197: Securing your SaaS
Hello everyone, welcome to the Bootstrapped Founder. My name is Arvid Kahl, and I talk about bootstrapping, entrepreneurship, and building in public.
When acquirers consider purchasing your Software-as-a-Service business, they want to see many things: an impressive customer base, a promising growth trajectory, and solid financials. But no matter how good these numbers look, you'll never be able to sell your business if it isn't secure. **Nobody wants to buy a ticking time bomb.**
So let's look into the three parts of your business where security matters most: your product, your business, and the eventual acquisition.
## Isn't Security "Just Another Thing?"
And yes, for a founder who is already juggling a dozen different things needed to run a business, thinking about security feels like yet another problem piled upon the ones you already face.
Fortunately, it's not as volatile as the hunt for the elusive product-market fit or dealing with recession-induced customer churn. Security is mostly about making the right fundamental choices and acting according to a set of best practices. You will still have to build a system for selling your product to an ever-changing market. You won't sell your business on its internal security regimen alone. But by dealing with security from the start, you will have a much smoother operational reality in which you can spend your energy on business problems, not security concerns.
Also, one more thing: you can't ever be "fully secure." It's a cat-and-mouse game: shady actors come up with new ways to scam, cheat, and steal from people, and security professionals find ways to mitigate those attack vectors. What you CAN do is stay as secure as possible, making a concerted attack on you and your business prohibitively expensive. The reality is that there's always a way to get into your system, but you want to make it so hard that criminals go for another, less secure company instead.
That's why at least a baseline of security efforts must be made for every SaaS business, yours included. Luckily, that's a relatively easy task.
Let's start with how you can build a secure product.
## Securing your Product
Software products should be secure by themselves: built on well-protected foundations, safe to use, and shielding all incoming and outgoing data from prying eyes.
Building a secure software product becomes much easier when your initial tech stack choices are made with long-term security in mind. That usually means you should skip the "hype of the day" framework in favor of well-tested and already-established systems. [The "Lindy effect"](https://www.notion.so/Product-Development-for-Calm-SaaS-Businesses-1754-a172ca708b3a400498ef594da1838ba7) suggests that technology that has been around for a while will likely stick around for equally as long. Look at the longevity of Ruby on Rails: this web framework has been around since 2004 and is being used by massive enterprise businesses such as Airbnb, Netflix, and Shopify. This tech will be around for a while, not just because these businesses need it to make money. Established frameworks tend to form strong communities of experts and contributors over time.
And many of these developers care a lot about security. Using such a framework —and learning all about its [security best practices](https://guides.rubyonrails.org/security.html)— will already get you very far. Developer communities tend to organize their collective knowledge in free and easily accessed documents or websites. You'll be building on the shoulders of giants.
And since we're talking about using the work of others: you'll very likely need to outsource several parts of your product's functionality to service providers. Hosting, file storage, all those things will be easier, cheaper, and more secure in the cloud. Amazon Web Services has teams of thousands of engineers tasked with nothing but making their infrastructure as secure as possible. It's extremely unlikely that you can set up a server with the same security measures as such a massive team. The fact that you have to sleep alone makes this impossible. When you're in bed, hundreds of engineers carefully monitor their systems for all kinds of anomalies, responding within seconds if anything out of the ordinary is happening.
That's the level of security you want in your critical dependencies.
But it's definitely not the level of security you should EXPECT in your dependencies. Because, after all, most businesses care more about their revenue than the security of their customers' data.
This makes outsourcing a two-step process: first, you need to figure out what you want to hand over to third parties and then select the right ones.
Let me state this as clearly as possible: anything touching extremely sensitive customer data —payment, authentication, and often analytics— should be handled by an expert third-party vendor. It's for the same reason that banks hire security companies to move their cash from one location to another: it's not a bank's business to train, maintain, and deploy a security force. A bank's business is money.
The same goes for your login system and how your customers pay you. The moment you save their password or credit card number into your database —no matter how well you think they are encrypted— you become a target. You're on the safe side if all you save in your database is an easily revoked authentication token or a payment ID. All the risk now lies with a payment portal or an authentication provider — both heavily insured businesses spending enormous amounts of money on keeping their data under lock and key.
A few practical points here:
- **Turn on as many security features as you can.** Allow your customers to use multi-factor authentication and Single-Sign-On when they log into your application. You might lose direct access to them this way, so you will have to ask them for permission to reach them through email. But that is more than worth it compared to having to tell them their account —and all the data in it— was breached because you didn't update your servers and someone who shouldn't have gained access to your data did.
- **Since we're talking about updates: updating your dependencies is product work.** Anything making your codebase more secure and durable is an improvement. Not every minute of every day needs to be spent on feature implementations. Integrating the most recent and more secure API for a critical service is just as important. An ounce of prevention is worth a pound of cure. Updating is coding.
- **Protect your web app with Cloudflare.** At this point, not using Cloudflare's free DDoS protection in front of your application intentionally adds risk to your business. You'd think DDoS only affects enterprise businesses like Twitter or Facebook, but the small size of your SaaS makes it relatively cheap for a malicious competitor to take you out. Cloudflare protects you behind their network, for free. You get SSL encryption, DNS management, and unmetered DDoS protection. Using this service alone will already let you sleep easier at night, and it won't cost you anything. Even their paid plans —with more fine-grained features— are affordable for a bootstrapped SaaS business. It's a no-brainer.
- **But still: vet your vendors.** Cloudflare is a recognized and trusted name in the developer world — and they worked hard to get there. Vetting needs to happen for every single vendor you use. And your customers do the same. This will probably be bad news if you're a solopreneur SaaS founder, but it is the unfortunate reality of the market. If the business you're handing your data to hasn't been around for at least a few years, you're going into a risky relationship. Most small SaaS businesses fly under the radar of cybercriminals, but once a SaaS grows to a certain size, it needs to be secured much more robustly than a scrappy prototype. And people expect that from enterprise-ready services.
- **Don't grab more data than you need.** Every data point that sits in your database unused is a liability. Why exactly do you need to track every single page view or every click? Do you really need to save the contents of their abandoned cart for a year? Over-asking and over-storing sensitive information (or information that, in aggregate, can be used to identify a person) will give you no advantages and a lot of drawbacks in the future. Take what you need and not a bit more.
- **Try hacking your own products.** Since you know how it works, it'll be easy to find "[attack vectors](https://www.pluralsight.com/courses/ethical-hacking-web-servers)" to get to data that normal users shouldn't be able to access. Change the IDs in your URLs and see if you can load things you shouldn't. This isn't a comprehensive method, but it definitely beats trusting that you built a secure product in the first place. You might want to set up a [bug bounty program](https://www.aon.com/cyber-solutions/thinking/set-up-bug-bounty-program-ten-steps/) to encourage technical users to disclose oddities, errors, and attack vectors to you for a reward.
- **An insecure product erodes customer trust.** News of data leaks or even just minor security issues spreads extremely fast in professional circles. People will be extremely cautious when they hear such things, even if they're unfounded. If there has been an incident, you need to disclose it immediately. Not only is it the law in most jurisdictions, but it's also the only way to salvage existing relationships. You'll still lose customers over this, and it's way less costly to invest in security before something happens than to pay for the cleanup.
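To make the "change the IDs in your URLs" check from the list above concrete, here is an added example (not code from the episode or from any particular framework). It puts a handler that trusts the ID from the URL next to one that scopes the lookup to the logged-in user, and runs the same self-test against both. The invoice store, user names and function names are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    total_cents: int


# Constructed sample data: two customers, sequential IDs as they would appear in URLs.
INVOICES = {
    1: Invoice(1, "alice", 4900),
    2: Invoice(2, "bob", 9900),
    3: Invoice(3, "alice", 1900),
    4: Invoice(4, "bob", 2900),
}


def get_invoice_unscoped(current_user, invoice_id):
    """Flawed handler: checks that someone is logged in, then trusts the ID."""
    if current_user is None:
        raise PermissionError("login required")
    return INVOICES.get(invoice_id)


def get_invoice_scoped(current_user, invoice_id):
    """Fixed handler: only returns records the current user owns."""
    if current_user is None:
        raise PermissionError("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        return None  # same answer for "does not exist" and "not yours"
    return invoice


def foreign_records_exposed(handler, current_user, candidate_ids):
    """Request every ID as one user and list the IDs that belong to someone else."""
    exposed = []
    for invoice_id in candidate_ids:
        invoice = handler(current_user, invoice_id)
        if invoice is not None and invoice.owner != current_user:
            exposed.append(invoice_id)
    return exposed


if __name__ == "__main__":
    ids = range(1, 6)  # includes one ID that does not exist
    print("unscoped:", foreign_records_exposed(get_invoice_unscoped, "alice", ids))
    print("scoped:  ", foreign_records_exposed(get_invoice_scoped, "alice", ids))
```

Kept as an automated test with two test accounts, the same loop catches any later endpoint that forgets the ownership check.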
To stay ahead of the curve, it's a good idea to keep an eye on the web security space. One resource that every single SaaS developer should know is the Open Worldwide Application Security Project, or OWASP for short. It's a non-profit offering tools, guides, and best practices to keep any web application secure and protect your customers' privacy. Regularly browse the [OWASP foundation website](https://owasp.org/) for new threats, subscribe to a [security newsletter](https://larasec.substack.com/) or two, and watch for security conversations in your technical communities.
## A Secure Perspective / Securing your Business
Let's say you now have a secure product built on secure foundations. That's half the battle. The other half, unfortunately, won't be as straightforward as the technical part — because it involves people. And people make security much more challenging.
But let's stay pragmatic.
Securing your business means that you —and only you— have access to critical information at all times. It means that your secrets are protected, and the value you create working in and on the business will eventually translate into financial wealth, either in an exit or just through the dividends your business can generate. And for that, you need documents, processes, and best practices.
The most important thing to do is to have backups in place. Secure backups. Secure backups that you actually tried to restore. An untested backup is like Schrödinger's Cat: it might be alive, or it might be dead; you won't know until you try to restore your data.
A general rule here: no backup is the worst, a single backup is effectively just another single point of failure, and two backups are a start. Consider having a local backup —such as having the same files saved on another computer—, a cloud backup, and a regularly updated external backup at a safe location that is not your home or office.
Make sure you have backups for anything that touches money: invoices, receipts, transaction lists, tax documents, all of it. You'll be glad to have it in one place when the next audit comes around. Also, keep a backup of your codebase. Since you're following best practices and don't keep any secrets or credentials in your code —right? Right!?— you can safely store a compressed and encrypted code backup somewhere out of sight.
Oh, and you should keep what is in sight secure as well. Secure your devices. It doesn't matter that you're the only person in your home office using your desktop computer. Use a password to log in, and encrypt your hard drive. We all hope never to be the victim of theft, but if it happens, you can at least rest assured that no one is going through your emails to grab your credit card information. Secure your phones, laptops, and computers; encrypt every single hard drive — and, if possible, all SD cards.
Follow the basic guidelines of credential safety: don't re-use passwords, use a password manager with strong, long, and complex randomly generated passwords, and use security features such as two-factor authentication and [hardware security keys](https://www.yubico.com/) wherever possible.
And this is not just about you. Teach your family to adhere to these practices, too. This is particularly important if you're sharing a WiFi network with non-technical people who might not understand the need for tight security. Tell them about how quickly an attacker can ruin your whole future if they ever were to take control of a computer inside your home. Explain how access to your email inbox allows criminals to change passwords for every other service you use within minutes. Spend some time researching [Internet Safety Tips for Parents](https://bc-cb.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=2077&languageId=1&contentId=21690) — they're not just for kids. The concepts of not sharing too much information, safeguarding your credentials, and being distrustful of "too good to be true" offers are important for every age group.
Your business is only as safe as the weakest link in your home network. So you'll have some educating to do. Understand that people tend to re-use their passwords between personal and business accounts. That's something you need to banish from your life and the lives of your family members. It's extremely risky for the longevity of your business.
It's important to secure your business because the security of other businesses might depend on it. For this reason, you should look at the most common compliance expectations among your customers and your countries of operation. Standards like [SOC 2](https://en.wikipedia.org/wiki/System_and_Organization_Controls) for accounting, [ISO 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001) for general IT security, [HIPAA](https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act) for medical information, and the ever-so-present privacy law [GDPR](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) come to mind here. If you serve smaller businesses, these might not be important. Still, it won't hurt to look into being compliant from the start — it'll make any eventual certification easier once you move on to bigger customers.
One final thing before we talk about the exit: if you're building in public, or sharing anything online, beware of accidental credential leakage. Usually, this happens through screenshots or URLs that you share.
Screenshots might include IDs or usernames that nefarious actors could use to impersonate you. Train yourself to always look at any screenshot you're about to share and think about what a hacker could do with the information you provide. Smart screenshot tools such as fellow indie hacker Tony Dinh's Xnapper have redaction features built-in — that tool automatically redacts sensitive data and allows you to quickly block out other text before you save the screenshot as a file.
If you share URLs, they might contain session IDs that hackers can use to act on your behalf. You might share sensitive usernames or private virtual locations that can lead criminals to data that isn't protected by anything but obscurity.
If you share, share the minimum you need to share. A picture of the dozens of open tabs on your browser might seem hilarious, but you just exposed precisely what websites you visit. You might have told thousands of people which bank you use, where you shop, what news sites you visit, and where you store important information. Redact everything.
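One way to apply "redact everything" to a URL before it goes into a post or a screenshot caption, as an added example that is not from the episode. It strips embedded credentials, session-style query parameters, token-like path segments and fragments that carry key=value data. The list of sensitive name hints and the 24-character threshold are assumptions to tune for your own stack, and the sample URLs are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Substrings that mark a query parameter as sensitive (assumed list, extend as needed).
# Matching is deliberately broad: redacting too much is the safe failure mode.
SENSITIVE_HINTS = ("sess", "sid", "token", "secret", "signature",
                   "password", "passwd", "key", "auth")

# A path segment of 24+ URL-safe characters containing a digit is treated as an
# opaque secret (reset links, share links, signed download paths).
OPAQUE_SEGMENT = re.compile(r"^(?=.*\d)[A-Za-z0-9_-]{24,}$")

# Session IDs that some servers append to the path itself.
PATH_SESSION = re.compile(r";jsessionid=[^/;]*", re.IGNORECASE)


def is_sensitive(param_name):
    name = param_name.lower()
    return any(hint in name for hint in SENSITIVE_HINTS)


def redact_url(url, placeholder="REDACTED"):
    """Return a copy of url that is safe to share publicly."""
    parts = urlsplit(url)

    # user:password@host -> REDACTED@host
    userinfo, at, host = parts.netloc.rpartition("@")
    netloc = f"{placeholder}@{host}" if at else host

    # Token-like path segments and ;jsessionid=... path parameters.
    path = "/".join(placeholder if OPAQUE_SEGMENT.match(seg) else seg
                    for seg in parts.path.split("/"))
    path = PATH_SESSION.sub(f";jsessionid={placeholder}", path)

    # Keep harmless parameters readable, blank out the sensitive ones.
    query = urlencode([(k, placeholder if is_sensitive(k) else v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])

    # Fragments with key=value data can carry access tokens; plain anchors stay.
    fragment = placeholder if "=" in parts.fragment else parts.fragment

    return urlunsplit((parts.scheme, netloc, path, query, fragment))


if __name__ == "__main__":
    # Constructed sample URL.
    print(redact_url(
        "https://alice:hunter2@app.example.com/reset/9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c"
        "?page=2&session_id=abc123&utm_source=twitter#access_token=xyz"))
```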
## Securing your Exit
Alright, let's get to the good part — the good part of your entrepreneurial journey! When acquirers come knocking, the founder's life becomes incredibly exciting. The due diligence process is an integral part of any sale and has several security implications. For most founders, that stage is still a few years away, so we'll look at how you can set up your business to make this process as smooth as possible when that happy day draws near.
Rule #1: Never share secret information without having the proper agreements in place. Do your own [seller-side due diligence](https://thebootstrappedfounder.com/how-to-do-due-diligence-on-your-potential-acquirer/) on any potential acquirer. Some people are faking offers to get a glimpse at your secret sauce. Don't share anything on a whim, and make sure that even if contracts are in place, you keep protecting your customer data.
But let's say you're talking to a legitimate buyer who can be trusted. Let's make it easy for them to transition the business over — a gesture that in itself makes your business more valuable and increases the potential size of your check.
You will want to have clear and complete account separation between how you log into your business's dependencies and your personal accounts. From the start, create an email address that is only used for business purposes and sign up with that. Right at the beginning, this can be a new Gmail account, but I recommend setting up something on a custom domain as soon as possible. It'll look more professional and can be more easily extended once more people join your efforts.
Whatever you do, use password managers and keep all passwords in a password vault. In fact, keep all links to your process documentation and codebase locations in there, too. Most password managers support secure notes for this purpose. This will make the handover extremely easy. When we sold FeedbackPanda back in 2019, the big "day of the sale" was effectively just us handing over a URL and a password to our password vault. Anything else was in that vault. This is a great streamlining opportunity, and your acquirer will appreciate it.
Alright, there we have it. A secure product, operated securely, sold and transitioned safely.
Of course, what I shared with you here isn't exhaustive. The world of security is constantly shifting, and while the fundamentals will keep you mostly safe, there is no such thing as perfect security. Keep an open mind, follow the experts —like [Troy Hunt](https://www.troyhunt.com/), who I talked to earlier this week about this very topic— and consider security a first-class citizen in the crowded room that contains all the many things that you need to take care of as a founder.
And that's it for today. Thank you for listening to The Bootstrapped Founder. You can find me on Twitter at @arvidkahl. You'll find my books and my Twitter course there as well. If you want to support me and the show, please subscribe to my YouTube channel, get the podcast in your podcast player of choice, and leave a rating and a review by going to [ratethispodcast.com/founder](http://ratethispodcast.com/founder). Any of this will help the show. Thank you very much for listening, and have a wonderful day. Bye bye.