SaaS Vendor Security Checklist

SaaS Vendor Security Checklist

A quick start guide to begin to evaluate SaaS vendor security


Moving to the cloud and SaaS introduces new risks for security practitioners that must be carefully managed. When selecting a SaaS vendor, thoroughly evaluating their security is critical to protect your data and users. This SaaS vendor security checklist provides a framework to analyze key security capabilities during your due diligence process.

Product Security

  • Identity and access management features like SSO, MFA, and robust user management

  • Granular access controls and configurable sharing policies

  • Auditing capabilities to track access and changes

  • Encryption for data in transit and at rest

App Security

  • Evidence of secure development practices like training, threat modeling, and static code analysis

  • Annual penetration testing by respected security firms

  • Secure coding practices and vulnerability management

Infrastructure Security

  • Cloud infrastructure documentation showing security best practices like defense in depth, least privilege, and minimizing attack surfaces- Example: Ensure lateral movement across networks is restricted

  • Network security following cloud provider guidelines - AWS services like CloudFront, WAF, security groups, VPCs

  • Operations and management security with MFA, role-based access, just-in-time access

  • Logging, monitoring, and alerting to detect threats across all infrastructure layers- Example: Have anomaly detection to detect suspicious activities and compromised credentials


  • Relevant certifications like SOC 2, ISO 27001, etc. based on your regulatory requirements

  • Industry or region-specific compliance as applicable


Using this SaaS vendor security checklist will help you perform thorough due diligence and risk analysis. By evaluating product security, application security, infrastructure security, compliance, and security responsibilities, you can gain assurance that a SaaS provider has the necessary controls in place to protect your data and users.