SaaSTrana podcast session with Kashish Jajodia, CTO at Draup, focuses on best practices for addressing SaaS application security and hosts Venkatesh Sundar, Founder | Indusface.

Venkatesh Sundar:

Today. We have with us Kashish, CTO at Draup. Draup provides an AI-enabled SaaS platform for some of the biggest brands and businesses, which enables them to plan, hire and upskill their workforce and sales talent.

Kashish will share with us how he looks at vulnerability assessment, penetration testing, and application security. He will also share with us the drivers for Draup to look at application security, whether for building trust with their customers or compliance needs.

He will also share what he would do differently if he could go back in time. And, of course, Kashish has been kind enough to share some very candid stories of his tryst with hacker attacks.

Meet Kashish and The Story Behind the Company, Draup

Venky: Welcome to the show, Kashish.

Q: Can you introduce yourself and tell me about your company and what Draup does?

Kashish: Thanks for the opportunity, Venky, and for inviting me to the podcast.

Draup is an AI-driven platform that drives insights for HR and sales leaders. Right now, we focus on two major use cases: Sales and Talent Intelligence.

• On the sales side, we provide sales teams with context-rich data in an easy-to-use natural language interface. This helps the go-to-market teams identify new opportunities, understand what’s top of mind for customers and their strategic investment priorities and anticipate key trends overall in the industry.
• On the talent side, we create very specific talent, customer-centric, role-level, and skill-level insights that are not available outside of any of the platforms. This helps the talent strategy team build strategic location and role-wise workforce plans.

Using Draup’s powerful AI engine, we upload our data which is applied to a database of 750 million profiles. The HR leaders can find and hire the right talent with the right skill sets.

We also have a tool that can be used to implement cost optimize reskilling initiatives to transform global workforces of teams to become future-ready.

Why SaaS Security is Important for Draup?

Venky:  As a SaaS platform, you are, by design, asking your customers to trust some of the data that you manage and provide insights to them. And in your case, it is HR and sales enablement.

Q: How do you think about application security? Why is it important to you? What is the driver for giving it a significant amount of trust and importance in your company?

Kashish:

With any of these cloud-native B2B companies, the application’s security is very important.

We work with the biggest eCommerce players, telecom players, banks, beverage companies, consulting companies, etc. And for all these companies working with us, it’s very important for them to trust us with some of their data.

And to trust our data sets. Any kind of security threat and security issues become reputational damage to us. And we don’t want to do that.

We are an AI company. We have a lot of models and proprietary data. Exposure to them is a loss of revenue for us. Because those are data sets that our team has created.

We want to make sure they’re safe and secure.

We want to make sure there are no downtimes. Now, there are a lot of DDoS attacks happening. Many ethical hackers are trying to find a way out of your system.

Even a small downtime leads to missed deals and renewals.

And then clients trust us for the data that we have for our upturn.

We do not want to be in a situation where a customer logs into our platform to get some important data for a meeting they’re going to or for a decision they’re making, and the platform is down.

These are the major reasons we want to be there always. And, always have a reputation as a security first company. A company that prioritizes security above everything else.

The Story Behind SaaS security Journey

Venky:

Q: Did you think about it when you’re designing the product? Or you thought about it only after your customers came and asked me about it.

Kashish:

That’s a very interesting question, Venky. And I would like to share an interesting story:

We initially like any startup; the most important focus is the product. And keep adding more features.  We had all kinds of security best practices, like MFA and the least privileges.  But they never got prioritized our development cycle.

Because the business was always, I need this feature, why is this not there? We need more customers. So, we are always focused on that.

But generally, we made sure that the passwords were correct. The general basics of security are there.

And one day, we got a mail from a customer saying, we cannot open your website. And we tried to open it on our end, and it worked fine.

Then we started getting mails from multiple customers. We were not able to figure it out. And suddenly, while browsing, we realized that we had been blacklisted. This is completely new to us.

You think about DDoS attacks and SQL injection. You’ve never thought about getting blacklisted.

What happened was that we had a marketing page hosted on Draup.com. It is an external marketing pacing website. And it had a WordPress login.

The default WordPress login admin or whatever that default was there was just left open. Someone logged in and hosted malware on one of our blogs.

Google and Nord VPN and all these companies started finding that malware and blacklisting us. Then we realized,

“There are a lot of things in the market that we don’t understand.  

It’s very important to focus on security and ensure the website is always safe and secure.

Everything that we know and don’t know is secured against it.”

Pen Testing – A Key Driver in Customer Trust

Venky:

Q: Do you do vulnerability management and penetration testing program more frequently? Is this enabling you to better build trust with your customers by showing a third-party report? Can you share some of your insights on that?

Kashish:

Yes, I think this happens quite often, like in the companies we work with. These are all globalized companies.

When you’re going through the RFP process very important part of it is:

Have you had pen testing done? Have you had an external validator perform validation on the website? Can you show us a certificate? 

We have an internal team that keeps checking the static code for any problems, perimeter-based issues, or inbound not being open on the AWS side. But you can’t see so much.

Having an external certificate and an external person validating it helps build client trust.

Venky:

Unless you get visibility, you cannot take action against the risks.

Know what the risks are instead of having your customers find it out at 9 o’clock at night. You should be one step ahead of that or at least try to be.

Kashish:

We started focusing more on it after this incident when we knew that a security problem could have been happening.

How can SaaS Startups Boost Security?

Venky:

Q: Based on your experience, what would be your advice to a new company that is coming up with a new AI-ML model for some other SaaS use case? At what point should they start thinking about application security?

Kashish:

I would say day zero!

As you start creating your architectures, high-level diagrams, low-level diagrams, and everything start thinking about security from that point. Make sure it becomes a very important part of your DNA.

