Why SaaS startups must think about application security, as much as they do about scale and agility on Day 1
“For a SaaS business, unlike other businesses, if you remove the application component, there is no business,” shared Venkatesh Sundar, Founder & CMO, Indusface, in his opening remarks during the webinar on ‘Why application security is a must have for any SaaS business.’
Joining the discussion were security and SaaS business leaders - Nath Parameshwaran, Director, PayPal India; Pravanjan Choudhury, CTO, Capillary Technologies; Harishankaran K, Co-founder and CTO, HackerRank; Prithvi Raju Alluri, Head, Infrastructure and Security, Darwinbox.
The discussion offered interesting perspectives on the relevance of application security, how it is bringing greater flexibility to businesses, industry best practices and more. YourStory’s Business Editor, Vishal Krishna, moderated the panel discussion.
Watch the video to understand why security is all about building business by building trust.
Rethinking security
“For a SaaS business, security is not a separate team’s effort. It has to be a part of the core culture. There can’t be a trade-off for security. It has to be the top priority,” shared Harishankaran. And this, he pointed out, has been a common theme at HackerRank as they grew from a two-member startup to a 200+ team today.
During the discussion, the leaders pointed out how the evolution of DevSecOps (wherein product development, security and operations have become the responsibility of a single team) points to the growing need, relevance and acceptance of security right in the early stage of building a SaaS offering. Prithvi noted, “DevSecOps is the new way of dealing with security. It’s the way to go for everyone.” Diving deeper into DevSecOps, Venkatesh noted that ‘Shift Left’ is the new buzzword within DevSecOps that is gaining momentum. “Shift Left calls for moving security as early as possible in the development lifecycle.” He noted that security needs to be worked on continuously. Adding to Venkatesh’s views on Shift Left, Pravanjan shared, “One of the key advantages of the Shift Left approach is that it helps in catching the vulnerability early on, which also means the cost of breach gets dramatically reduced.”
One of the key messages that the panelists reiterated was that the industry and ecosystem must look closely into how they can increasingly integrate security and privacy, right in the design stage.
Why security eliminates barriers to business growth
“Security is important for any company with a digital footprint. It doesn’t have to be a pure play SaaS company. But in a SaaS company, its significance is amplified even further,” noted Venkatesh.
Here, Nath pointed out that businesses should see security as an investment and not as a cost, because considering it a cost could lead to ill-advised budget reductions. “When you see security as an investment, you will take a structural and mindful approach which will help in strengthening the business’ security posture.” He shared that internally, PayPal sees itself as a cyber security company and not just a payments platform, pointing to the significance that the company attaches to security.
One of the key messages that the discussion brought out was that it is important to show customers the investments made in security. Harishankaran shared that in the initial days of their startup journey, they would often experience delays at the final stage of signing a deal because of questions related to security. However, taking a proactive approach to showcasing and answering questions related to security in the initial stages has helped to overcome the challenge as “it gives customers confidence on data and platform security.” The panelists all agreed that there is no way to close a business deal without answering all the questions related to security. Nath pointed out how, in the area of payments, security and growth are directly correlated. “Without security, there’s no trust. And, without trust there’s no business. So security is existential for the kind of business we are in.” Venkatesh shared his experience of engaging with SaaS businesses as a leading provider of application security. He stated, “The trigger point for adopting security is no longer risk mitigation but eliminating the barrier for sales. Application security is becoming a business enabler for SaaS businesses.”
The panelists also answered a number of questions posed by the audience, from the kind of security architecture that startups can adopt to build their platform to the role of data encryption, the relevance and scope of web bounty programmes and more. The panelists advised that startups should look at security right on Day 1 as opposed to delving into it at a later stage. “Just like agility and scale have become startup day 1 mantra, so should be security,” they said.
The panelists also shared that while security might feel a little overwhelming in a startup’s early days, application security serves as a good starting point to build the organisation’s security roadmap. Harishankaran noted, “There’s no way that you will score a perfect score w.r.t. the business’ security framework as an early stage startup. But, a lot of customers will be okay with it as long as you are transparent and have a clear plan on how it will be addressed in the future security roadmap.” He advised startups on how they could engage in self-assessment of their security posture to get a real picture and how they can leverage that to bring about changes. He shared that startups must look at global and industry certifications not just to be certified but also to know how those certifications can make a difference to their organisation. “The goal is not to get certified but to make the security posture stronger and stringent.”
In his closing remarks, Venkatesh advised startups to start by securing the application and then go on to widen the scope of their security initiatives. “The Application is the epicentre of any SaaS business. If you secure the application, you are essentially securing your SaaS business.”