Application security features sound like obvious items to put on your product roadmap. But since applications today are constantly changing and evolving, it becomes a never-ending marathon consisting of sprints to the next goal. The next release, the next bug fix, or UI/UX improvement.
Then application security features can get put off in favor of “a more pressing issue.”
But no development team can put off application security forever. Especially if you have enterprise-level customers. Whether you’re planning it from the start or bolstering your security features later, you have to pick out the application features that truly make a difference.
Here we’ve identified 14 common application security features for you to consider for your SaaS product roadmap.
1. Password security
First on our list is a no-brainer, right? However some SaaS companies are still getting the basics wrong, and as a result, they’re paying for it. With that fact in mind, we want to provide our top tips for what application security features will help make your SaaS customers more secure. The following password features are critical to that goal:
- Passwords Stored Hashed and Salted
This sounds like we’re talking about a new kind of peanut butter. But bcrypt is commonly used to hash passwords function that may assist in implementing this feature. Another commonly implemented and more current password hashing function is scrypt.
- Enforceable Minimum Password Strength Options for Administrators
Allowing your customers to optionally engage their users with a minimum password strength allows them to decide how they want to enforce security. Alternatively, adding a password strength meter to the password creation process can help motivate the user to create stronger passwords.
- Enforceable Password Expiration Options for Administrators
Another key ingredient in offering the tools to your customers to manage their own security.
- Password Reuse Prevention
When the user is creating a new password, require the user to enter the old password and then check to see if the old password is the same or similar to the new password. Doing this is a way to ensure that each password is unique without storing unsalted, hashed passwords.
- Password Reset Controls
Best practice means allowing a user to reset their own password or enforcing and delivering a password reset. You want to avoid requiring human intervention or an administrator sending the new password to the user.
- Multifactor and 2-Factor Authentication Enforcement Option for Administrators
You can give admins the option to turn the feature on or off, on a case by case basis. This is another great way to offer application security features to make customers more secure while giving them flexibility.
Don’t forget that users may pick a weak password if you let them – including one of these four types of password no one should ever use. It’s up to your team to decide how to suggest or require strong passwords from your users.
2. Security Activity Notifications
You may want to allow for your app to send notifications via email or other means to the user when:
- There are several incorrect login attempts when a user enters an incorrect password, yet with a correct email address or username.
- There is a login from a new device or browser.
- Logging in from a different geographic location than usual.
- The password for an account changes.
Check out this great example of a detailed security notification from Dropbox:
3. Password Attempt Threshold/ Account Lockout
There are several different standards in place that exist for this application security feature. We suggest (as a minimum) account lockout for a duration of 30 minutes, or until an administrator unlocks the account conditional to the following rules:
- More than 5 failed login attempts within 6 hours from 1 user
- More than 50 failed login attempts from 1 IP address within 1 hour
4. Admin Security Controls
Give administrators the tools and features to effectively administer the accounts in the application. It is important for them to have the ability to enforce their own security requirements, customizable to meet the needs and regulations of their industry. One customer may need to comply with the regulations of the Payment Card Industry (PCI) and may have different enforcement requirements than another customer, which does business in the healthcare industry and cares about HIPAA compliance.
5. Subject Access Request
Data protection and data privacy regulations that are popping up across the globe mean having the tools to respond. New regulations, like the GDPR, establish a data subject’s right to submit a “subject access request.” That means building in a way for users to submit such a request for their data and a way for you to respond.
This application feature is largely conditional to any privacy or data protection regulations/laws that are relevant to your company. If you are unsure of what privacy laws are relevant to your company, we suggest you consult a Privacy and Data Security lawyer in your jurisdiction.
6. Third-party Data Backup Support/Data export Support
Applications today contain tons of data. Which is why it is important to offer data backup support and data export support. Best practice for data export features is in a human-readable, and easily portable, or transferrable format.
In fact, this “portability” is often a privacy requirement in many new privacy regulations. So it is not only an application security feature, but it also helps you and your customers comply with data protection and privacy standards.
7. Single Sign-On Support
There are several very good choices in terms of Identity Providers offering a Single Sign-On solution to many app developers. Customers expect SaaS solutions today to offer, at a minimum, two SSO Identity provider options to sign in to their apps.
The benefit of providing SSO to your customers is the ease of use and improved efficiency of sign-in. It also helps curb Password Fatigue.
8. Soft Delete
When users flag items or select items to delete, a good application feature to have is a soft delete feature. A soft delete application feature means that a deleted object not actually deleted, at least initially.
Soft delete merely flags as “deleted” and makes it unavailable in the live production database or corresponding bucket. Think of how most operating systems have a “Trash” where your files are stored. You can restore those files before they are actually deleted.
This feature intends to prevent data loss in the case that it was unintentional and needs to be reversed. It may also help if the delete was malicious and intentional. Once an item is flagged for deletion/removal you want to set a retention period and then the item can be permanently deleted after that period ends.
9. IP Whitelisting
In the cases where your customer requires its users to use a VPN to access a service, IP whitelisting may be a useful application feature to make available. IP whitelisting is the process of pre-vetting accepted IP addresses that are able to connect to the service.
This feature allows your application to deny any IP that is not on the IP whitelist. A VPN will have a set range of IP addresses or a subnet that will be included in the whitelist — this will allow only the VPN to be able to connect to the service. This feature will only be relevant to customers that process very sensitive data or are operating within regulated industries.
10. Active Directory/Google, etc Employee Directory Features
Many large and medium-sized organizations use an active directory or LDAP to manage Identity and Access such as managing users, assigning permissions and roles on a traditional “security zone” network.
More commonly today there are cloud-based IAM solutions being offered such as Azure AD, AWS Identity and Access Management (IAM), and Okta to name a few. Adding directory integration with common directory services is a great way to get customers on board and working securely within your application.
11. Data Retention Controls
Offering customers the ability for their administrators to enforce their organization’s specific data retention strategies or requirements is important.
Circling back to industries such as Payment Card Industry and Healthcare Industries — these industries have data retention standards and requirements as part of their compliance. Therefore, as part of their due diligence in strategic sourcing, they will be searching for SaaS providers that offer application features that are cognizant of their data retention needs.
From a security standpoint, automation can be a huge force multiplier to the effectiveness of an application. But there are a couple of points to be aware of and consider when automating processes and tasks.
First, ensure that any automated processes or APIs have minimum permissions to be functional and perform authenticated tasks. Then, you want accounts and application instances provided to the customer to be secure by default.
It is important that when an administrator modifies, deletes or removes an account that you have the added feature of cutting off active sessions with that deleted user account. When an account is deleted or has a password changed, all existing sessions should, therefore, be deleted immediately.
14. Monitor Account Activity
From the Security page, you should be able to easily monitor linked devices, active web sessions, and third-party apps with access to your account. Something doesn’t look, right? You can cut off access in seconds. From the Events page, you can track changes to files and folders, including edits, deletions, and shared folder membership.
Prioritizing All Those Application Security Features
It’s a good idea to make sure your roadmap regularly includes new security features and updates. But how to pick where to start?
In general, it comes down to your priorities, risks, and customers. If you just had a penetration test that exposed several vulnerabilities? You might need to put a project or new features on hold while you put resources into fixing those security issues. If security is a major selling point for your enterprise customers sending you vendor assessment questionnaires? You might be moving up multiple security features at once.
In the end, it’s a good idea to plan security features into your application roadmap. It also helps make security part of your company culture, blending best practices from your company security policies and awareness training into your product.
If you want your company to grow, and grow fast? Make sure you are ready to live up to customers’ expectations for security features.