SaaS Security Checklist: 50+ Must-Haves for Every Stage (2026)
DesignRevision Editorial
· SaaS, frontend & developer tooling
In 2025, 67 percent of SaaS security incidents traced back to misconfigurations. Not sophisticated zero-day exploits. Not state-sponsored attacks. Simple misconfigurations: an S3 bucket left public, an API endpoint without authentication, an admin account without MFA.
The LastPass breach started with a compromised developer password. The Okta breach started with a stolen session token. The CircleCI breach started with an exposed API key. Every major SaaS security failure in the past three years began with something that a checklist would have caught.
This SaaS security checklist covers 50+ items across six categories, organized by priority. It is not theoretical. Every item maps to a real attack vector that has breached a real SaaS company. Whether you are pre-launch or processing millions in transactions, work through this list from top to bottom and close the gaps.
The average SaaS data breach costs 5.2 million dollars according to IBM's 2025 report. A checklist costs nothing.
Key Takeaways
If you remember nothing else:
- Misconfigurations cause 67% of SaaS breaches - most are preventable with basic security hygiene
- Start with authentication (MFA, SSO, RBAC) and encryption (AES-256, TLS 1.3) before anything else
- Multi-tenant isolation at the database level is non-negotiable for any SaaS handling customer data
- SOC 2 Type II is required for enterprise B2B sales - start preparing at least 6 months before you need it
- Automate security scanning in CI/CD rather than relying on periodic manual audits
- Every checklist item maps to either OWASP Top 10 or a documented SaaS breach
- Security is not a feature you ship once - it is a continuous process with quarterly reviews
Table of Contents
- How to Use This SaaS Security Checklist
- Authentication and Access Control (12 Items)
- Data Protection and Encryption (10 Items)
- Infrastructure Security (9 Items)
- Application Security (11 Items)
- Compliance and Governance (8 Items)
- Monitoring and Incident Response (8 Items)
- SaaS Security Tools Compared
- The Priority Matrix: What to Implement First
- Conclusion
How to Use This SaaS Security Checklist
This checklist is organized into six categories. Within each category, items are ordered by priority: critical items first, then important, then recommended.
Priority levels:
- Critical - Must have before handling any customer data. A gap here is an active vulnerability.
- Important - Should have before scaling beyond early adopters. Required for enterprise sales.
- Recommended - Best practice for mature SaaS products. Differentiates security-conscious companies.
Work through each category sequentially. If you are building a new SaaS product, start with authentication and data protection before touching infrastructure or compliance. If you are auditing an existing product, use the checkboxes to identify gaps.
Authentication and Access Control
Authentication is where 20 percent of SaaS breaches begin. Stolen credentials were the attack vector in the Okta, Twilio, and CircleCI incidents. Lock this category down first.
Critical:
- Enforce MFA for all user accounts. Support TOTP (authenticator apps) and WebAuthn (hardware keys). SMS-based MFA is better than nothing but vulnerable to SIM swapping. The Twilio breach exploited MFA fatigue, where attackers sent repeated push notifications until a user approved one.
- Implement SSO via SAML 2.0 or OIDC. Enterprise customers will require this. Use providers like Clerk, Auth0, or Okta rather than building from scratch. See our auth provider comparison for detailed tradeoffs.
- Configure RBAC with least-privilege defaults. Every user should start with the minimum permissions required. Admin access should require additional verification. Never use shared admin accounts.
- Set session timeouts and token expiration. JWT tokens should expire within 15 to 60 minutes. Refresh tokens should have a maximum lifetime of 7 to 30 days. Implement absolute session timeouts that force re-authentication.
- Enforce strong password policies. Minimum 12 characters, no reuse of the last 10 passwords. Check against breach databases using the Have I Been Pwned API. Hash with Argon2id or scrypt, never MD5 or SHA-1.
Important:
- Implement account lockout after failed attempts. Lock accounts after 5 to 10 failed attempts with exponential backoff. Alert users of failed login attempts from new locations.
- Log all authentication events. Track successful logins, failed attempts, password changes, MFA enrollment, and session creation. Retain logs for at least 12 months.
