SaaS Security Checklist 2026 — 52 Items for Enterprise Vendor Assessment

Authentication & Access Control

8 items

Multi-factor authentication (MFA) enforced for all admin and privileged accounts
Password policy: minimum 12 characters, complexity required, breach-list checked
Session timeout enforced (idle sessions expire after ≤ 30 minutes)
Account lockout after 5 failed login attempts with progressive delays
Role-based access control (RBAC) implemented and documented
Principle of least privilege applied to all service accounts
OAuth / SSO integration tested for token leakage and redirect URI validation
API keys rotated at least annually, never committed to version control

7 items

10 items

7 items

8 items

Cloud accounts protected with MFA for root/admin users
Infrastructure access limited by IP allowlist or VPN
Production environment isolated from development and staging
Security groups / firewall rules: only required ports open (no 0.0.0.0/0 on sensitive ports)
Container images scanned for vulnerabilities before deployment
Kubernetes RBAC configured; pods do not run as root by default
Cloud audit logs (CloudTrail / GCP Audit Logs) enabled and retained ≥ 90 days
WAF (Web Application Firewall) in place on public-facing endpoints

6 items

7 items