by marcc
3400 days ago
You really need to think about security as a few distinct, but related parts. There's (at least) infrastructure, data and product security to consider.

1. Infrastructure security is because you don't want intruders on your servers. If you don't control access to the actual servers and your own SaaS accounts, and have systems to detect and alert when something abnormal happens, then all bets are off.

2. Data security is because my data is important to me, and I want you to keep it confidential. Store it encrypted. Encrypt in transit, even inside your network. Don't send confidential stuff over Slack. The data a customer puts into your SaaS product should be safe and secure from anyone else who wants to see it.

3. Product security options are required when selling any SaaS offering today. Build and enable 2FA. Build a feature to allow for role-based access controls. Don't build any system that would enable you to send me my password in an email.

This is a huge list to make. We recently launched an open source guide for product managers of SaaS applications to use when trying to build for the enterprise. It's at https://www.enterpriseready.io. There are a few relevant sections for this conversation: Product Security, Audit Logs, Role Based Access Control. I'd encourage you to read those sections, and send any feedback. Our team has been working on problems in this space for a while now, and put a lot of time into building those guides.
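The three product-security items in the comment above (2FA, role-based access control, and never being able to mail a user their password) map to three small mechanisms. The block below is an added example, not code from the commenter or from enterpriseready.io: a deny-by-default RBAC check over a constructed role-to-permission table, RFC 6238 TOTP generation and verification built from the standard library, and salted one-way password hashing (PBKDF2-HMAC-SHA256) so the server never holds anything it could email back. The role names, permission strings and the TOTP test secret are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# --- Role-based access control ---------------------------------------------
# Constructed role -> permission table (assumption for the example; a real
# product would load this per tenant and let admins edit it).
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage", "auditlog:read"},
}

def is_allowed(roles, permission):
    """Deny by default: grant only if some assigned role carries the permission.
    Unknown roles contribute nothing rather than raising, so a stale role
    name in a user record cannot widen access."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)

# --- Second factor: HOTP/TOTP per RFC 4226 / RFC 6238 -------------------------
def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, for_time, step=30, digits=6):
    """TOTP is HOTP keyed on the number of `step`-second intervals since epoch."""
    return hotp(secret, int(for_time) // step, digits)

def verify_totp(secret, code, now, step=30, window=1):
    """Accept the current step and +/- `window` neighbours to absorb clock
    skew. Compare in constant time so an attacker cannot learn digits from
    response timing."""
    counter = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, len(code)), code)
        for d in range(-window, window + 1)
    )

def new_totp_secret(nbytes=20):
    """Random seed for enrolment; base32 is what authenticator apps expect."""
    return base64.b32encode(os.urandom(nbytes)).decode()

# --- Password storage that cannot be reversed ---------------------------------
PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP guidance for SHA-256

def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Store salt + iteration count + PBKDF2 output. There is no way to recover
    the password from this record, which is exactly why a "send me my
    password" feature cannot be built on top of it."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify_password(password, stored):
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters), len(expected))
    return hmac.compare_digest(dk, expected)

if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"); at t=59 the
    # 6-digit SHA-1 code is 287082.
    rfc_secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(rfc_secret, 59))
    print("viewer may write reports:", is_allowed({"viewer"}, "report:write"))
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("password verifies:", verify_password("correct horse battery staple", rec))
    print("live code now:", totp(rfc_secret, time.time()))
```

The RBAC helper is deliberately a pure function over (roles, permission); keeping authorization decisions in one place is what makes them auditable, which ties into the audit-log section the comment points to. The TOTP window of one step each way is the usual trade-off between tolerating phone clock drift and limiting the number of codes an attacker can guess per attempt; pair it with rate limiting on the verification endpoint.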