- Support API key rotation. API keys should be rotatable without downtime. Set maximum key lifetimes and alert on keys approaching expiration. The CircleCI breach exploited long-lived API keys that were never rotated.
- Implement IP allowlisting for admin access. Restrict admin panel access to known IP ranges or require VPN. This prevents credential stuffing attacks against admin endpoints.
Recommended:
- Deploy passwordless authentication. Magic links, passkeys, and WebAuthn provide stronger security than password-based authentication and better user experience.
- Add device trust verification. Track known devices and require additional verification for new devices or unusual access patterns.
- Implement just-in-time (JIT) provisioning. Automatically create user accounts on first SSO login and deprovision when removed from the identity provider. This eliminates orphaned accounts.
Data Protection and Encryption
Data protection is non-negotiable. The LastPass breach demonstrated what happens when encrypted data falls into attacker hands: even with encryption, weak implementation (low-iteration password hashing) can still lead to compromise.
Critical:
- Encrypt all data at rest with AES-256. Use FIPS 140-2 validated encryption modules. Enable transparent data encryption at the database level and application-level encryption for sensitive fields (PII, payment data, health records).
- Enforce TLS 1.3 for all data in transit. Disable TLS 1.0 and 1.1 completely. Use HSTS headers with a minimum max-age of one year. Include preload directive for HSTS lists.
- Implement envelope encryption with managed KMS. Use AWS KMS, GCP CMEK, or HashiCorp Vault for key management. Rotate data encryption keys annually. Never store encryption keys alongside encrypted data.
- Implement multi-tenant data isolation. Use row-level security at the database level, not just application-level WHERE clauses. A bug in application code should not expose one tenant's data to another.
Important:
- Classify data by sensitivity level. Tag data as public, internal, confidential, or restricted. Apply security controls proportional to classification. PII and payment data require the strictest controls.
- Encrypt all backups with separate keys. Use immutable backup storage (write-once, read-many) to prevent ransomware from encrypting backups. Test backup restoration quarterly.
- Implement field-level encryption for PII. Encrypt email addresses, phone numbers, and personal identifiers at the application level before storage. This provides defense-in-depth beyond database encryption.
- Configure data retention and deletion policies. Define retention periods by data type. Implement hard deletion (not just soft delete) for expired data. Support customer data export and deletion requests for GDPR compliance.
Recommended:
- Implement client-side encryption for sensitive uploads. Encrypt files before they leave the user's browser for maximum protection.
- Use tokenization for payment data. Replace sensitive payment information with tokens using Stripe or a PCI-compliant tokenization service. Never store raw card numbers. See our Stripe integration guide for payment security best practices.
Infrastructure Security
Infrastructure misconfigurations are the single largest attack vector, responsible for 67 percent of SaaS breaches. Most are preventable with proper configuration management.
Critical:
- Deploy a web application firewall (WAF). Cloudflare, AWS WAF, or Imperva block common attack patterns (SQL injection, XSS, path traversal) at the network edge before requests reach your application.
- Enable DDoS protection. Use cloud-native DDoS mitigation from your hosting provider or a dedicated service. Configure rate limiting at the infrastructure level in addition to application-level limits.
- Centralize secrets management. Store all secrets (API keys, database credentials, encryption keys) in AWS Secrets Manager, HashiCorp Vault, or equivalent. Never commit secrets to version control. Scan repositories for accidentally committed secrets using tools like TruffleHog.
Important:
- Segment networks with VPCs. Isolate production, staging, and development environments. Database servers should not be accessible from the public internet. Use private subnets with NAT gateways for outbound traffic.
- Scan container images for vulnerabilities. If using Docker or Kubernetes, scan images with Snyk, Aqua Security, or Trivy before deployment. Block deployments with critical vulnerabilities.
- Implement infrastructure as code (IaC). Use Terraform, Pulumi, or CloudFormation to define infrastructure. Scan IaC templates for misconfigurations with Checkov or tfsec before applying.
- Configure automated patching. Enable automatic security updates for OS packages and runtime dependencies. Maintain a 48-hour SLA for critical vulnerability patches.
Recommended:
- Adopt zero-trust networking. Verify every request regardless of network location. Use mutual TLS between services and implement service mesh policies.
