How Much is the Reputation of Your SaaS Provider Worth?
By Craig Balding
Baynote was just left shamefaced by the discovery of a basic Cross Site Scripting vulnerability in their ‘Social Search’ SaaS offering. As seems to be the trend, though, you won’t find this out from reading their blog, press releases, or other public areas of their website. Instead, you learn of it from El Reg or from the blog of the security researcher who discovered the bug – Russ McRee:
Following the principles of one flaw to rule them all, a single validation error in the q variable found in http://[Insert customer here].com/socialsearch/query?cn=[customer]&cc=us&q= led to numerous Baynote customers falling prey to cross-site scripting. [VIDEO HERE]
I don’t know if Baynote contacted their clients to explain (a) the ramifications of the flaw and (b) that they were making code changes in the background…but either way, I have a question:
Given that a Cross Site Scripting flaw can be exploited to attack the users of a website, where does that leave the visitors to the SaaS clients’ websites, who are potentially exposed to the flaw?
Along with the many benefits of SaaS services, you and your customers inherit the security bugs too. From a business perspective, we can begin the chorus of wailing and gnashing of teeth as we are reminded that a single vulnerability in a multi-tenant application exposes all the tenants. But what about the customers of the tenants? Surely, the end-user is the real victim!
The positive side of this particular story is that Baynote moved quickly to fix the flaw.
The other angle on this incident is the disparity between the security claims a SaaS/Cloud provider makes and the reality.
A quick Google site search of Baynote.com for the word ‘security’ brings up this:
When a provider's primary website property is vulnerable to a basic XSS attack, what do you make of statements like this?