
Show HN: SaaS Security 1000 – Security overview of the top SaaS companies - paulb81
https://www.sqreen.io/opendoor/saas
======
ThePhysicist
I suppose this list was created using automated testing? I'm in general a bit
skeptical of the results of these tools, often they will have a very high
false-positive rate and be more distracting than useful. For example regarding
cookie security it's often the case that web apps use a mix between
secure+HTTP-only cookies (e.g. for access tokens) and JS-accessible cookies
(e.g. just for storing the login status so a web app can know if there's a
secure access token cookie as well). Doing this usually poses no security risk
but often gets flagged by automated tools anyway. Are you able to
differentiate between the two cases? Similar arguments could be made about
many other points on your list (e.g. mixed HTTP/HTTPS content, CSP headers
etc.). Also, some of the things you mention like public key pinning and HSTS
can carry operative risks themselves and should only be implemented with great
care, slapping them onto a bullet list might give the suggestion that it's
always a good idea to implement them (it's not) and is therefore not very
helpful (IMHO).

I see that you do port scanning as well, which IP addresses do you scan
against? In my experience many SaaS providers sit behind proxies like
Cloudflare these days, so of course you won't find any open ports when
scanning against their HTTP services, that doesn't mean that their real
servers don't have any though.

I'm not complaining because we're not on your list (we're not), I just think
if you really want to help companies to be more secure you should strive to
explain the trade-offs and benefits of each point you mentioned instead of
grossly oversimplifying an extremely complex topic. I understand the marketing
value of this page but honestly I think it might be harmful to your reputation
as a serious security firm. Just my 2c.
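The cookie distinction raised in the comment above (HttpOnly+Secure for the access token, a deliberately JS-readable cookie for login status) is something a scanner can make if it classifies cookies before reporting. The following is an added example, not code from Sqreen or from the commenter, of a Set-Cookie audit that only raises a finding when a cookie whose name suggests authentication material lacks Secure or HttpOnly; the name-based hint list and the sample headers are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Heuristic name fragments that usually mark an authentication cookie.
# This list is an assumption for the example; a real scanner should let
# operators tune it (e.g. a CSRF double-submit cookie is meant to be JS-readable).
SENSITIVE_NAME_HINTS = ("session", "token", "auth", "sid", "jwt")


@dataclass
class Cookie:
    name: str
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None
    looks_sensitive: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    cookie = Cookie(name=name)
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = value.strip().lower() or None
    lowered = name.lower()
    cookie.looks_sensitive = any(h in lowered for h in SENSITIVE_NAME_HINTS)
    return cookie


def audit_cookies(headers: List[str]) -> Tuple[List[str], List[str]]:
    """Return (findings, informational).

    findings: sensitive-looking cookies missing Secure or HttpOnly.
    informational: lower-priority observations that should not count as
    vulnerabilities, such as a non-sensitive status cookie readable by JS.
    """
    findings: List[str] = []
    info: List[str] = []
    for header in headers:
        c = parse_set_cookie(header)
        if c.looks_sensitive:
            missing = [flag for flag, present in (("Secure", c.secure), ("HttpOnly", c.http_only))
                       if not present]
            if missing:
                findings.append(f"{c.name}: missing {', '.join(missing)}")
            elif c.same_site is None:
                info.append(f"{c.name}: no SameSite attribute (consider Lax or Strict)")
        else:
            # A JS-accessible, non-sensitive cookie is by design; only note
            # the absence of Secure, and only as low priority.
            if not c.secure:
                info.append(f"{c.name}: non-sensitive cookie sent without Secure (low priority)")
    return findings, info


# Constructed sample headers modelling the pattern described in the comment.
SAMPLE_HEADERS = [
    "access_token=eyJhbGciOi.example.sig; Path=/; Secure; HttpOnly; SameSite=Lax",
    "logged_in=1; Path=/; Secure",        # intentionally JS-readable status flag
    "legacy_session=abc123; Path=/",      # genuine problem: token without flags
    "theme=dark; Path=/",                 # harmless preference cookie
]

if __name__ == "__main__":
    found, notes = audit_cookies(SAMPLE_HEADERS)
    print("Findings:", found)
    print("Informational:", notes)
```

On the sample input only `legacy_session` becomes a finding; `logged_in` is recorded as intended behaviour rather than a vulnerability, which is the differentiation the comment asks the scanner to make.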

------
paulb81
At Sqreen, we love SaaS! We especially love making SaaS companies more secure
:-)

The SaaS Security 1000, is a security overview of the world's fastest growing
SaaS companies. We run a few basic security checks to identify network and
application security issues.

No SaaS business has been harmed during that experiment ;-) (information
gathered with fully passive & non-intrusive tests)

Have feedback or a question?