- Enable immutable infrastructure. Deploy new instances rather than patching running servers. This prevents configuration drift and ensures reproducible environments.
Application Security
Application vulnerabilities are the OWASP Top 10 in action. Every item here maps to a documented attack pattern that has compromised real SaaS products.
Critical:
- Validate and sanitize all user input. Use allowlist validation (define what is allowed) rather than blocklist validation (define what is blocked). Validate on the server side, never rely on client-side validation alone. Use validation libraries like Zod or Joi.
- Use parameterized queries for all database operations. ORMs like Prisma or Drizzle handle this automatically. Never concatenate user input into SQL strings. See our Prisma vs Drizzle comparison for ORM security considerations.
- Implement Content Security Policy (CSP) headers. Define which scripts, styles, and resources can execute on your pages. A strict CSP prevents most XSS attacks even if injection vulnerabilities exist.
- Add CSRF protection to all state-changing requests. Use synchronizer tokens or the SameSite cookie attribute. Framework-level CSRF protection (built into Next.js, Rails, Django) should be enabled by default.
Important:
- Implement rate limiting on all endpoints. Limit authentication endpoints to 5 to 10 requests per minute per IP. Limit API endpoints based on your plan tiers. Return 429 status codes with Retry-After headers.
- Secure API endpoints with OAuth 2.0 or API keys. Authenticate every API request. Use scoped API keys with the minimum required permissions. Log all API access for audit trails.
- Set security headers on all responses. Include X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and Permissions-Policy to disable unused browser features.
- Implement dependency scanning in CI/CD. Use Snyk, Dependabot, or npm audit to catch vulnerable dependencies before deployment. Block merges with critical vulnerabilities.
Recommended:
- Run SAST (Static Application Security Testing). Tools like Semgrep or CodeQL scan source code for security patterns. Integrate into pull request checks.
- Run DAST (Dynamic Application Security Testing). Tools like OWASP ZAP or Burp Suite test running applications for vulnerabilities. Schedule weekly scans against staging environments.
- Implement request signing for webhooks. Sign outbound webhooks with HMAC-SHA256 so recipients can verify authenticity. Verify signatures on all inbound webhooks.
Compliance and Governance
Compliance is not just about checking boxes. SOC 2 certification is increasingly table stakes for B2B SaaS sales, and GDPR non-compliance carries fines up to 4 percent of global revenue.
Critical:
- Implement comprehensive audit logging. Log all data access, modifications, deletions, and admin actions. Include who, what, when, where, and why. Retain audit logs for a minimum of 12 months in immutable storage. Use structured logging (JSON format) for searchability.
- Create and publish a privacy policy. Document what data you collect, how you use it, how long you retain it, and how users can request deletion. Update with every significant product change. Align with GDPR Article 13 requirements.
- Implement data processing agreements (DPAs). If you process data on behalf of customers (which most SaaS products do), have a signed DPA with every customer and every sub-processor. This is legally required under GDPR.
Important:
- Prepare for SOC 2 Type II. Start at least 6 months before you need certification. Use compliance automation platforms like Vanta or Drata to streamline evidence collection. Budget 20,000 to 50,000 dollars for the audit.
- Implement consent management for GDPR and CCPA. Track consent for data collection, marketing communications, and cookie usage. Support granular opt-out. Use OneTrust or build a lightweight consent layer.
- Conduct vendor risk assessments. Evaluate the security posture of every third-party service you use. Maintain a vendor inventory with data access levels. Review vendor SOC 2 reports annually.
Recommended:
- Define data retention schedules by data type. Align retention periods with regulatory requirements and business needs. Automate deletion of expired data.
- Conduct regular Data Protection Impact Assessments (DPIAs). Required under GDPR for high-risk processing. Assess new features before launch for privacy implications.
Monitoring and Incident Response
You cannot protect what you cannot see. Monitoring is the difference between detecting a breach in hours versus months. The average time to detect a SaaS breach is 204 days according to IBM. Strong monitoring cuts that to days or hours.
