New CS proposal: Multi-Tenant Application Security Cheat Sheet #1928
Description
What is the proposed Cheat Sheet about?
This cheat sheet will provide security checks for multi-tenant applications (systems that serve multiple customers (tenants) from shared infrastructure, database). This architecture is very popular modern SaaS platforms.
The cheat sheet will cover tenant isolation strategies, context management, database security patterns (row-level security, schema isolation), cache isolation, secure onboarding/offboarding, and cross-tenant attack prevention.
What security issues are commonly encountered related to this area?
Cross-Tenant Data Leakage
Broken Tenant Isolation
Insecure Direct Object References (IDOR)
Noisy Neighbor
Shared Resource Poisoning(Cache poisoning, message queue injection)
What is the objective of the Cheat Sheet?
The CS will provide actionable items for the multi-tenant applications like;
- Tenant isolation strategy
- Context Management
- DB Security, query filtering
- cache and storage isolation
- Onboarding/offboarding tenants
What other resources exist in this area?
- AWS SaaS Lens - Tenant Isolation - AWS-specific, infrastructure focused
- Azure Multi-Tenant Architecture Guide - Azure-specific patterns
- PostgreSQL Row Level Security Documentation - Database feature documentation, not security guidance
- NIST SP 800-144 Cloud Computing Security - High-level cloud security, not multi-tenant implementation
There is no vendor-neutral security cheat sheet.