Today I’m going to answer a question from Ronan, the Product Director of a growing startup in the transport industry. His question is…

How can a startup build a high-standard SaaS software for large companies?

Before answering this question, let’s add a bit of context.

Ronan and his team recently developed a new solution. It went through the pilot phase and now needs to be deployed for large companies. But large companies’ expectations are usually higher than those of startups.

So to make it through, let’s see what high expectations entail and how to achieve them.

Are you compliant?

Reaching a high standard means providing the reliability and the security required to protect your customers’ interests.

There are literally hundreds of certifications, and you will not need all of them, of course. The good news is that by applying “best practices,” you will become compliant with most of them. But that is going to require some work, for sure.

This channel is not called “My CISO Friend” because I’m not a Chief Information Security Officer (CISO). But I can definitely give you a few principles that are worth following, and that will help you live up to large companies’ expectations.

Best practices

1. Personal data belongs to the end user

One of the best-known rules is to give every individual access to their own data, with the ability to modify it or delete it. This came up recently with the GDPR (General Data Protection Regulation).

2. Set up a quality assurance/testing process

Software quality will always depend on software testing, so having a test process before pushing software to production is a requirement.

These days, we talk a lot about continuous integration and continuous deployment, which consist of deploying new features of your app after running automated tests.

That’s great, and I highly recommend this principle. But these practices are not required to reach a high-quality standard.

What is a requirement is to have a well-defined process.

Quality assurance

  • Developers deliver packaged versions 
  • Product team runs conformity and quality checks 
  • Production team deploys the app and keeps it up and running 24/7 
  • Customer support team handles customer requests 

Behind that quality assurance process, there are several recommendations to consider.

3. Control your employees

Most security issues come down to bad account management. So when an employee leaves your organization, you should have a script that removes all the access they might have.

Related rules include:

  • Physical access to your office 
  • Password renewal policies 
  • Security training for your employees, etc. 

4. Log everything

Another rule is to log everything. Whenever an intrusion has been carried out by a hacker, the first thing to do is to analyze what happened, then fix the vulnerabilities, and remediate whatever impact the intrusion had.

None of this is possible without logs. If you don’t know what logs are, they’re just simple text files where a new line is added for every request, every change, every connection or event that took place in a piece of software or on a server.

5. Have external backups with multiple versions

Let’s talk about backups now.

I recently came across a startup that had to perform a backup restoration. Unfortunately, they realized that the backups were erased every time they deployed a new version. That still worked as a backup for the current version, but if you need to restore a previous file that was deleted two days ago, this type of backup is useless. So, double-check that your backups are stored with a second hosting provider and with multiple versions.
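As an added illustration (my own example, not code from this post), here is a snapshot routine that never overwrites an earlier backup and keeps a fixed number of versions, so the "deleted two days ago" file is still recoverable. The `offsite` folder is an assumed stand-in for the second hosting provider; in practice that copy would go to another provider's storage.

```python
"""Versioned off-site snapshots with retention (constructed example)."""
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

def list_snapshots(backup_root: Path) -> list:
    """Snapshots sorted oldest to newest (folder names are UTC timestamps, so they sort)."""
    return sorted(p for p in backup_root.iterdir() if p.is_dir())

def prune(backup_root: Path, keep: int) -> list:
    """Delete everything but the newest `keep` snapshots; return what was removed."""
    snaps = list_snapshots(backup_root)
    removed = snaps[:max(len(snaps) - keep, 0)]
    for old in removed:
        shutil.rmtree(old)
    return removed

def snapshot(src: Path, backup_root: Path, keep: int, when: Optional[datetime] = None) -> Path:
    """Copy `src` to a NEW timestamped folder (never overwriting an earlier one), then prune."""
    when = when or datetime.now(timezone.utc)
    dest = backup_root / when.strftime("%Y%m%dT%H%M%SZ")
    shutil.copytree(src, dest)
    prune(backup_root, keep)
    return dest

def restore(backup_root: Path, target: Path, version: Optional[Path] = None) -> Path:
    """Rebuild `target` from the chosen snapshot (default: the newest one)."""
    chosen = version or list_snapshots(backup_root)[-1]
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(chosen, target)
    return chosen

def demo() -> dict:
    """The scenario from the text: three releases, then a restore of the first one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app, offsite = root / "app", root / "offsite"  # "offsite" stands in for the second provider
        app.mkdir()
        offsite.mkdir()
        for day in (1, 2, 3):
            (app / "config.yml").write_text(f"version: {day}\n")  # each release overwrites the file
            snapshot(app, offsite, keep=3, when=datetime(2024, 1, day, tzinfo=timezone.utc))
        versions = list_snapshots(offsite)
        restore(offsite, root / "restored", version=versions[0])
        restored = (root / "restored" / "config.yml").read_text()
        removed = [p.name for p in prune(offsite, keep=2)]  # tightening retention drops the oldest
        return {"kept": len(versions), "restored": restored, "removed": removed}
```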

6. Control access to your infrastructure

This next one is the most obvious but is still the most important.

External connections to your infrastructure should only come from secure connections with multiple authentication layers.

Good standard

  • Deploy a VPN to control which computers are allowed to connect to your production network. A VPN, or Virtual Private Network, is a secure network connection usually established over the internet.
  • Use a bastion server. A bastion server should be the only server reachable through your VPN, and only people working for you should access it, each with an individual account. Once connected, your team gets access to the real servers or the database where you store the software and user information.
  • Use application-layer or server authentication.

7. Run stress tests and security checks

Another good practice, after controlling authorized access to your servers, is to search for ways unauthorized access could happen and to test your app’s behavior under high traffic. These types of tests are very important and lead the team to improve their development methodologies.

8. Apply best practices on development

Talking about security brings me to development best practices. Young developers are often the ones responsible for security breaches.

To help your team develop a better app, have them study the OWASP project at owasp.org, which will enable them to better understand software security and develop more secure apps.

9. Deploy a WAF (web application firewall) 

Once you’ve done everything possible to secure your application, the last thing to do is to put in place a WAF. 

A web application firewall is like an anti-virus for your app. It analyzes every connection to your app and detects suspicious behavior. If someone tries to send unusual code or log in hundreds of times in a single minute, the WAF will deny similar connections for a certain amount of time. That will dramatically increase your solution’s security.
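An added example (my own, not code from this post) that ties the logging rule in point 4 to the WAF behavior described here: it replays constructed request-log lines, counts failed logins per client inside a one-minute window, and denies that client for a while once it crosses the threshold. The log format, the thresholds and the sample lines are all my assumptions.

```python
"""Detect and temporarily deny brute-force logins from request logs (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed log format: <iso timestamp> <client ip> "<method> <path>" <status>
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "\S+ (?P<path>\S+)" (?P<status>\d{3})$')

def parse_line(line):
    """Return (timestamp, ip, path, status), or None for a line that does not match."""
    m = LINE_RE.match(line)
    return None if m is None else (datetime.fromisoformat(m["ts"]), m["ip"], m["path"], int(m["status"]))

class LoginRateLimiter:
    """Deny an IP for `block_for` once it makes `threshold` failed logins inside `window`."""
    def __init__(self, threshold=3, window=timedelta(minutes=1), block_for=timedelta(minutes=15)):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
        self.blocked_until = {}             # ip -> time the temporary block expires
    def record(self, now, ip, path, status):
        """Feed one request; return True if it should be denied."""
        if now < self.blocked_until.get(ip, datetime.min):
            return True
        if path == "/login" and status == 401:
            recent = self.failures[ip]
            recent.append(now)
            while now - recent[0] > self.window:  # forget failures older than the window
                recent.popleft()
            if len(recent) >= self.threshold:
                self.blocked_until[ip] = now + self.block_for
                recent.clear()
                return True
        return False

def replay(lines, limiter=None):
    """Run the limiter over log lines; return (timestamp, ip, path) of every denied request."""
    limiter = limiter or LoginRateLimiter()
    denied = []
    for ts, ip, path, status in filter(None, map(parse_line, lines)):
        if limiter.record(ts, ip, path, status):
            denied.append((ts.isoformat(), ip, path))
    return denied

# Constructed sample: one user with a single typo, one client hammering /login.
SAMPLE_LOG = """\
2024-05-01T10:00:01 192.0.2.10 "POST /login" 401
2024-05-01T10:00:05 10.0.0.9 "POST /login" 401
2024-05-01T10:00:06 10.0.0.9 "POST /login" 401
2024-05-01T10:00:07 10.0.0.9 "POST /login" 401
2024-05-01T10:00:08 10.0.0.9 "GET /dashboard" 200
2024-05-01T10:20:00 10.0.0.9 "GET /dashboard" 200
""".splitlines()
```

The single failure from 192.0.2.10 is never denied, the third failure from 10.0.0.9 triggers the block, the request one second later is refused, and the one twenty minutes later is allowed again.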

10. Gather all your technical information in a DRP (disaster recovery plan) 

Finally, after building secure software and infrastructure, setting up backups, etc., you will need a clear procedure to restore your app in the event that something happens.

The data center where your infrastructure runs might lose power, or there might be an earthquake or something similar. Data centers do their best, but life is unpredictable.

That’s why I recommend having a backup with a second hosting provider. This way, you can rebuild your entire infrastructure with up-to-date data as quickly as possible.

Here’s where the disaster recovery plan comes into play: it’s THE entire procedure to rebuild everything from scratch, restoring the latest application and the available synced data.

Conclusion

Now that we’ve covered the main principles to reach a high standard, make sure you look out for the next video where I will go deeper into the process of building the DRP so you can better secure and sell your solution to bigger companies.

In the meantime, if, like Ronan, you have a specific question about your project, just go ahead and post it on myctofriend.co/ask.

I will do my best to answer your question in a video or redirect you to any existing content that will answer it.

Also, be sure to go through our other content here at myctofriend.co to learn more from real startup growth experiences and better manage your startup development.

I’ll be waiting for your questions, and I look forward to seeing you in other videos.