SaaS Application Security Testing
Comprehensive security assessment for SOC 2 Type II, ISO 27001, and Cyber Essentials Plus certification
The Challenge
A UK-based SaaS company preparing for SOC 2 Type II audit and ISO 27001 certification needed comprehensive security testing of their multi-tenant application platform. The platform served enterprise clients handling sensitive business data and required Cyber Essentials Plus accreditation to bid on government contracts.
The client needed to demonstrate robust security controls, proper tenant isolation, and compliance with multiple security frameworks to win enterprise contracts worth millions. Any security gaps could delay certifications, damage reputation, and cost significant business opportunities.
Our Approach
We conducted a thorough security assessment aligned with SOC 2, ISO 27001, and Cyber Essentials Plus requirements:
Web Application Security Assessment
Comprehensive testing of the SaaS platform including authentication, authorization, data handling, and business logic. We tested for OWASP Top 10 vulnerabilities and security misconfigurations that could impact multiple tenants.
REST API Penetration Testing
Detailed assessment of REST APIs including authentication mechanisms, authorization controls, input validation, rate limiting, and error handling. We tested both public and internal APIs used by the platform.
Multi-Tenancy Isolation Testing
Rigorous testing of tenant isolation controls to ensure one tenant could not access, modify, or view another tenant's data. We tested data segregation at application, database, and API levels.
Authentication & Authorization Review
In-depth review of authentication mechanisms including SSO integration, MFA implementation, session management, and role-based access controls (RBAC). We tested for authentication bypass and privilege escalation vulnerabilities.
Key Findings
- Tenant Isolation Vulnerabilities: Critical flaws allowing one tenant to access another tenant's data through manipulated API requests and SQL queries
- IDOR in API Endpoints: Insecure direct object references in multiple API endpoints allowing unauthorized access to resources across tenant boundaries
- Weak Password Policy Implementation: Password policies not properly enforced, allowing weak passwords that failed Cyber Essentials Plus requirements
- Insufficient Session Management: Sessions not properly invalidated on logout, and concurrent session limits not enforced
- Missing Rate Limiting: No rate limiting on authentication endpoints, leaving the platform exposed to brute-force and credential-stuffing attacks
- Inadequate Audit Logging: Security event logging fell short of what SOC 2 and ISO 27001 require
Remediation & Certification
We provided a comprehensive remediation roadmap aligned with all three certification frameworks:
- Tenant isolation architecture redesign with multi-level validation
- Authorization framework overhaul with centralized access control
- Password policy enforcement meeting Cyber Essentials Plus standards
- Session management improvements with secure token handling
- Rate limiting implementation across all authentication endpoints
- Comprehensive audit logging aligned with SOC 2 Trust Service Criteria
- ISO 27001 control mapping and gap remediation
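To illustrate the tenant isolation and centralized access control items above, here is an added example (not the client's code or ours from the engagement) contrasting an IDOR-prone lookup with a tenant-scoped one that validates at two levels and records denials for audit. The table, tenant ids and document bodies are constructed sample data; the Session dataclass and AUDIT list are assumptions standing in for the platform's real session store and logging pipeline.

```python
import sqlite3
from dataclasses import dataclass

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class Session:
    user_id: int
    tenant_id: int  # bound server-side at login; never taken from the request

# Constructed audit sink: a real system would ship these to the SIEM.
AUDIT = []

def make_db():
    # Constructed sample data: two tenants, one document each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, "
               "tenant_id INTEGER NOT NULL, body TEXT NOT NULL)")
    db.executemany("INSERT INTO documents VALUES (?, ?, ?)",
                   [(1, 100, "tenant A secret"), (2, 200, "tenant B secret")])
    return db

def get_document_vulnerable(db, session, doc_id):
    # IDOR: the query keys on id alone, so any authenticated user can read
    # any tenant's document just by changing the id in the request.
    row = db.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None

def get_document_hardened(db, session, doc_id):
    # Level 1: the query itself is scoped to the caller's tenant, so a
    # cross-tenant id simply returns no row (a "not found", not a leak).
    row = db.execute("SELECT tenant_id, body FROM documents "
                     "WHERE id = ? AND tenant_id = ?",
                     (doc_id, session.tenant_id)).fetchone()
    # Level 2: defence in depth, re-check ownership on the returned row so a
    # future query edit cannot silently drop the tenant filter.
    if row is None or row[0] != session.tenant_id:
        AUDIT.append({"event": "cross_tenant_access_denied",
                      "user_id": session.user_id,
                      "tenant_id": session.tenant_id, "doc_id": doc_id})
        raise AccessDenied(f"document {doc_id} not in tenant {session.tenant_id}")
    return row[1]
```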
Following remediation and successful retest, the client achieved all three certifications within their target timeline.
Impact & Outcome
The client successfully achieved SOC 2 Type II, ISO 27001 certification, and Cyber Essentials Plus accreditation on schedule. These certifications enabled them to bid on and win enterprise contracts worth over £2M annually, including government contracts requiring Cyber Essentials Plus. The improved security posture also enhanced customer trust and competitive positioning in the market.