure the website is always safe and secure.”
Building customer trust with pen-testing
4. Do you do vulnerability management and pen-testing program more frequently? Is this enabling you to better build trust with your customers by showing a third-party report?
Yes, this happens quite often in the companies we work with. These are all globalized companies.
When you’re going through the RFP process, a very important part of it is:
Have you had pen testing done? Have you had an external validator to perform validation on the website? Can you show us a certificate?
We have an internal team that keeps checking the static code for any problems or perimeter-based issues. But you can’t see so much.
Having an external certificate and an external person validating it helps build client trust.
Best practices for SaaS security
5. What would be your advice to a new SaaS company? At what point should they start thinking about application security?
I would say day zero!
As you start creating your architectures, high-level diagrams, and low-level diagrams, start thinking about security from that point. Make sure it becomes a vital part of your DNA.
Security always takes a back seat because people think that –
“It takes a lot of time, you will have to hire people, and you will have to get more staff or someone else to help you.”
But in today’s world, we live in this SaaS domain. Platforms like Indusface help a lot. It’s plug-and-play. You don’t need an extra development team to come in and start playing around or adding tools and technologies internally to do that.
Indusface made SaaS security simple
6. What are your views on devsecops as a trend? What is your take on that?
DevSecOps means: just as DevOps has revolutionized your CI/CD and the automation of your deployment cycles, DevSecOps wants to add a security layer to it.
People should start thinking about security right from the time they start architecting, when they start opening up the system to others. It’s very important to enable a centralized team to care for the entire security.
Top pitfalls that SaaS businesses should avoid
7. Are there any pitfalls that you want SaaS firms to avoid?
What happens, especially for new companies, is that they plug into tools and technologies that are not well-tested in the market, especially the open-source tools that are out there. I always say to wait for them to get stable.
The open-source tools and technologies will have issues. Wait for them to get stable before you start using them.
Second, always keep the teams involved. Getting people from business, product, and other teams engaged in security makes them understand its importance.
It goes a long way in making your life easier when you spend time, money, or whatever is there to make your platform system safe, and that education helps you greatly.
Another thing that I always say is you are not an expert. You might have read ten blogs. You might have a lot of open-source tools and technologies. Always take external partners’ help for security. So you can focus on your core work.
Vulnerability Scanning Frequency
8. How frequently do you do your vulnerability testing and pen testing? Is it automated scanning?
With a platform like Indusface, it becomes a daily thing for us. Every day it runs automatically, and we get a report.
Our automated scans are scheduled daily. And manual pen testing happens twice a year.