Software-as-a-Service (SaaS) apps have the same security challenges as any other web-based products. The good news is that many SaaS apps are more secure than installed enterprise apps due to more timely rollouts of security enhancements and better economies of scale for vulnerability testing.
Here are some simple best practice security-related ideas for SaaS apps:
- Require more complicated passwords for users (e.g. at least eight characters with upper case, lower case, and numbers included)
- Enforce two-factor authentication for any power users
- Audit the application quarterly with vulnerability scans, cross-site scripting scans, and SQL injection scans
- Limit server access to as few people as possible and enforce IP address whitelisting
- Authorize individual machine access after email confirmation
- Expire user passwords on a regular basis
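As an added example (not code from the original post), here is how three of the items above could be enforced in a Python web app: the password rule as stated, password expiry, and an IP whitelist for server access. The network ranges, the 90-day rotation period and the function names are assumptions.

```python
"""Added example: enforcing listed SaaS practices at login and at the admin boundary."""
import ipaddress
import re
from datetime import date

MIN_LENGTH = 8  # policy from the post: at least eight characters


def check_password_policy(password: str) -> list[str]:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def password_expired(last_changed: str, today: str, max_age_days: int = 90) -> bool:
    """Dates are ISO strings (YYYY-MM-DD); the 90-day rotation period is an assumed value."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > max_age_days


# Constructed whitelist: an office range plus one VPN host (example values only).
ADMIN_WHITELIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


def admin_ip_allowed(client_ip: str) -> bool:
    """Allow server-admin requests only from a whitelisted network.

    client_ip must be the address seen by your own edge (load balancer or web
    server), never a client-supplied header such as X-Forwarded-For, which an
    attacker can set. Malformed input is denied rather than raising.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_WHITELIST)
```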
SaaS security best practices are well known at this point and should be implemented early on for apps that contain confidential information.
What else? What are some other security ideas for SaaS apps?