Posted on January 22, 2020 - by Justin Gratto - in Growing Your SaaS Company
Application security features sound like obvious items to put on your product roadmap. But since applications today are constantly changing and evolving, it becomes a never-ending marathon consisting of sprints to the next goal. The next release, the next bug fix, or UI/UX improvement.
Then application security features can get put off in favor of “a more pressing issue.”
But no development team can put off application security forever. Especially if you have enterprise-level customers. Whether you’re planning it from the start or bolstering your security features later, you have to pick out the application features that truly make a difference.
Here we’ve identified 14 common application security features for you to consider for your SaaS product roadmap.
First on our list is a no-brainer, right? However some SaaS companies are still getting the basics wrong, and as a result, they’re paying for it. With that fact in mind, we want to provide our top tips for what application security features will help make your SaaS customers more secure. The following password features are critical to that goal:
Don’t forget that users may pick a weak password if you let them – including one of these four types of password no one should ever use. It’s up to your team to decide how to suggest or require strong passwords from your users.
You may want to allow for your app to send notifications via email or other means to the user when:
Check out this great example of a detailed security notification from Dropbox:
There are several different standards in place that exist for this application security feature. We suggest (as a minimum) account lockout for a duration of 30 minutes, or until an administrator unlocks the account conditional to the following rules:
Give administrators the tools and features to effectively administer the accounts in the application. It is important for them to have the ability to enforce their own security requirements, customizable to meet the needs and regulations of their industry. One customer may need to comply with the regulations of the Payment Card Industry (PCI) and may have different enforcement requirements than another customer, which does business in the healthcare industry and cares about HIPAA compliance.
Data protection and data privacy regulations that are popping up across the globe mean having the tools to respond. New regulations, like the GDPR, establish a data subject’s right to submit a “subject access request.” That means building in a way for users to submit such a request for their data and a way for you to respond.
This application feature is largely conditional to any privacy or data protection regulations/laws that are relevant to your company. If you are unsure of what privacy laws are relevant to your company, we suggest you consult a Privacy and Data Security lawyer in your jurisdiction.
Applications today contain tons of data. Which is why it is important to offer data backup support and data export support. Best practice for data export features is in a human-readable, and easily portable, or transferrable format.
In fact, this “portability” is often a privacy requirement in many new privacy regulations. So it is not only an application security feature, but it also helps you and your customers comply with data protection and privacy standards.
There are several very good choices in terms of Identity Providers offering a Single Sign-On solution to many app developers. Customers expect SaaS solutions today to offer, at a minimum, two SSO Identity provider options to sign in to their apps.
The benefit of providing SSO to your customers is the ease of use and improved efficiency of sign-in. It also helps curb Password Fatigue.
When users flag items or select items to delete, a good application feature to have is a soft delete feature. A soft delete application feature means that a deleted object not actually deleted, at least initially.
Soft delete merely flags as “deleted” and makes it unavailable in the live production database or corresponding bucket. Think of how most operating systems have a “Trash” where your files are stored. You can restore those files before they are actually deleted.
This feature intends to prevent data loss in the case that it was unintentional and needs to be reversed. It may also help if the delete was malicious and intentional. Once an item is flagged for deletion/removal you want to set a retention period and then the item can be permanently deleted after that period ends.
In the cases where your customer requires its users to use a VPN to access a service, IP whitelisting may be a useful application feature to make available. IP whitelisting is the process of pre-vetting accepted IP addresses that are able to connect to the service.
This feature allows your application to deny any IP that is not on the IP whitelist. A VPN will have a set range of IP addresses or a subnet that will be included in the whitelist — this will allow only the VPN to be able to connect to the service. This feature will only be relevant to customers that process very sensitive data or are operating within regulated industries.
Many large and medium-sized organizations use an active directory or LDAP to manage Identity and Access such as managing users, assigning permissions and roles on a traditional “security zone” network.
More commonly today there are cloud-based IAM solutions being offered such as Azure AD, AWS Identity and Access Management (IAM), and Okta to name a few. Adding directory integration with common directory services is a great way to get customers on board and working securely within your application.
Offering customers the ability for their administrators to enforce their organization’s specific data retention strategies or requirements is important.
Circling back to industries such as Payment Card Industry and Healthcare Industries — these industries have data retention standards and requirements as part of their compliance. Therefore, as part of their due diligence in strategic sourcing, they will be searching for SaaS providers that offer application features that are cognizant of their data retention needs.
From a security standpoint, automation can be a huge force multiplier to the effectiveness of an application. But there are a couple of points to be aware of and consider when automating processes and tasks.
First, ensure that any automated processes or APIs have minimum permissions to be functional and perform authenticated tasks. Then, you want accounts and application instances provided to the customer to be secure by default.
It is important that when an administrator modifies, deletes or removes an account that you have the added feature of cutting off active sessions with that deleted user account. When an account is deleted or has a password changed, all existing sessions should, therefore, be deleted immediately.
From the Security page, you should be able to easily monitor linked devices, active web sessions, and third-party apps with access to your account. Something doesn’t look, right? You can cut off access in seconds. From the Events page, you can track changes to files and folders, including edits, deletions, and shared folder membership.
It’s a good idea to make sure your roadmap regularly includes new security features and updates. But how to pick where to start?
In general, it comes down to your priorities, risks, and customers. If you just had a penetration test that exposed several vulnerabilities? You might need to put a project or new features on hold while you put resources into fixing those security issues. If security is a major selling point for your enterprise customers sending you vendor assessment questionnaires? You might be moving up multiple security features at once.
In the end, it’s a good idea to plan security features into your application roadmap. It also helps make security part of your company culture, blending best practices from your company security policies and awareness training into your product.
If you want your company to grow, and grow fast? Make sure you are ready to live up to customers’ expectations for security features.