
SaaS Security Checklist: The 10 Things Software Publishers Must Do

7 min read · Updated April 2026

Software publishers and SaaS companies face unique and serious cyber threats, from code breaches to customer data leaks. You don't need a large security team or an endless budget to protect your platform. With about four hours and the right tools, you can drastically reduce your risks. Here's a practical, ranked list of what actually matters for your software business.


The quick answer

The five steps that prevent most SaaS breaches: use a password manager for all developer and admin accounts, enable two-factor authentication on cloud and source code platforms, train your team to spot phishing, keep server and developer software updated, and back up your code and customer data automatically. Everything else on this list is secondary to these five.

1. Password manager and unique passwords

Every account – especially those for source code repositories (like GitHub, GitLab), cloud hosting (AWS, Azure, Google Cloud), CI/CD pipelines (Jenkins, CircleCI), and sensitive internal tools – needs a unique, strong password. A single reused password is the fastest way for hackers to get into your critical systems. Set this up immediately. Services like 1Password Business, Bitwarden Teams, or Dashlane Business are designed for teams and can be set up in under an hour, securing all your developer and admin logins.

2. Two-factor authentication on critical accounts

Enable 2FA on every account that touches your code, customer data, or finances. This means: your primary business email, your domain registrar, all cloud provider accounts (AWS root account, Azure subscriptions, GCP projects), source code management (GitHub, GitLab), payment processors (Stripe, Paddle), and internal communication/project management tools. For developers, especially, use an authenticator app (like Authy or Google Authenticator) instead of SMS. SIM swapping attacks are a real risk, and losing access to a developer's phone can give hackers the keys to your entire infrastructure.

3. Phishing awareness

Many breaches begin with a phishing email — a message designed to look real but trick you into giving up login details or clicking a bad link. For software companies, these often pretend to be from cloud providers (AWS, Azure), source code platforms (GitHub), or even internal tools. Watch for urgent messages about "account suspensions," "security alerts," or "failed builds." Always hover over links to see the real address. If an email asks you to log in, go directly to the website yourself instead of clicking the link. This is especially critical for your engineering team, who might receive highly targeted messages.

4. Automatic backups

Ransomware can lock up your codebase, customer databases, or production servers. The best defense is a reliable, off-system backup. For your software, this means:

* **Codebase:** Ensure your Git repositories (GitHub, GitLab) are regularly backed up to a separate, immutable storage solution, or use services that offer redundancy.

* **Databases:** Implement automated daily backups of your production databases (PostgreSQL, MongoDB, etc.) to a separate region or dedicated backup service. Many cloud providers (AWS RDS, Azure SQL Database) offer this, but verify they are truly isolated from your main system and restorable.

* **Configuration Files:** Back up server configurations and environment variables.

Google Drive or OneDrive are not enough for critical server or database backups. You need dedicated solutions like AWS Backup, Azure Backup, or a third-party service that ensures isolated, versioned backups. Test your restores regularly.

5. Software updates

Outdated software is a huge risk. Many attacks happen because a known flaw in an operating system, web server, or development library wasn't patched.

* **Developer Machines:** Enable automatic updates for your operating system (macOS, Windows, Linux) and critical developer tools (IDEs, Docker, Git clients).

* **Servers & Infrastructure:** Set up automated patching for your production servers and development environments. Monitor for security updates for your chosen frameworks (Node.js, Python, Ruby on Rails) and database systems.

* **Dependencies:** Regularly scan your code for vulnerable third-party libraries using tools like Snyk, Dependabot (built into GitHub), or OWASP Dependency-Check.

Staying updated takes little effort but closes many common security holes.

6-10. Additional measures by risk level

6. **Separate work and personal devices when possible.** If possible, use company-issued laptops or dedicated machines for all development and sensitive business tasks. This prevents personal browsing habits or risky downloads from impacting your company's critical systems and customer data. If a personal device is compromised, it should not have access to your production environment or source code.

7. **Use a VPN on public networks.** When working outside your office or home, especially in cafes or public Wi-Fi spots, always connect through a Virtual Private Network (VPN). Public Wi-Fi is easy for attackers to snoop on. A VPN encrypts your connection, protecting your access to cloud platforms, source control, and other sensitive services. Services like NordLayer, ExpressVPN, or even a self-hosted OpenVPN can provide this.

8. **Enable remote wipe on business laptops and phones.** If a company laptop or phone is lost or stolen, it could grant direct access to your systems. Enable remote wipe capabilities through services like Apple Find My, Google Find My Device, or Mobile Device Management (MDM) solutions (e.g., Jamf for Apple, Microsoft Intune for Windows). This lets you erase all company data remotely, preventing a breach from a lost device.

9. **Create a simple incident response plan (who to call if you are breached).** Knowing what to do *before* a breach happens saves precious time and money. Your plan doesn't need to be complex, but it should cover:

* **Who to call:** List internal contacts (tech lead, CEO) and external contacts (cybersecurity lawyer, incident response firm, your cloud provider's support line).

* **Initial steps:** How to contain the breach (e.g., disconnect affected server, revoke compromised credentials).

* **Communication:** How you'll notify affected customers (if personal data is involved, this is often legally required) and what internal communications need to happen.

Even a one-page document is better than nothing.

10. **Review account access quarterly — revoke access from former contractors and employees immediately when they leave.** Every three months, check who has access to your critical systems: cloud platforms (AWS, Azure, GCP), source code repositories (GitHub, GitLab), production servers, databases, and internal tools. Immediately revoke access for any former employee or contractor the moment they leave. Unused or forgotten accounts are a common backdoor for attackers. This is a simple, cost-free step that closes a major security gap.
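A quarterly review of cloud accounts is easier to repeat if it is scripted. The example below is added here and is not from the original checklist: it reads an AWS IAM credential report (the CSV the console and `aws iam get-credential-report` produce), compares it against a roster of current staff and service accounts, and lists every user that needs action, covering both item 2 (console users without MFA) and item 10 (stale or departed accounts). The report rows and the roster are constructed, and only a subset of the real report's columns is used.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed rows using a subset of the real IAM credential report columns.
REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
alice,arn:aws:iam::111122223333:user/alice,true,2026-03-28T09:12:00+00:00,true,true,2026-04-01T08:00:00+00:00
bob-contractor,arn:aws:iam::111122223333:user/bob-contractor,true,2025-11-02T14:30:00+00:00,true,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,N/A,false,true,2025-12-01T03:00:00+00:00
carol,arn:aws:iam::111122223333:user/carol,true,2026-04-02T11:00:00+00:00,false,false,N/A
"""
ROSTER = {"alice", "carol", "deploy-bot"}  # constructed: current staff and service accounts
NOW = datetime(2026, 4, 15, tzinfo=timezone.utc)  # constructed review date
STALE_AFTER = timedelta(days=90)  # one quarter, matching the review cadence
DATE_FIELDS = ("password_last_used", "access_key_1_last_used_date")

def parse_ts(value):
    """Credential reports mix ISO 8601 timestamps with placeholders like N/A."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def review_access(report_csv, roster, now):
    """Return {user: [reasons]} for accounts that need action in the quarterly review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        reasons = []
        if row["user"] not in roster:
            reasons.append("not on current roster: revoke")
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            reasons.append("console password without MFA")
        # Last activity is the newest of the console login and access key use dates.
        stamps = [t for t in (parse_ts(row[f]) for f in DATE_FIELDS) if t]
        last_seen = max(stamps) if stamps else None
        if last_seen is None or now - last_seen > STALE_AFTER:
            reasons.append("no activity in 90 days")
        if reasons:
            findings[row["user"]] = reasons
    return findings

if __name__ == "__main__":
    for user, why in review_access(REPORT, ROSTER, NOW).items():
        print(user, "->", "; ".join(why))
```

The same pattern applies to GitHub organization member exports or any other platform that can list users with a last-activity date.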

RECOMMENDED TOOLS

* **1Password Business** (Best for Teams): password management + breach alerts for teams

* **Bitwarden** (Free): free password manager — no device or password limit

* **Backblaze** (Best Backup): automatic computer backup for $9/mo

Some links above are affiliate links. We may earn a commission if you sign up — at no extra cost to you.

FREQUENTLY ASKED QUESTIONS

Do I need to buy cybersecurity insurance?

Cyber insurance is worth considering once you handle customer payment data, store significant customer personal information, or your business operations are heavily dependent on digital systems. For a simple service business with minimal data, your time is better spent on prevention. For any business handling healthcare, financial, or legal data, cyber insurance is essential.

What is the most common way small businesses get hacked?

Phishing emails that trick employees or owners into revealing credentials. Business email compromise (BEC) — where an attacker impersonates a vendor or executive to redirect payments — is particularly damaging and increasingly common. Both are primarily prevented by 2FA and training, not software.

How would I know if I had been hacked?

Common signs: unusual account activity, colleagues receiving emails you did not send, unexpected password reset requests, unfamiliar logins in your account activity log, unexplained charges. Run a breach check at haveibeenpwned.com for your business email addresses.