Critical:
- Deploy SIEM or centralized log analysis. Aggregate logs from all services into Datadog, Splunk, or an ELK stack. Create alerts for anomalous patterns: unusual login locations, bulk data exports, privilege escalations.
- Document an incident response plan. Define roles, communication channels, escalation paths, and decision authority. Follow the NIST Incident Response framework: Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned. Test the plan with tabletop exercises quarterly.
- Configure breach notification workflows. GDPR requires notification within 72 hours. Pre-draft notification templates for customers, regulators, and media. Know who approves external communications before a breach happens.
Important:
- Run continuous vulnerability scanning. Snyk, Nessus, or Qualys should scan your infrastructure and application weekly at minimum. Triage critical findings within 48 hours.
- Schedule annual penetration testing. Hire external pen testers to simulate real attacks. Test annually at minimum, semi-annually for fintech or healthcare SaaS. Budget 10,000 to 50,000 dollars per engagement.
- Implement intrusion detection (IDS/EDR). CrowdStrike Falcon or equivalent EDR on all endpoints and servers. Alert on known attack patterns and anomalous behavior.
Recommended:
- Set up bug bounty or vulnerability disclosure programs. Platforms like HackerOne or Bugcrowd let external researchers report vulnerabilities before attackers find them. Start with a vulnerability disclosure policy (VDP) before committing to paid bounties.
- Conduct security awareness training. Train all employees quarterly on phishing, social engineering, and secure development practices. The Twilio and Okta breaches both started with employee-targeted attacks.
SaaS Security Tools Compared
Here are the key tools across each security category. Select based on your stage and budget.
| Category | Tool | Starting Price | Best For |
|---|---|---|---|
| Auth/SSO | Clerk | $25/mo | Developer-first auth |
| Auth/SSO | Auth0 | Free tier | Flexible identity |
| Compliance | Vanta | ~$10K/yr | SOC 2 automation |
| Compliance | Drata | ~$10K/yr | Multi-framework |
| Scanning | Snyk | Free tier | Dependency scanning |
| Scanning | Semgrep | Free tier | SAST code analysis |
| Secrets | HashiCorp Vault | Open source | Secrets management |
| WAF | Cloudflare | Free tier | Edge security |
| Monitoring | Datadog | $15/host/mo | Full-stack observability |
| EDR | CrowdStrike | Custom | Endpoint detection |
For early-stage startups, start with free tiers: Cloudflare (WAF + DDoS), Snyk (dependency scanning), Semgrep (SAST), and your cloud provider's built-in KMS. This covers the critical items at zero cost.
If you are building your SaaS on Next.js, using a starter kit with pre-configured auth, RBAC, and security headers gives you a head start on the first two categories. Tools like Forge generate projects with secure defaults including CSRF protection, input validation, and proper session management baked in.
The Priority Matrix: What to Implement First
Not every item has equal urgency. Here is the order to tackle your SaaS security checklist based on risk and effort:
Week 1 (Day 1 to 5) - Stop the bleeding:
- Enforce MFA for all accounts
- Enable TLS 1.3 and HSTS
- Enable database encryption at rest
- Deploy a WAF (Cloudflare free tier)
- Move secrets out of code into a secret manager
- Add rate limiting to auth endpoints
Week 2 to 4 - Build the foundation:
- Implement RBAC with least privilege
- Set up row-level security for multi-tenancy
- Add CSP headers and security headers
- Implement input validation and parameterized queries
- Set up audit logging
- Configure dependency scanning in CI/CD
Month 2 to 3 - Harden and document:
- Deploy SIEM or centralized logging
- Write incident response plan
- Implement backup encryption and test restoration
- Conduct first vulnerability scan
- Draft privacy policy and DPA template
- Start SOC 2 preparation if selling to enterprise
Month 4 to 6 - Mature and certify:
- Complete first penetration test
- Achieve SOC 2 Type II (if applicable)
- Implement advanced monitoring and IDS
- Set up vendor risk management process
- Launch vulnerability disclosure program
This timeline assumes a small team (2 to 5 developers). Larger teams can parallelize across categories. The critical items in week one should be non-negotiable regardless of team size.
Conclusion
A SaaS security checklist is not a one-time project. It is an ongoing practice that evolves with your product, your customer base, and the threat landscape.
