A Guide to SaaS Startup Security, by a SaaS Startup
Shared by nathanganser · 18d ago · 5 comments

Hope this is useful if you've been thinking about security :)

benjamin_a · 18d ago

It has a lot of good tips but is very opinionated and some parts aren’t always true.

For example: “Monolithic architecture is better than micro-services” is sometimes true because it can cut down on complexity, but oftentimes it can actually increase complexity because the app becomes so big and convoluted. Also, there can sometimes be times when breaking modules down can actually increase security (for example, let’s say a hacker breaks into one module/server but it’s no use without having data from another service). There are pros and cons.

Also, “Do not offer username/password login options” is bad advice because there are companies like Auth0 that provide auth SaaS you can use to securely implement authentication in a way that won’t potentially cause you to lose users, like skipping it altogether might.

If you want to make your app secure you need to do a lot more research than just following these procedures. They are helpful but won’t really do much if your app itself is insecure. A good thing to do if you have the budget is hire a freelance pentester, for example.

nathanganser · 18d ago

Monolithic vs micro-services architecture
From my experience, a big repository is still much simpler and more practical than a big bundle of repositories with small apps inside. It also makes it much harder to get a good overview of the whole system when you have many services. Odds are you would not even realise someone hacked into one of your servers.

Do not offer username/password login options
You have to look at it more from a systemic point of view: statistically, there are more username/password auth implementations that are poorly implemented than passwordless implementations. Of course if you're a great and smart developer, you can build an old-school password auth and everything will be fine. But on average, companies with password auth are less secure.
I'm always looking at security from a systemic point of view, not looking at any individual implementations.

Security is an ongoing concern, you're never done with security.

werbot.com · 17d ago

And use our solution for server access - werbot.com ))

zainzaidi · 18d ago

Great guide!

sole-fields · 14d ago

How do you see this evolving in the ensuing months / next year this time? Let's say you 20x the number of users.