[theluketaylor]

I can offer some advice from the other side of the fence as someone who evaluates potential SaaS platforms for use in an enterprise.

Audit log everything. If you think you have enough logging you're likely wrong. I have never seen a platform where I thought "this is nice, but I wish it has less logs"

Strong role based access controls, especially if you provide rights that can be built into custom roles. It's very hard to add these later and I can usually tell when a platform hasn't be designed to handle roles from very early on

Federated logins like SAML or Open ID Connect. Getting authentication right is very hard and it's usually better to use a well tested service rather than try to do it yourself. Codegeek mentioned not storing things you don't need. If you don't need to store passwords you've done yourself a huge favour.

Architecture reviews and penetration tests. Big organizations are going to ask for the results of these processes, so you might as well plan for it. Pen tests are nice, but bringing in outside help to do architecture reviews of your security is really cost effective. You'll catch issues at the design stage where it's still much easier to fix them. Once code is in production security design changes are much, much harder. This is an area you want someone to look over your shoulder to make sure you are considering the right threat models and building things out the right way.