LevelBlue + SentinelOne: Global Partnership to Deliver AI-Powered Managed Security Operations and Incident Response. Learn More

LevelBlue + SentinelOne: Global Partnership to Deliver AI-Powered Managed Security Operations and Incident Response. Learn More

Submit RFP
Request a Demo
Services
Cyber Advisory
Managed Cloud Security
Data Security
Managed Detection & Response
Email Security
Managed Network Infrastructure Security
Exposure Management
Security Operations Platforms
Incident Readiness & Response
SpiderLabs Threat Intelligence
View All Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Operational Technology
End-to-end OT security
Microsoft Security
Unlock the full power of Microsoft Security
Securing the IoT Landscape
Test, monitor and secure network objects
Why LevelBlue
About Us
We reduce cyber risk and build resilience
Awards and Accolades
The most recognized cybersecurity leader
LevelBlue SpiderLabs
Elite global threat experts and intelligence
PGA of America Partnership
Cybersecurity at the championship level
Secure What's Next
Future-proof your organization
LevelBlue Security Operations Platforms
Unprecedented security visibility and control
Security Colony
Cybersecurity threat protection resources
Partners
SentinelOne
Advancing integrated, intelligence‑driven security operations
Microsoft
Unlock the full power of Microsoft Security
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Partner Portal
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP

SaaS Security Best Practices to Keep in Mind

4 Minute Read by Kim Crawley

Software as a Service (SaaS) is huge. More and more developers are choosing SaaS as the delivery mechanism of their software and services, and more and more businesses are using it. Where you or your organization have internally-developed, SaaS-delivered applications, ensuring the security of those applications is critical to both the security of the data, and minimizing risks to your organization!

Web development has made leaps and bounds in functionality since Tim Berners-Lee invented the web in 1990. Now web applications serving SaaS offer functions like CAD software, DBMS software, payroll, accounting, record keeping, collaboration, enterprise resource planning, and more. With SaaS, the sky's the limit! But sensitive data often goes through the endpoints that users deal with, and the servers that drive SaaS. Protecting your SaaS development and production infrastructure from cyber-attacks is crucial. Following are best practices for when your company is ready to offer your own SaaS application. Keep in mind that these are some basics, rather than a comprehensive guide.

Security Controls

Your SaaS infrastructure should have built-in controls to manage user access and data in a secure way.

  • Data and application controls help to keep your data secure. There are different mechanisms you can employ:
    • Data encryption is a mechanism all SaaS systems should have. Whichever ciphers you use, the encryption keys should be managed and stored securely within a key management system (KMS), which can be as simple as a secure server that operates in your premises, with a trusted third party, or in some other physical or logical proprietary or open source solution. As much as possible, data should be encrypted, both when at rest (such as when it's stored on a disk) and while it's in transit.
    • Data loss prevention (DLP) mechanisms and policies should also be employed. There are two aspects to DLP, detection and action. DLP detection systems can look for certain keywords and phrases in transmitted text to determine if your corporation's sensitive data is being leaked to an unauthorized party or entity. There are also SaaS APIs you may implement in your development that can determine events such as when a file is opened, and by whom. All such events can be configured to appear in DLP logging. Then an administrator or SIEM solution can receive an alert, and decide if it's a false positive or a true positive. If a true positive incident is reported, the next step is action. Company security policy determines how to respond to incidents such as a sensitive file being emailed to an unauthorized party.
    • Never assume that just because your application runs through the cloud that you don't need to have your own backups. You can never have too many backups. What if something terrible happens to your web servers? Make sure the metadata of your files is included in your backups. Metadata plays a vital role in determining who created your files, how, and various permission and usage rights. To simplify your operations, there are third party backup services such as Spanning, Barracuda, and Backupify. Comparison shop carefully.
  • Identity and access management is just as important in your SaaS environment as it is in any of your other traditional applications hosted on your on-premises and corporate networks.
    • Make sure that each employee, user, or authorized contractor who is allowed to use your SaaS application has authentication credentials that are unique to them.
    • Where passwords are used, a password policy is just as important for SaaS as it is for everything else. Not only should complexity be enforced, but also passwords should be changed at least once every three months.
    • Where possible, there should also be an extra authentication vector, commonly referred to as two-factor authentication (2FA) or multi-factor authentication (MFA), such as a time delay code or a physical token such as a USB device.
    • Access controls are also important. Depending on the nature of your SaaS application, access rights can be determined by the user's role and network location. For example, a user may be denied access if they're outside of the company's network, such as on a home WLAN. Or they may need multifactor authentication if they're accessing their employer's SaaS application from home.
  • Implement logging and monitoring controls. Not only should you log authentication and access events, and DLP-related events, you should also log various other metrics related to SaaS use. In particular, watch for events (either through your own logging capabilities, or by implementing other security products such as a SIEM) such as when a user:
    • Tries to acquire access to a function they're not authorized for.
    • Uploads and/or downloads a lot more data than usual.
    • Connects from two very different geographic locations within an unrealistic time frame. For example, how could you log in from New York at 10am, and then log in from Los Angeles at noon?

Always Evaluate and Change

Most general cybersecurity widsom applies to SaaS as much as it does to all of your other computer technology systems.

More and more SaaS security controls and services are also transmitted through the cloud. From time to time, evaluate which security controls and systems should be done in house, or via third party cloud services. Choose your hosting providers and security vendors carefully, and look out for when they offer new products and services.

Penetration test your SaaS applications and infrastructure at least once or twice per year. Employ red teams, blue teams, and purple teams. (Blue teams penetration test from a defensive perspective, purple teams test both offensively and defensively.) Consider their findings carefully.

Evaluate all of your security policies and mechanisms every so often. Do so as at least as frequently as you hire penetration testing. Don't hesitate to spend money on employee training, networking, security testing, hardware, software.

Watch for OWASP's Top Security Issues

An extremely valuable resource to review while developing or enhancing your internally-developed, SaaS-delivered applications is the Open Web Application Security Project (OWAP), which has a list of the top security issues that web applications face. Be mindful of these issues (bulleted below), and make sure that you have mechanisms, applications, policies, and procedures to address them.

  • Malicious code injection via SQL, LDAP, and operating systems
  • Insecure authentication and session management
  • Data integrity vulnerabilities that enable cross-site scripting
  • Exposing references like files and directories insecurely
  • Cross-site request forgery
  • Poor database, operating system, and middleware configuration
  • Exposing sensitive data, such as authentication credentials, and personal information
  • Using components with known vulnerabilities
  • Access checks on the server side or inside business logic
  • Un-validated redirects and forwards

My tips should prepare you to design and implement a secure SaaS system. For further reading, I recommend Intel SaaS Security: Best Practices, Minimizing Risk in the Cloud whitepaper.

ABOUT LEVELBLUE

LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

How LevelBlue’s FedRAMP Authorization Removes the Burden of CMMC Federal Compliance from Clients
Building a Unified Security Program with LevelBlue MDR
Cybersecurity in Hospitality: Defending a Highly Distributed Enterprise

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo

Stay Informed

Sign up to receive the latest security news and trends straight to your inbox from LevelBlue.
© Copyright 2026