Welcome to our blog.

XRP supply chain attack: Official NPM package infected with crypto stealing backdoor
By Charlie Eriksen (Malware, April 22, 2025)

Launching Aikido Malware – Open Source Threat Feed
By Madeline Lawrence (News, March 31, 2025)

Malware hiding in plain sight: Spying on North Korean Hackers
By Charlie Eriksen (March 31, 2025)

New Aikido Security Features: August 2023
By Felix Garriau

In the last few weeks, we’ve released lots of new features and expanded support for different tool stacks. Most notably we’ve added support for scanning many container registries! Besides that:

  • We’ve added lots of new AWS rules
  • Autofix now also supports Python
  • We’ve improved our exploit reachability analysis to support PNPM

Expanding container registry support

Many containers run web-facing software such as Apache, Nginx, Python, Node.js or other runtimes. Keep them secure with Docker container scanning! Next to Docker Hub, Azure Container Registry, GCP Artifact Registry & AWS Elastic Container Registry, we’re now also supporting the following registries:

Aikido Security's container registry connection feature
Chances are, we’ll support your container registry 😉

GitLab container registry (Cloud & self-managed)

We now support GitLab’s Container Registry for Cloud & Self-Managed. As a GitLab Technology Alliance partner for Security, we couldn’t miss out on these features!

Read the docs to set up:

  • Container scanning for GitLab Container Registry
  • Container scanning for GitLab Self-Managed Container Registry

Digital Ocean container registry

DigitalOcean is a solid cloud solution that we couldn’t wait to support. We’re happy to say we now do so for containers!

Read the docs on how to set it up

Scaleway container registry

We’re proud to also do exploit scanning for Scaleway’s Container Registry, one of the few real European clouds!

Read the docs on how to set it up

Exploit reachability analysis improved

We've rolled out reachability analysis for PNPM lockfiles. To accomplish this at our standard of quality, we've made sure to cover many typical edge cases (aliasing, special version notation, etc.). This means our auto-triage engine gets rid of many false positives that others simply don’t.

If you’re using PNPM and using Aikido, you’re in luck! You’re using one of the only products in the industry with this level of noise reduction capabilities! 🎉

Image: example of Aikido Security's reachability analysis

AWS rules expansion

We’ve upgraded our AWS ruleset to include more relevant rules. We want to make sure you’re notified about issues that really matter. Some new rules include:

  • Checking for unused IAM credentials
  • SSL certificates that won't auto-renew
  • ECR repositories that do not auto-delete old images

Make sure to connect your AWS cloud to Aikido to check if you’ve got new findings.
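The first of those rules, unused IAM credentials, as an added example (not Aikido's rule engine): it reads the CSV that the IAM credential report provides (`aws iam get-credential-report`, decoded) and flags console passwords and access keys that are enabled but have not been used within a cutoff. The report rows, the 90-day cutoff and the reference date are constructed for the example; only the report columns the check needs are populated.

```python
"""Flag unused IAM credentials from an IAM credential report.

Added example (not Aikido's rule implementation). It parses the CSV produced
by `aws iam get-credential-report` and reports console passwords and access
keys that are enabled but have not been used within MAX_IDLE_DAYS. The report
rows below are constructed sample data, not output from a real account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_IDLE_DAYS = 90  # constructed policy value; pick what fits your rotation policy

# Constructed sample report: only the columns this check needs are populated.
# A real report has more columns; "N/A" and "no_information" mean the
# credential was never used, which is what the parser treats as "unused".
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2023-08-01T09:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2021-03-10T00:00:00+00:00,true,2023-08-15T10:00:00+00:00,true,2023-08-14T08:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2021-03-10T00:00:00+00:00,true,2023-01-02T10:00:00+00:00,true,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-06-01T00:00:00+00:00,false,no_information,true,2023-08-20T00:00:00+00:00,true,2022-12-01T00:00:00+00:00
"""

# Fixed reference "now" for the constructed data so results are reproducible.
NOW = datetime(2023, 8, 22, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Return an aware datetime, or None for N/A / no_information / empty."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def find_unused_credentials(report_csv, now=NOW, max_idle_days=MAX_IDLE_DAYS):
    """Return a sorted list of (user, credential) pairs that are enabled but
    unused for longer than max_idle_days, or never used at all."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        creds = [
            ("password", row["password_enabled"], row["password_last_used"]),
            ("access_key_1", row["access_key_1_active"], row["access_key_1_last_used_date"]),
            ("access_key_2", row["access_key_2_active"], row["access_key_2_last_used_date"]),
        ]
        for name, enabled, last_used in creds:
            if enabled != "true":
                continue  # disabled or not applicable (root password): nothing to rotate
            last = parse_timestamp(last_used)
            if last is None or last < cutoff:
                findings.append((row["user"], name))
    return sorted(findings)


if __name__ == "__main__":
    for user, cred in find_unused_credentials(SAMPLE_REPORT):
        print(f"{user}: {cred} is enabled but unused for more than {MAX_IDLE_DAYS} days")
```

A key that was never used is the most common finding in practice (created for a tool that was never wired up), which is why a missing last-used date counts as a hit rather than being skipped.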

Expanding autofix coverage: Python

With Aikido’s Autofix feature, you can create pull requests to fix vulnerabilities with just one click. We now also support Python! (Currently, this only applies to environments using requirements.txt, but not yet for poetry.lock files.) There’s nothing extra to configure. Just browse to a Python issue and find the Autofix button!

Image: Aikido Security's Autofix with one click

Read more on Autofix in our docs.

Try these out today

Log into your Aikido account to test these new features. Alternatively, you can request a demo from our team.

We would love to get your feedback on them. If any ideas come to mind, please don’t hold back - just let us know! We’re always available via the in-app chat. 😉

News
August 22, 2023
Aikido’s 2025 SaaS CTO Security Checklist
By Felix Garriau

SaaS companies have a huge target painted on their backs when it comes to security, and that’s something that keeps their CTOs awake at night. The Cloud Security Alliance released its State of SaaS Security: 2024 Survey Report and discovered that “58% of organizations report that they experienced an incident in the past two years”.

Chart showing the percentage of SaaS application security incidents from the Cloud Security Alliance State of SaaS Security: 2024 Survey Report

The importance of security is backed up by the results from Aikido’s consultation with 15 SaaS CTOs, in which “93% of CTOs ranked threat prevention importance 7 (out of 10) or higher.”

To help SaaS CTOs sleep better, we’ve created a comprehensive SaaS CTO Security Checklist. We’re confident that, if you follow it, and keep going back to it, you will make both your company and application 10x more secure.

Real risks for SaaS companies

CI/CD tools like GitHub Actions and CircleCI are prime hacker targets. Their frequent breaches grant access to clouds and lead to data exposure. A 2023 CircleCI breach compromised customer secrets, while a 2022 GitHub Actions exploit hit open source projects.

A startup's entire AWS environment was compromised via a basic contact form on their site. How? The form allowed SSRF attacks, granting access to IAM keys which were then emailed out. The attacker gained control of S3 buckets and environment variables.

These security breaches happened to real companies and had real effects. But they could have been prevented if they had invested more time and effort into improving their security practices.

SaaS CTO Security Checklist: 40+ items to guide you

Our deceptively simple checklist covers over 40 ways to harden security across your people, processes, code, infrastructure, and more. It's organized by business growth stage - bootstrap, startup, and scaleup - so you can find the security best practices relevant to your current phase. As you grow, our checklist will become your trusted guide and constant companion on the journey to security best practices for your SaaS company.

Each item on the list is designed to make you and your team think about security in the first place, then give you clear, concise instructions on what you can do to deal with the vulnerability. And each item is tagged so that you can be sure it applies to your company’s current stage.

The checklist is also divided into sections so that you can consider the needs of different parts of your company. Your employees are vulnerable to different threats than your code or your infrastructure, so it makes sense to look at them separately.

As you go through the list, you’ll undoubtedly find that some items don’t apply to you yet. But we recommend that you revisit the checklist regularly so that you don’t encounter any nasty surprises. Security doesn’t have to be scary, as long as you act to become more secure before something bad happens.

We’ve cherry-picked a few items to give you a sneak peek at the checklist. The final checklist contains over 40, so make sure you download your copy and get started on improving your security today.

Back up, then back up again

The first applies to all stages of company growth, and it’s absolutely vital. But then again, we’re sure you already back up regularly, right? Right?!

Image of SaaS CTO Security Checklist item: Back up, then back up again

Hire an external penetration testing team

Our next item is crucial for companies that are starting to scale up. Growth is going well, you’ve dealt with all the issues that are risks on the way up, but are you sure that your infrastructure is secure at all levels? That’s when it’s time to hire a penetration testing team!

Image of SaaS CTO Security Checklist item: Hire an external penetration testing team

Update your OS and Docker containers

This one is straightforward, but many developers cut corners here. Updating eats up sprint time while other tasks seem more urgent. But skipping updates leaves vital systems exposed to vulnerabilities. Stay diligent with patching and updating to avoid major headaches down the road.

Image of SaaS CTO Security Checklist item: Update your OS and Docker containers

Get everyone accustomed to basic security practices

The last item is relevant at all stages and it’s part and parcel of our checklist: the need to get everyone accustomed to basic security practices. Humans make mistakes. It’s inevitable. But if you get everyone thinking about security, those mistakes can be mitigated.

Image of SaaS CTO Security Checklist item: Get everyone accustomed to basic security practices

Download your free SaaS CTO Security Checklist

That’s just a handful of the essential tips covered in the checklist. We’ll also give you guidance on code reviews, onboarding and offboarding, DDoS attacks, database recovery plans, and much more.

Download Aikido’s 2025 SaaS CTO Security Checklist now and get started on hardening your app and getting your team thinking seriously about security. It’s never too late, or too early, no matter what stage your company is at.

Download the full SaaS Security Checklist

News
August 10, 2023
Aikido’s 2024 SaaS CTO Security Checklist
By Felix Garriau

SaaS companies have a huge target painted on their backs when it comes to security, and that’s something that keeps their CTOs awake at night. The Cloud Security Alliance released its State of SaaS Security: 2023 Survey Report earlier this year and discovered that “55% of organizations report that they experienced an incident in the past two years”.

Chart showing the percentage of SaaS application security incidents from the Cloud Security Alliance State of SaaS Security: 2023 Survey Report

The importance of security is backed up by the results from Aikido’s recent consultation with 15 SaaS CTOs, in which “93% of CTOs ranked threat prevention importance 7 (out of 10) or higher.”

To help SaaS CTOs sleep better, we’ve created a comprehensive SaaS CTO Security Checklist. We’re confident that, if you follow it, and keep going back to it, you will make both your company and application 10x more secure.

Real risks for SaaS companies

CI/CD tools like GitHub Actions and CircleCI are prime hacker targets. Their frequent breaches grant access to clouds and lead to data exposure. A 2023 CircleCI breach compromised customer secrets, while a 2022 GitHub Actions exploit hit open source projects.

A startup's entire AWS environment was compromised via a basic contact form on their site. How? The form allowed SSRF attacks, granting access to IAM keys which were then emailed out. The attacker gained control of S3 buckets and environment variables.
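The contact-form breach described above turns on one check the form was missing: a server that fetches a user-supplied URL must refuse to reach internal addresses, including the cloud instance metadata service that hands out IAM credentials. The following is an added example, not code from Aikido or from the affected startup. It assumes a hypothetical link-preview feature that fetches a URL from the form; the DNS table and the `validate_outbound_url` / `is_public_address` names are constructed for the example, and the resolver is injectable so the code runs offline (in production pass a resolver backed by `socket.getaddrinfo`).

```python
"""Reject outbound-request URLs that could reach internal services.

Added example, not code from Aikido or from the breached startup. A contact
form that fetches a user-supplied URL (for example to preview a link) must not
be allowed to reach the cloud instance metadata service or other internal
addresses. This check resolves the hostname first and rejects any URL whose
resolved address is private, loopback, link-local or otherwise non-public.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name table standing in for DNS during the example.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],  # the instance metadata address
    "db.corp.example": ["10.0.3.7"],
}


def fake_resolve(hostname):
    """Offline stand-in for DNS: returns a list of IP strings or raises."""
    if hostname not in FAKE_DNS:
        raise ValueError(f"unresolvable host: {hostname}")
    return FAKE_DNS[hostname]


def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def validate_outbound_url(url, resolve=fake_resolve):
    """Return (ok, reason). ok is True only if every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # IP literals are checked directly; names are resolved so that a DNS
        # name pointing at an internal address is caught as well.
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolve(host)
        except ValueError as exc:
            return False, str(exc)
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for url in ["https://example.com/page", "http://169.254.169.254/",
                "http://metadata.internal.example/", "file:///etc/passwd", "http://[::1]/"]:
        print(url, "->", validate_outbound_url(url))
```

Validating and then fetching leaves a window for a DNS answer to change between the two steps, so the fetch itself should connect to the address that passed the check (or repeat the check at connect time), and redirects must go through the same validation.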

These security breaches happened to real companies and had real effects. But they could have been prevented if they had invested more time and effort into improving their security practices.

SaaS CTO Security Checklist: 40+ items to guide you

Our deceptively simple checklist covers over 40 ways to harden security across your people, processes, code, infrastructure, and more. It's organized by business growth stage - bootstrap, startup, and scaleup - so you can find the security best practices relevant to your current phase. As you grow, our checklist will become your trusted guide and constant companion on the journey to security best practices for your SaaS company.

Each item on the list is designed to make you and your team think about security in the first place, then give you clear, concise instructions on what you can do to deal with the vulnerability. And each item is tagged so that you can be sure it applies to your company’s current stage.

The checklist is also divided into sections so that you can consider the needs of different parts of your company. Your employees are vulnerable to different threats than your code or your infrastructure, so it makes sense to look at them separately.

As you go through the list, you’ll undoubtedly find that some items don’t apply to you yet. But we recommend that you revisit the checklist regularly so that you don’t encounter any nasty surprises. Security doesn’t have to be scary, as long as you act to become more secure before something bad happens.

We’ve cherry-picked a few items to give you a sneak peek at the checklist. The final checklist contains over 40, so make sure you download your copy and get started on improving your security today.

Back up, then back up again

The first applies to all stages of company growth, and it’s absolutely vital. But then again, we’re sure you already back up regularly, right? Right?!

Image of SaaS CTO Security Checklist item: Back up, then back up again

Hire an external penetration testing team

Our next item is crucial for companies that are starting to scale up. Growth is going well, you’ve dealt with all the issues that are risks on the way up, but are you sure that your infrastructure is secure at all levels? That’s when it’s time to hire a penetration testing team!

Image of SaaS CTO Security Checklist item: Hire an external penetration testing team

Update your OS and Docker containers

This one is straightforward, but many developers cut corners here. Updating eats up sprint time while other tasks seem more urgent. But skipping updates leaves vital systems exposed to vulnerabilities. Stay diligent with patching and updating to avoid major headaches down the road.

Image of SaaS CTO Security Checklist item: Update your OS and Docker containers

Get everyone accustomed to basic security practices

The last item is relevant at all stages and it’s part and parcel of our checklist: the need to get everyone accustomed to basic security practices. Humans make mistakes. It’s inevitable. But if you get everyone thinking about security, those mistakes can be mitigated.

Image of SaaS CTO Security Checklist item: Get everyone accustomed to basic security practices

Download your free SaaS CTO Security Checklist

That’s just a handful of the essential tips covered in the checklist. We’ll also give you guidance on code reviews, onboarding and offboarding, DDoS attacks, database recovery plans, and much more.

Download Aikido’s 2024 SaaS CTO Security Checklist now and get started on hardening your app and getting your team thinking seriously about security. It’s never too late, or too early, no matter what stage your company is at.

Download the full SaaS Security Checklist

News
August 10, 2023
15 Top Cloud and Code Security Challenges Revealed by CTOs
By Felix Garriau

We’ve consulted with 15 SaaS CTOs about their cloud and code security challenges and concerns. Why?

  • SaaS CTOs all face challenges in securing their product. We wanted to find those trends and discover their needs and worries.
  • Customer research is essential for any startup’s success, and Aikido is no different! In fact, we love finding out what customers have to say.
  • From the start, we’ve been focused on designing and evolving our security tools based on what’s most important for our customers.

Here at Aikido, we believe in open knowledge sharing, so now it’s time to pass on what our consultations have discovered and uncovered.

About our cloud and code security consultation

The CTOs we consulted are from cloud-native software startups with between 51 and 500 employees. We focused on these cloud and code security topics:

  • the priority they give to preventing threats
  • blockers to preventing threats
  • their satisfaction levels with current solutions
  • what other solutions they’ve used and their flaws
  • challenges they face
  • their requirements and desired outcomes
  • features they value, and
  • what they want to accomplish in the future.

How important is preventing cloud and code security threats to you?

Let’s start with the level of priority the CTOs give to preventing security threats. Our evidence shows that CTOs give a high level of priority to threat prevention. The average rating is 8.27 (out of 10). 93% of CTOs ranked threat prevention importance 7 or higher. 8 was the most popular response, and 10 was the second-highest choice.

What gets in the way of preventing cloud and code security threats effectively?

As much as CTOs would like to prevent cloud and code security threats, some blockers create obstacles to success. The top three blockers were competing priorities, budget, and complexity.

Chart: what blocks effective security threat prevention? 40% of SaaS CTOs say 'competing priorities in the company'.

Competing priorities

The top response: competing priorities (40%). What does this mean regarding security challenges? Although the CTOs view security as a high priority, there are other equally or potentially even more important concerns within a company. For example, the race to bring out new features vs. the security issues around those is the cybersecurity balancing act.

‘Since security is often a good long-term investment but has less impact during the day-to-day, it is easy to deprioritize the work.’

Budget constraints

The second blocker was budgeting constraints (33%). The main challenge lies in proving the ROI that security measures bring to the business. Or, as one CTO puts it, ‘Making the business case for investing in cloud security.’ This can also relate to the day-to-day deprioritization mentioned above.

Complexity

Complexity takes the bronze (27%). The issue here is that there are so many potential threats. Prioritizing them becomes burdensome and challenging. This can be overwhelming and consequently, it’s easy to lose sight of the biggest threats.

‘Many scanning solutions can identify mountains of issues for things like open source libraries and their dependencies. It's hard to determine which should be prioritized and which have a real threat in how we use them.’
The challenge of knowing which security threats to prioritize, and which are even real.

How satisfied are you with your current solutions to prevent code and cloud security threats?

Grade D. The average rating is 6.4 and a third of the CTOs ranked their satisfaction with current solutions at 5 or under. Only 20% were highly satisfied with an 8 or 9 while 0% reported a perfect 10. The key here is to compare this to the much higher level of priority they give to threat prevention. We find a noticeable and worrying gap between importance and satisfaction.

Which other security solutions do you use and what are their flaws?

Current security solutions include a wide range of what’s available on the market. CTOs mentioned 11 products; SonarQube was the most widely used (33%). Beyond that, not more than 13% of CTOs were using the same products at the time of our survey.

Pricing and pricing models

40% of CTOs indicated that the biggest flaw concerns high pricing and pricing models. One CTO reports an astronomically high price tag, ‘paying for software today in the order of six figures.’ Another one questions the long-term viability of pricing by line: ‘Pricing models that follow the number of code lines is a cause of concern for the future.’

False positives

33% flagged up false positives - alerts that erroneously identify a vulnerability or malicious activity. We can all relate to the frustrations here: alert fatigue and wasted resources that come out of false positives.

Further flaws with current solutions

Other flaws include challenges around assessing risk, complex setup and maintenance, no tech stack fit, and limited protection.

One CTO pinpoints the frustrations around the need to employ multiple security solutions:

‘I don't know of any solution that covers multiple scenarios, meaning that my expectation as a CTO would be that the SaaS we currently use for automated security scans of our codebase is surely not going to be the same as a solution that assures compliance with one of our cloud providers.’

What do we learn from what CTOs think about current flaws in security software?

Here’s the main takeaway. CTOs are looking for a one-stop shop for cloud and code security software, featuring:

  • reasonable pricing
  • a lack of false positives
  • a straightforward setup, and
  • hassle-free maintenance.

What are the biggest challenges with securing code and cloud?

Current top challenges for SaaS CTOs are opposition within the company, too much information to deal with, evolving threats, and the complexity of having full coverage.

Internal opposition

40% said the main challenge is internal: lack of awareness or other priorities means limited resources. This verifies their top two threat prevention blockers mentioned earlier (priorities and budget).

‘The biggest challenge is turning the organizational mindset around and getting them to understand that security is a feature and that we must continuously invest in it.’

Change management is notoriously difficult. And raising awareness to make meaningful changes to attitude and strategy can be even more of an uphill challenge.

Too much noise

Information overload is a real thing. 27% of CTOs report that triaging through the noise is the next biggest challenge. It’s not easy to understand which threats to prioritize or explore, nor how to deal with them. Again, if false positives are in the mix, there may be some dead ends, inefficiencies, and misguided labor.

‘There seems to be unlimited data in the logs, but no way to manage what they all mean and by who and how they should be addressed.’

Threat evolution, coverage, and complexity

Threat evolution, coverage, and complexity were ranked as lower-level challenges. However, they still confirm some of the blockers and flaws identified earlier in the survey.

Security threats are not stagnant - they evolve and tend to stay a step ahead of security solutions. This means your vulnerabilities are also evolving, and it may feel a bit like a game of whack-a-mole at times.

‘Attackers are becoming more sophisticated in their methods, and new vulnerabilities are discovered on a regular basis.’

CTOs further pointed out challenges confirming some of the flaws identified with their current solutions. They report receiving incomplete coverage, which creates a false sense of security. And in the security business, that’s just not good enough!

‘While they try to provide a sense of safety, I'm concerned that they are not actually protecting us against the majority of threats.’

Incomplete coverage is linked to the need, or perception of need, for a patchwork of various solutions:

‘There are too many moving parts. From actual initial development systems and software, CICD process to application infrastructure and data repositories, … they do not fit into a holistic security posture solution approach.’

What are CTOs’ desired business outcomes? What matters most to CTOs about cloud and code security?

We asked these two questions to find out what their strategic objectives were and what matters most to achieve those.

Desired outcomes

CTOs ranked the top three strategic outcomes like this:

  1. Protecting brand reputation and customer trust (47%)
  2. Sensitive data is protected, meaning no data breaches (33%)
  3. Being covered for compliance (20%)

What matters most?

And, to achieve these desired outcomes, what mattered most to CTOs were these (respondents could choose more than one option for this question):

  1. Low maintenance (53%)
  2. Reliability / No false positives (40%)
  3. Clear and effective reporting (33%)

Do you notice what we notice? These are similar takeaways to what we learned from the question about current security solution flaws.

Chart: what matters most to achieve strategic outcomes? 53% of CTOs say 'Low maintenance' for their cloud and code security solution.

But what about pricing?

Note, though, that clear and effective reporting takes the place that reasonable pricing held in the list of flaws above. Contradicting the comments and choices about price and budget earlier in the survey, only 7% prioritized pricing in this question. What could that mean?

Let’s unpack the pricing perplexity. We interpret this to mean that price is a challenge and blocker when the security software does not deliver to expectation. But, if the security solution is accurate, easy to maintain, demystifies complexity with straightforward reporting, and in turn helps achieve the higher objectives of protecting brand reputation, creating customer trust, and keeping data safe while meeting compliance standards, pricing becomes less of a blocker and easier to justify.

The most important features when choosing cloud and code security software

We also asked the SaaS CTOs about which technical features are most important to them. They ranked five statements as follows (scores out of 4):

  1. Cloud Misconfiguration Detection - 3.67 (33% ranked this first)
  2. Open Source Vulnerability Scanning - 3.53 (33% ranked this first)
  3. Secrets Detection (API keys, passwords, certificates, etc.) - 3.53 (over 53% ranked this second)
  4. Static Code Analysis via CI/CD platforms - 2.93
  5. Open Source License Scanning - 1.33 (80% ranked this last)

Which of these security features are the most important for you? Are there others you’d like to see in your security solution?

Want a product that solves your cloud and code security challenges?

Above all, when asked what they’d like to accomplish moving forward, CTOs ranked the following statement the highest:

‘I want to feel completely secure from cloud and code security threats.’

This is music to our ears. Willem, our CTO, struggled with exactly that at his previous companies. That pain point put him on a mission to create the right solution. So that’s precisely what we’re building with Aikido.

Our solution brings together the best-of-breed open-source software security tools. This enables you to cover all the relevant areas. Aikido also shows you which issues and vulnerabilities really matter and which ones you should actually solve. No false positives here!

See for yourself how Aikido can relieve a CTO’s cloud and code security challenges. Take Aikido for a free test drive or get in touch with us.

Engineering
July 25, 2023
What is OWASP Top 10?
By Willem Delbare

In the rapidly shifting digital landscape, application security is a necessity. One of the most effective ways to bolster your application’s security is by evaluating it with the OWASP Top 10. But what exactly is the OWASP Top 10, and why should it matter to you?

OWASP Top 10: a framework for web security

The Open Web Application Security Project (OWASP) is a nonprofit foundation that strives to make software on the web more secure. Their Top 10 is a widely recognized report that outlines the 10 most critical web application security risks. It’s essentially a checklist of the most common weaknesses that could make your application a target for cyber threats.

Why should you care about the OWASP Top 10?

The OWASP Top 10 is all about risk management. Addressing the vulnerabilities highlighted in the OWASP Top 10 helps you mitigate the risk of a security breach, develop safer code, and create a more secure application.

Following the OWASP Top 10 is also a smart move to adhere to regulatory standards and give users faith in your commitment to security best practices. If your application handles sensitive data, your users want to know that it is safe.

The OWASP checklist is updated about every three or four years and the last update was in 2021. Some consolidation, renaming, and rearranging occur each time, as vulnerabilities and threats rise and fall in severity. Being aware of current dangers can help you to know where to start and what critical risks need immediate attention.

Let’s take a look at the most recent checklist.

OWASP Top 10 Web Application Security Risks

1. Broken Access Control

Restrictions on what authenticated users are allowed to do are often not enforced. Hackers can exploit these flaws to access unauthorized functionality and/or data. They might be able to access other user accounts, view sensitive files, modify or destroy data, and change access rights. They could even end up with admin rights to the entire system. The OWASP Top 10 stresses one essential rule here: except for public resources, deny by default.
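Deny by default in practice means two checks on every request: a function-level check (does this role get this route at all?) and an object-level check (does this user own this record?). The following is an added example, not from OWASP or from the page; the route policy, the `User` class, the orders table and the `authorize` function are constructed for the example. A route with no policy entry is refused rather than silently allowed, and ownership is checked explicitly instead of relying on record IDs being hard to guess.

```python
"""Deny-by-default authorization for an HTTP-style route table.

Added example, not from OWASP or the page. Every route must declare which
roles may call it; a route with no entry in the policy is refused, which is
the "deny by default" rule the OWASP Top 10 stresses. Per-user resources get
an owner check on top of the role check.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    roles: set = field(default_factory=set)


# Access policy: (method, path pattern) -> roles allowed. Anything absent is denied.
POLICY = {
    ("GET", "/public/status"): {"anonymous", "user", "admin"},
    ("GET", "/orders/{id}"): {"user", "admin"},
    ("DELETE", "/orders/{id}"): {"admin"},
    ("GET", "/admin/users"): {"admin"},
}

# Constructed sample records: order id -> owner user id.
ORDERS = {1: 7, 2: 42}


def match_route(method, path):
    """Return the policy key that matches this request, or None."""
    segments = path.split("/")
    for (pol_method, pattern) in POLICY:
        pat_segments = pattern.split("/")
        if pol_method != method or len(pat_segments) != len(segments):
            continue
        if all(p.startswith("{") or p == s for p, s in zip(pat_segments, segments)):
            return (pol_method, pattern)
    return None


def authorize(user, method, path):
    """Return True only if the request passes both the function-level and the
    object-level check; unknown routes and unknown roles are denied."""
    route = match_route(method, path)
    if route is None:
        return False                       # no policy entry: deny by default
    roles = user.roles if user else {"anonymous"}
    if not roles & POLICY[route]:
        return False                       # function-level: role not allowed here
    # Object-level check: non-admins may only touch their own orders.
    if route[1] == "/orders/{id}" and "admin" not in roles:
        try:
            order_id = int(path.rsplit("/", 1)[1])
        except ValueError:
            return False
        if ORDERS.get(order_id) != user.id:
            return False
    return True


if __name__ == "__main__":
    alice = User(7, {"user"})
    print(authorize(alice, "GET", "/orders/1"))         # own order: allowed
    print(authorize(alice, "GET", "/orders/2"))         # someone else's order: denied
    print(authorize(alice, "GET", "/admin/users"))      # wrong role: denied
    print(authorize(None, "GET", "/public/status"))     # public route: allowed
    print(authorize(alice, "GET", "/orders/1/export"))  # no policy entry: denied
```

Keeping the policy in one table also makes it reviewable: a new endpoint that nobody added to the table fails closed in testing instead of shipping open.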

2. Cryptographic Failures

Many web applications don’t properly protect sensitive data, such as credit cards, authentication credentials, health records, and other personal data. Attackers can steal or modify weakly protected data to conduct credit card fraud, identity theft, or other crimes. For businesses, intellectual property and other business secrets need to be kept safe. Make sure to evaluate the protection needs of data in transit and at rest. And regularly assess all protocols and algorithms for weaknesses.

3. Injection

Injection flaws occur when an application sends untrusted data as part of a command or query. Attackers can trick the interpreter into executing unintended commands or accessing unauthorized data, leading to data loss, corruption, or unauthorized access. Source code review will help you here, as will rigorous use of application security testing tools before deploying to production.
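What "untrusted data as part of a command or query" looks like in code, and the fix, as an added example (not from OWASP or the page): an in-memory SQLite database with constructed rows, a lookup that concatenates the input into the SQL text, and the same lookup with a bound parameter so the database treats the input as data rather than as part of the query.

```python
"""SQL injection: a string-built query beside its parameterized form.

Added example, not from the page. Uses an in-memory SQLite database with
constructed rows. lookup_vulnerable() shows how untrusted input becomes part
of the command; lookup_safe() passes the value as a bound parameter so the
database never interprets it as SQL.
"""
import sqlite3


def make_db():
    """Create the constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", 0),
        ("root", "root@example.com", 1),
    ])
    return conn


def lookup_vulnerable(conn, name):
    """Untrusted input concatenated into the query text: the injection flaw."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Same query with a bound parameter: the input is data, never SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # the classic textbook payload, constructed here
    print(lookup_vulnerable(conn, crafted))  # every row comes back
    print(lookup_safe(conn, crafted))        # nothing: no user has that literal name
```

The point a code reviewer checks for is the f-string (or `%`, `+`, `.format`) building SQL text; any query built that way from request data is a finding regardless of what the input validation upstream looks like.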

4. Insecure Design

OWASP firmly recommends that security needs to start before any coding takes place. Design or architectural flaws can doom an application even if it is securely implemented. This pre-coding phase needs to include more threat modeling, secure design patterns and principles, and reference architectures. It has to involve the balancing of business and technical requirements, alongside a cold, hard look at business risk profiling.

5. Security Misconfiguration

Misconfiguration risk refers to improper implementation of controls to keep application data safe, such as errors in security settings, software updates, server configuration files, or application features and pages. You can go a long way towards mitigating these risks by keeping a tight ship in the form of a minimal platform. Don’t include unnecessary features, frameworks, and components. The bottom line, according to the OWASP Top 10, is to disable default accounts and passwords, make sure that error handling doesn't reveal too much info, and keep everything patched and updated.

6. Vulnerable and Outdated Components

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, an attack can mean serious data loss or even a complete server takeover. You need to know the versions you’re using both on the client and server side, scan for vulnerabilities regularly, and keep track of security bulletins. But most importantly, OWASP says, don’t just patch every month or quarter, as this leaves your application exposed and at risk.

7. Identification and Authentication Failures

If your application’s authentication and session management functions are not implemented correctly, attackers can compromise passwords, keys, or session tokens, or exploit other implementation flaws to assume other identities. The OWASP Top 10 warns against weak passwords, reusing session identifiers, weak recovery processes, or permitting automated attacks. If you can, multi-factor authentication is the way to go here, along with a range of straightforward, common-sense authentication measures.

8. Software and Data Integrity Failures

Software and data integrity failures can happen when applications depend on untrusted sources, like plugins or libraries. Also, having insecure CI/CD pipelines can lead to unauthorized access or even system compromise. Another risk comes from auto-update features that don’t do enough to verify integrity, and from insecure deserialization of data structures. To prevent these risks, your team should use digital signatures. These can confirm the safety of software or data. Make sure to only use trusted repositories for libraries and dependencies. You should also implement software supply chain security tools to check for known vulnerabilities. OWASP suggests maintaining a review process for code and configuration changes and setting up proper access control for the CI/CD pipeline. Finally, don’t send unsigned or unencrypted serialized data to clients unless you’ve checked it for integrity or added a digital signature.
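The last point above (never accept serialized data back from a client without an integrity check) as an added example, not code from the post: the payload is serialized as JSON and authenticated with an HMAC tag, and the verifier rejects any token whose tag no longer matches. The key and the `tamper_with_role` helper are constructed for the demo; in practice the key comes from a secrets store and is rotated.

```python
"""Integrity-protected serialized data using HMAC-SHA256 (added example).

SECRET_KEY and the sample payload are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real deployment loads this from a secrets manager.
SECRET_KEY = b"constructed-demo-key-rotate-in-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def sign_payload(obj: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize `obj` deterministically and append an HMAC tag.

    The result is integrity-protected, not confidential: the client can
    read it, but cannot change it without invalidating the tag.
    """
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def verify_payload(token: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the decoded object if the tag verifies, else None.

    Uses hmac.compare_digest so verification time does not leak how many
    bytes of the tag were correct.
    """
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    # Only deserialize after the integrity check has passed.
    return json.loads(body)


def tamper_with_role(token: str, new_role: str) -> str:
    """Simulate a client editing the serialized body but keeping the old tag."""
    body_b64, tag_b64 = token.split(".", 1)
    obj = json.loads(_b64d(body_b64))
    obj["role"] = new_role
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return _b64e(body) + "." + tag_b64
```

The ordering inside `verify_payload` matters: the tag is checked before `json.loads` runs, so a forged body is never handed to the deserializer. That same ordering is what makes formats like `pickle` unsafe for untrusted input, since they execute code during deserialization before any check can happen.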

9. Security Logging and Monitoring Failures

Insufficient logging and monitoring, combined with missing or ineffective integration with incident response, allows attackers to attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Among other measures, the OWASP Top 10 suggests that you log all logins and failed logins, that warnings and errors generate clear log messages, and that logs are never stored only locally. Making logging and alerting events visible to a user is also a source of risk.
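What "log all logins and failed logins" buys you is detection, so here is an added example (not code from the post) of both halves: a structured login event that deliberately omits secrets, and a detector that runs over a handful of constructed JSON log lines and raises an alert when one source address racks up repeated failures across accounts within a short window. The log format, field names, IP addresses (from documentation ranges) and thresholds are all assumptions made for the demo.

```python
"""Structured login logging plus a failed-login burst detector (added example).

SAMPLE_LOG is constructed; the field names and threshold are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Constructed sample: one JSON object per line, as an app would ship to a SIEM.
SAMPLE_LOG = """\
{"ts": "2023-07-12T09:00:01", "event": "login_ok", "user": "alice", "src_ip": "198.51.100.4"}
{"ts": "2023-07-12T09:00:10", "event": "login_failed", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2023-07-12T09:00:25", "event": "login_failed", "user": "bob", "src_ip": "203.0.113.7"}
{"ts": "2023-07-12T09:00:40", "event": "login_failed", "user": "carol", "src_ip": "203.0.113.7"}
{"ts": "2023-07-12T09:01:05", "event": "login_failed", "user": "dave", "src_ip": "203.0.113.7"}
{"ts": "2023-07-12T09:01:30", "event": "login_failed", "user": "erin", "src_ip": "203.0.113.7"}
{"ts": "2023-07-12T09:02:00", "event": "login_ok", "user": "bob", "src_ip": "198.51.100.9"}
{"ts": "2023-07-12T09:15:00", "event": "login_failed", "user": "alice", "src_ip": "198.51.100.4"}
"""

# Fields that must never end up in a log line next to an auth event.
FORBIDDEN_FIELDS = ("password", "token", "session_id")


def log_event(event: str, user: str, src_ip: str, ts: str, **details) -> str:
    """Build one structured, secret-free log record as a JSON line."""
    for name in FORBIDDEN_FIELDS:
        details.pop(name, None)
    record = {"ts": ts, "event": event, "user": user, "src_ip": src_ip}
    record.update(details)
    return json.dumps(record)


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines and turn timestamps into datetime objects."""
    events = []
    for line in text.strip().splitlines():
        record = json.loads(line)
        record["ts"] = datetime.fromisoformat(record["ts"])
        events.append(record)
    return events


def detect_failed_login_bursts(events: List[dict], threshold: int = 5,
                               window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Alert once per source IP that reaches `threshold` failures inside `window`.

    Keying on the source address rather than the account catches password
    spraying, where each account sees only one failure.
    """
    alerts, recent, alerted = [], defaultdict(list), set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "login_failed":
            continue
        ip = e["src_ip"]
        # Sliding window: keep only failures still inside the window.
        recent[ip] = [x for x in recent[ip] if e["ts"] - x["ts"] <= window] + [e]
        if len(recent[ip]) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "src_ip": ip,
                "count": len(recent[ip]),
                "users": sorted({x["user"] for x in recent[ip]}),
                "first": recent[ip][0]["ts"].isoformat(),
                "last": e["ts"].isoformat(),
            })
    return alerts
```

Because the events carry a source address, a user, an outcome and a timestamp, the same records answer the incident-response questions later (who, from where, when, and whether they eventually got in), which is the "integration with incident response" the OWASP entry is about.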

10. Server-Side Request Forgery

Server-Side Request Forgery (SSRF) issues occur when a web app fetches data from a remote source without checking the user-given URL. This can let attackers trick an app into making requests to unwanted places, even past network security measures. OWASP believes that these issues are becoming more common as modern web apps often need to fetch URLs. The risks are becoming more serious because of the use of cloud services and complex systems. Again, the deny-by-default approach at the network access level is your friend here. And there are a range of application layer measures to take as well.
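One of the application-layer measures mentioned above, as an added example that is not code from the post: validate a user-supplied URL against an allowlist before fetching it, and separately check that a resolved address is publicly routable. The allowlisted hostnames are constructed for the demo. Nothing here performs DNS lookups or network requests, so it runs offline; in a real fetcher `is_public_ip` is applied to the address the resolver actually returned, immediately before connecting, because an allowlisted hostname can still resolve to an internal address.

```python
"""Deny-by-default URL validation against SSRF (added example).

ALLOWED_HOSTS is a constructed allowlist for the demo.
"""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Only these destinations are ever fetched on a user's behalf.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918 ranges, link-local 169.254.0.0/16 (where
    cloud metadata services typically live), multicast, reserved and
    unspecified addresses. Apply this to the *resolved* address.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is refused."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL or port"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        # "https://trusted@evil/" parses with hostname "evil"; refuse outright.
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP addresses are not allowed"
    except ValueError:
        pass  # not a literal address, continue with hostname checks
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    return True, "ok"
```

Returning a reason alongside the verdict is deliberate: rejected URLs are worth logging with that reason, since a burst of "literal IP addresses are not allowed" rejections is itself a useful detection signal.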

I’ve written a blog post about a real-life use case; feel free to check it out.

Why use OWASP Top 10?

The OWASP Top 10 is not just a list of problems—it’s a guide to solutions. Each item on the checklist includes a section on how to prevent the vulnerability and example attack scenarios that provide developers with practical steps to improve their application's security. Securing your application is an ongoing process and new threats emerge all the time. By staying vigilant and making security a priority, you can keep your application secure and your users safe.

And for companies, the OWASP Top 10 isn’t just a checklist—it's a conversation starter. It’s a tool that brings security to the forefront of the development process, fostering a culture of security awareness within your organization. By focusing on the OWASP Top 10, you’re not just enhancing your application’s security, you’re making security a core part of your development process.

Aikido gives you your OWASP Top 10 score in just a few clicks
Aikido automatically scans your environment and gives you your OWASP Top 10 score

If you’re a cloud-native company, Aikido now makes it easy for you to scan your development environment for OWASP Top 10 coverage. Our testing tools and security reports give you a clear OWASP Top 10 score and an analysis of the measures taken to prevent each vulnerability. You can share the reports with stakeholders and use them to get a quick snapshot of what security practices you need to focus on.

Scan your environment with Aikido right now to get your OWASP Top 10 score.

Guides
July 12, 2023
How to build a secure admin panel for your SaaS app
By Willem Delbare

How can you avoid common mistakes when building a SaaS admin panel? We’ll outline some pitfalls and potential solutions specifically for all you SaaS builders out there!

What happens when you’re building a SaaS app that has more than a few customers? At some point, the inevitable happens! Your sales and customer success people come to the development team with requirements like:

  • Show me which accounts are actively used
  • Allow me to enter a customer account for technical support
  • Enable or disable a specific feature flag for some account
  • Some users cannot log in, can you tell me what method they use to authenticate?
  • I have a reseller and they need access to their subaccounts
  • I need to extend a free trial for an account
  • An account needs a specific config that only customer success agents should be able to set up
  • Show me the total MRR for a specific group of customers.

A variety of tools can cover some of these use cases. PLG tools like Segment and journy.io can track activity. Maybe you use a feature flag service such as LaunchDarkly. Stripe or Chargebee might manage some of the billing-related aspects. Meanwhile, problems related to authentication might be visible in your Auth0 account. However, it’s unlikely that you’re using all these platforms. Even if you are, you probably can’t cover some use cases.

The solution is building a custom admin panel. There seem to be some frameworks and commercial services available to start quickly. But how do you go about picking one vs building your own from scratch?

Avoid admin panels built into your app

As a first principle, we’d advocate avoiding any admin panel injected into your main app’s code, as ActiveAdmin does. This has many disadvantages:

  • New admin API routes can usually be discovered from your app’s client code, which gives attackers something to probe
  • You’ll likely end up with multiple types of users inside of one codebase, complicating access control reviews
  • Adding extra protection features, such as restricting access from a single IP address, will be a lot harder
  • If there’s a critical issue detected in the admin panel code, it’s harder to take it offline without taking your app offline.

Apps that do not follow this principle have a higher chance of ending up in Slashdot stories. Here’s one: https://yro.slashdot.org/story/23/01/09/221207/researchers-track-gps-location-of-all-of-californias-new-digital-license-plates. Notably, this story demonstrates that it’s possible to upgrade a user account to a super admin account that can view data from other users.

Pick an admin panel with a user action audit log

In case it has to be said, that means your admins will need to authenticate with separate user accounts. (No logging in with a shared password using support@app.io!) What’s the advantage of this? If any sensitive account settings are updated, you can find out later who made the change.
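An added example of the audit log described above (not code from the post): every admin action is recorded against an individual admin identity, entries are hash-chained so that later edits to the log are detectable, and a lookup answers "who changed this account?". The action names, target identifiers and timestamps are constructed for the demo.

```python
"""Tamper-evident admin action audit log (added example).

Admin ids, actions, targets and timestamps are constructed for the demo.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64


class AuditLog:
    """Append-only log where each entry commits to the hash of the previous one."""

    def __init__(self) -> None:
        self.entries: List[dict] = []
        self._prev_hash = GENESIS

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(
            json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        ).hexdigest()

    def record(self, admin_id: str, action: str, target: str,
               details: Optional[dict] = None, ts: Optional[str] = None) -> dict:
        """Append one entry. A shared or empty identity is refused outright."""
        if not admin_id:
            raise ValueError("audit entries require an identified admin user")
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "admin_id": admin_id,
            "action": action,
            "target": target,
            "details": details or {},
            "prev_hash": self._prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (ok, index of first bad entry or None)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return False, i
            prev = e["hash"]
        return True, None

    def who_changed(self, target: str) -> List[Tuple[str, str, str]]:
        """Answer the support question: who touched this account, and when?"""
        return [(e["admin_id"], e["action"], e["ts"])
                for e in self.entries if e["target"] == target]
```

The hash chain does not stop a privileged insider with write access to the store from rewriting history, but it does mean the rewrite is detectable, and it pairs well with shipping the log to a separate system the admin panel itself cannot modify.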

Enforce at least 2FA (or 3FA) to authenticate admin users

Choose an admin panel solution that allows you to add extra factors on top of 2FA such as IP restrictions or access via other zero-trust solutions.

Secure admin panel checklist:

  • Avoid admin panels built into your app.
  • Pick an admin panel with a user action audit log.
  • Enforce at least 2FA (or 3FA) to authenticate admin users.

Bonus: Use Content Security Policy (CSP) headers to block unknown javascript

Blocking unknown JavaScript is critical, especially on internal admin portals. Below is an example of how Apple was vulnerable to an email injection vulnerability, which could have been mitigated with simple CSP headers.

This tweet reminded me of a time when I was hacking on Apple's bug bounty program. I found, of all things, a base64 encoded Harry Potter quote on an internal iCloud account debug and administration page. This is the first time I'm sharing this, as more than 90 days have passed… https://t.co/CBc8QC5y3i pic.twitter.com/BNauDq7w01

— Sam Curry (@samwcyo) December 24, 2023

Concluding thoughts on building a secure admin panel

Yes, it’s possible to build a safe admin panel for your app. You’ll have to pick either a framework or an existing SaaS or low-code solution to help you get started. As long as you keep it separate from your main app and have it communicate with your main app over private APIs, you should be good to go.

Aikido is an all-in-one application security tool. Want to see if your app is secure? Start scanning for free.