FTX is one of the largest crypto companies in the world. They got hacked for 600 million dollars. Imagine the kind of sophistication all these hackers and that they’re procured.

Indusface Makes SaaS Security Simple

Kashish:

Security always takes a back seat because people think that –

 “It takes a lot of time, you will have to hire people to do it, and you will have to get more staff or someone else to help you out”

But I think in today’s world, we live in this SaaS domain. Platforms like Indusface help a lot.  It’s kind of plug-and-play. You don’t need an extra development team to come in and start playing around or adding tools and technologies internally to do that right.

Just get a partner like you know who can add in a plug-in or just have an external system that does keep doing pen testing on top of it.

Now tools also have automated kind of patching. I think you guys also have that. The time spent by the development team and the founders where the business is almost negligible.

All it takes is your knowledge and understanding of what you need to focus on security.  So I think that’s what a new start-up should do.

How to make DevSecOps a Reality?

 Venky:

As well you said, “Start from Day Zero. On Day Zero typically you’re writing your first line of code, you are trying to build something.

One of the hot topic and trends today is devsecops. I keep hearing about shift left and shift left.

Q: What are your views on devsecops as a trend? What is your take on that?

Kashish:

Devsecops means just like how DevOps has revolutionized your CI/CDs in your automation about your deployment cycles, push cycles, and everything.  Devsecops wants to add a security layer to it.

People should start thinking about security right from the time they start architecting; they start opening up the system to others. That’s very important, enabling a centralized team to care for the entire security.

What also happens is that in larger organizations, security owners are in the development team or the people working on a specific product. They might not have the understanding or knowledge to handle and solve issues.

Having a centralized team automating it for you is actually a good initiative. I think overall, the industry is adopting.

Venky:

As a responsibility, devsecops is a product responsibility. Development, security and operations have to be owned by the product team.  Then you can have specialized people with a centralized security team doing the security part. But devsecops has to be viewed as one umbrella.

But my take on that, honestly Kashish, I have heard this from other people who said we are shift left. And what ends up happening with shift left is they stop doing what’s right.

Guess what there can be a new zero-day attack. There can be a third-party component that you integrate with the changes. so it has to be continuous.

Devsecops it’s not just a shift left you to start early, but it continues throughout the deployment and production life cycle.

Hackers Can Run a Cyberattack in Minutes – Time to Worry!

Kashish:

That’s what happens in this Day Zero vulnerability you’re talking about. And the new issues that people keep finding. On that you know I just wanted to share one quick story again:

Like what happened when we hosted a QA database server.  We’re just hosting it, pushing data and leaving the public IP open.  Within 15 minutes, the entire system was hacked.

There was a file folder saying,

“Please send me X Bitcoins if you want to unencrypt your files; otherwise, I’m going to post it somewhere”

It was a QA system for us, and there was hardly any data.  Maybe a user login record, that’s it.

But I was like, 15 minutes is all it takes.

Venky:

I don’t believe it took 15 minutes. There are studies that show that if you put a vulnerable server and make it a public ID. It takes less than a few minutes to have probes and attack vectors coming toward it.  So you were lucky that it took 15 minutes.

Kashish:

It might have happened faster we might have realized it after 15 minutes

Pitfalls that SaaS Businesses Should Avoid

Venky

Q: Are there any pitfalls that you want SaaS firms to avoid? Would you have any recommendations or pitfalls that you would tell them to avoid based on your learnings?

Kashish:

I think what happens, especially for new companies, they plug into tools and technologies that are not well-tested in the market.  Especially the open-source tools that are out there.  Like releasing a new version and the companies wanting to start using it.  I would always say to wait for it to get stable.

Look at a new phone example if Samsung launches a new watch today, right, or Google launches a new tab today. You’ll always find the first versions to have some issues there.

Similarly, all these open-source tools and technologies, they’ll have issues.  Wait for it to get stable before you start using it.

Second, always keep the teams involved. Generally, the world of security is kind of burned by the engineering teams. Getting people involved on the business side, the product side, and the other teams at least educating them and making them understand the importance.

It goes a long way in making your life easier when you spend time, money or whatever is there to make your platform system safe that education helps you greatly.

Another thing that I always say is you are not an expert. You might have read 10 blogs. you might have a lot of open-source tools and technologies.  Always take external partners’ help as well.  You said they’re on a daily level, their new threats, and issues people are discovering.  So it’s always better to take an external person’s help for security. And you focus on your core work.

When and How Often Should You Run a Vulnerability Scan?

Venky:

Q: How frequently do you do your vulnerability testing and Pen testing? is it automated scanning? Do you recommend doing it daily? How frequently do you want to do it?

Kashish:

When we fill up all these RFP forms, they question how frequently we do it.  There is an option for weekly, monthly, quarterly, and yearly.  But using a platform like Indusface has helped us because it has become a daily thing for us. Every day it automatically goes runs; you get a report.

So I think we do it daily. Our automated scans are scheduled daily. And manual pen testing happens twice a year.

Venky:

Thank you very much!  All the best; the Draup is doing some amazing work.  Kashish it was a pleasure hosting you. There are a lot of insights and a lot of things I learned. Hopefully, the people who are listening to this will learn as well.

Kashish

That would be great, and thanks a lot Venky for the opportunity.

Stay tuned for more relevant and interesting security updates. Follow Indusface on Facebook, Twitter, and LinkedIn

The post SaaSTrana Podcast Episode 1: How Draup Secures their SaaS Applications? appeared first on Indusface.

*** This is a Security Bloggers Network syndicated blog from Indusface authored by Indusface. Read the original post at: https://www.indusface.com/blog/saastrana-podcast-episode-1-how-draup-secures-their-saas-applications/