
SaaS Application Security Checklist You Should Implement — 7 Practical Tips


Security is a never-ending battle. To protect an application you have to close every hole in the system, while an attacker only needs to find one opening. Fundamentally, you are never 100% secure, and getting close to 100% can be so expensive that the product stops being profitable.

However, it is not hard or expensive to make a system reasonably secure by working through a sensible SaaS application security checklist. If your system is hardened so that only a small number of highly skilled attackers could break in, that is often sufficient: the most capable attackers go after the most valuable targets, and that is usually someone else. The exception is when the data you hold for your customers makes you the valuable target; then the bar is correspondingly higher.

Here are seven SaaS security best practices that are both easy and inexpensive to implement:


1. Encrypt all Customer Data: Use the database system's own encryption for data at rest (in SQL Server this is Transparent Data Encryption, TDE). Once it is enabled, everything written to the database files and backups is encrypted, yet you change nothing in your code: encryption and decryption happen below your queries, inside the database engine. Be clear about what this does and does not cover. TDE protects against someone who steals the disk, the data files or a backup; it does not protect against anyone who can run queries against the live database, such as an attacker holding a stolen connection string or exploiting a SQL injection hole, because the engine decrypts transparently for them too. It also moves the problem to protecting the encryption key, which is the subject of the next item.

2. Use the Customer’s Key Store: Keep every key the application depends on (database credentials, the data-encryption keys, any private keys used for document signing, and so on) in a key store, with a separate key store per customer, and make the customer the only party with full administrative access to it. Your SaaS application is granted only the right to use the keys (open a connection, decrypt a record, sign a document); it can never read or export the key material. In practice this means a managed key vault or HSM-backed service where key use and key export are separate permissions. If your application ever held the raw key it could be copied, and a compromise of your code would become a compromise of every customer's data at once.

3. Use their Active Directory for all Authentication & Authorization: First, make this optional, since some customers have good reasons to keep the user and group information for your application separate. But where they can, make the customer’s Active Directory the sole source of truth for authentication and authorization. That way only the customer controls who has access and to what, and a user removed from their directory loses access to your application at the same moment, with no separate account for you to forget to disable.

4. Use a 3rd Party to Get & Store Credit Cards: To collect a card, use a payment provider such as Square whose own hosted form prompts for and stores the card number; you receive a token that refers to the card and, at most, the last four digits. Never touch the full card number, not even to read it and pass it on: the moment it crosses your servers (or lands in your logs), it is in scope for PCI DSS and your compliance burden grows accordingly.

5. Use SetParameter() for any Parameter in a SQL (or OData, XPath, etc.) Query: Pass user-supplied values as bound parameters, never by string substitution or any other technique that splices user input into the query text and opens you up to an injection attack. Besides the security benefit, this makes your code robust against perfectly legitimate input that happens to contain quoting or separator characters, such as O’Malley, Smith & Sons or Coffee;Tea;Milk. Note that parameters can only carry values; table names, column names, sort orders and the like cannot be bound, so if those come from the user, check them against a fixed allow-list instead.


6. Use a Robust Hosting Service (AWS, Azure, etc.) and Make Full Use of the Security they Offer: The major hosting providers already supply network isolation, identity and access management, managed key stores, encrypted storage and audit logging as part of their platforms. Take full advantage of them rather than building, and then maintaining, your own versions.

7. Engage a Secure SDLC Process —Focus on Security Right from the Start: Instead of bolting security onto a finished SaaS application, bake it into your Software Development Life Cycle (SDLC) from the beginning: threat modelling during design, secure coding standards and code review during development, and security testing before release. Vulnerabilities found at the development stage are far cheaper to fix than those found after launch, and you avoid the setbacks of a last-minute security scramble.
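As an added example for item 5 (this is not code from the original post or from Windward), the following Python script puts the string-spliced version of a customer lookup next to the parameterized one, using an in-memory SQLite table filled with constructed sample names. The table, the names and the ALLOWED_SORT_COLUMNS allow-list are assumptions made for the example. It also covers the case parameters do not handle: a user-chosen sort column, which has to be checked against an allow-list because identifiers cannot be bound.

```python
import sqlite3

# Constructed sample data for this example (not from the original post). The
# names deliberately contain the quoting and separator characters the text
# mentions, plus one ordinary name.
SAMPLE_CUSTOMERS = [
    ("O'Malley", "gold"),
    ("Smith & Sons", "silver"),
    ("Coffee;Tea;Milk", "bronze"),
    ("Acme Corp", "gold"),
]

# Hypothetical allow-list of columns a caller may sort by.
ALLOWED_SORT_COLUMNS = {"name", "tier"}


def make_db():
    """Build an in-memory SQLite database holding the sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, tier TEXT)")
    # executemany with '?' placeholders is itself the parameterized pattern.
    conn.executemany("INSERT INTO customers (name, tier) VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def find_by_name_unsafe(conn, name):
    """VULNERABLE: the user-supplied name is spliced into the SQL text.

    A quote in the input ends the string literal early, so the rest of the
    input is parsed as SQL. Legitimate input like O'Malley breaks the query;
    hostile input rewrites it.
    """
    sql = f"SELECT name FROM customers WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_safe(conn, name):
    """Parameterized: the value travels separately from the query text.

    The engine binds it as data, so it can never alter the statement's
    structure, whatever characters it contains.
    """
    sql = "SELECT name FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def unsafe_query_fails_on(conn, name):
    """True if the string-built query cannot even be parsed for this input."""
    try:
        find_by_name_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def sort_column_is_allowed(column):
    """Identifiers cannot be bound as parameters; check them against an allow-list."""
    return column in ALLOWED_SORT_COLUMNS


def list_names_sorted(conn, column):
    """Safe dynamic ORDER BY: only an allow-listed identifier reaches the SQL text."""
    if not sort_column_is_allowed(column):
        raise ValueError(f"sort column not permitted: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM customers ORDER BY {column}, name")]


if __name__ == "__main__":
    conn = make_db()
    attack = "' OR '1'='1"
    print("unsafe, O'Malley  ->", "query error" if unsafe_query_fails_on(conn, "O'Malley") else "ok")
    print("unsafe, injection ->", find_by_name_unsafe(conn, attack))   # every row leaks
    print("safe,   O'Malley  ->", find_by_name_safe(conn, "O'Malley"))
    print("safe,   injection ->", find_by_name_safe(conn, attack))     # nobody has that name
    print("sorted by tier    ->", list_names_sorted(conn, "tier"))
```

The same rule carries over to the OData and XPath queries the text mentions: any input that reaches the query text must go through the library's parameter or variable mechanism, not string concatenation, and anything that has to be part of the query text itself (a field name, a sort direction) is validated against a fixed list first.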

Certification

The next big step after the above is certification. This is where it starts to get expensive. Certification and agile development are also in direct conflict, because a certification applies to a specific build of the program: as soon as you change one line (and with agile you make several changes each week), that build is no longer the certified one.


When you get certified, you will likely need to then offer your application in three versions:

Certified – this is the version that was certified. You publish a list of known bugs for this version, but nothing in it is ever fixed.

Certified + bug fixes – this is the certified version with any serious bugs fixed. It is no longer certified, but the changes from the certified version are minimal and easy to audit.

Latest – the latest fully tested version from your ongoing agile development. As time goes on it will diverge further and further from the certified version.

Then once a year (or at whatever cadence your customers need), you get the current agile version certified and start the three releases over again.

Windward takes security seriously, which is why we offer the best-in-class document automation software that's secure and safe to use no matter where and how you work.

If you've just discovered us, we're excited. Learn more about Windward and get your 14-day free trial to start creating documents quickly with our low/no code solutions.


Written by: Genesis Abel
Windward © 2021 All Rights Reserved.