Start here:
- Print this checklist (or copy it to your project management tool) and audit your current state. Mark every item as done, in progress, or not started.
- Tackle the critical items first. MFA, encryption, WAF, secrets management, and input validation cover the attack vectors behind the majority of SaaS breaches.
- Schedule quarterly security reviews. Re-audit the checklist every 90 days. New features introduce new attack surface. New dependencies introduce new vulnerabilities.
The SaaS companies that avoid breaches are not the ones with the biggest security teams. They are the ones with consistent security practices applied across every layer of the stack. This checklist gives you the complete map. Now work through it.
Related resources:
Frequently Asked Questions
-
Misconfigurations are the leading cause of SaaS security incidents, responsible for 67 percent of breaches. Identity and access management flaws account for 46 percent, followed by supply chain attacks which are rising 20 percent year over year. Shadow SaaS usage affects 43 percent of organizations, where employees connect unauthorized apps that create unmonitored data flows. AI-enhanced phishing campaigns are also increasing, making credential theft more sophisticated. The most critical risks are over-privileged accounts and unmonitored API integrations that expose sensitive data without detection.
-
SOC 2 is an AICPA framework that audits your controls across five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Type I evaluates controls at a point in time. Type II evaluates controls over a period, typically 6 to 12 months. Not every SaaS needs SOC 2. It is essential for B2B products handling sensitive data or operating in regulated industries like fintech and healthcare. Enterprise buyers increasingly require it before signing contracts. Consumer-facing apps with low-risk data may not need formal certification, but the controls themselves are still good practice.
-
At minimum, conduct penetration testing annually. High-risk SaaS products in fintech or healthcare should test every 6 months or quarterly. You should also run tests after major code releases, infrastructure changes, or significant architectural updates. Automated vulnerability scanning with tools like Snyk or Nessus should run continuously in your CI/CD pipeline, catching common issues between formal pen tests. Align your testing schedule with NIST 800-53 RA-5 guidelines. Budget 10,000 to 50,000 dollars per engagement depending on scope.
-
Use AES-256 for data at rest with FIPS 140-2 validated modules. Use TLS 1.3 for data in transit with post-quantum resistant curves like X25519. Implement envelope encryption for key management through services like AWS KMS or GCP CMEK. Hash passwords with Argon2id or scrypt, never MD5 or SHA-1. For database-level encryption, use transparent data encryption in addition to application-level encryption for sensitive fields. Rotate encryption keys annually at minimum, and use hardware security modules for the most sensitive key material.
-
The IBM 2025 Cost of Data Breach Report puts the global average at 4.88 million dollars, up 10 percent year over year. SaaS-specific breaches average 5.2 million dollars due to customer churn and trust erosion. The Verizon DBIR 2025 reports that 28 percent of all breaches involve cloud and SaaS environments, with a median cost of 4.7 million dollars for credential theft incidents. Notable SaaS breaches include LastPass in 2022 where encrypted vaults were stolen, Twilio in 2022 where over 1 million phone numbers were exposed through MFA fatigue attacks, and CircleCI in 2023 where API keys were compromised affecting 150,000 users.
-
The OWASP Top 10 is a standard awareness document listing the most critical web application security risks. The current list includes Broken Access Control at number one, followed by Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and Server-Side Request Forgery. For SaaS specifically, multi-tenant isolation and API security are additional critical concerns beyond the standard Top 10. Every item on your SaaS security checklist should map to at least one OWASP risk category.
-
Use database-level policies like PostgreSQL Row Level Security to filter rows by tenant ID automatically. Create a policy that checks the current tenant context against each row tenant_id column. Set the tenant context per database session through middleware that extracts the tenant ID from the authenticated JWT claims. This ensures queries only return data belonging to the current tenant, even if application code has bugs. Always enforce tenant isolation at the database level rather than relying solely on application-level WHERE clauses. Audit your RLS policies regularly with EXPLAIN ANALYZE to verify they are applied correctly.
Join 50k+ subscribers
Web dev, SaaS, growth & marketing. Weekly.
Keep Learning
More articles you might find interesting.