A practical checklist for reviewing SaaS application security across authentication, tenant isolation, access control, API behavior, user workflows, integrations, billing logic, and sensitive data exposure.
SaaS Security Review Areas
SaaS security extends far beyond authentication. Modern products rely on tenant isolation, authorization, APIs, integrations, billing workflows, and business logic all working together. Use this checklist to review the areas where real-world SaaS security failures most commonly occur before releasing new features or onboarding customers.
Authentication & Account Security
- Protect signup, login, password reset, and recovery flows
- Require strong authentication for admin and sensitive areas
- Prevent account enumeration through response differences
- Review MFA enrollment and recovery logic
- Validate email change and account ownership workflows
Session & Token Management
- Use Secure, HttpOnly, and SameSite cookie settings where applicable
- Invalidate sessions after logout, password change, and account removal
- Review token lifetime, refresh behavior, and scope
- Prevent session reuse after role or tenant changes
- Validate token state server-side on sensitive actions
Tenant Isolation
- Confirm users cannot access another tenant’s data
- Review workspace, organization, account, and team boundaries
- Test tenant filters across dashboards, search, reports, and exports
- Validate tenant context in background jobs and integrations
- Confirm inactive or deleted tenant records are not accessible
Access Control & Roles
- Document role and permission boundaries
- Enforce permissions server-side for every sensitive action
- Test Admin, Manager, Member, Viewer, Guest, and invited roles
- Verify demotion, removal, and suspension behavior
- Prevent client-controlled role or permission changes
Object Ownership & IDOR/BOLA
- Validate ownership on every object-level request
- Review files, reports, invoices, users, teams, comments, and billing records
- Confirm authorization applies across GET, POST, PATCH, PUT, and DELETE
- Test nested objects and related resources
- Add regression coverage for ownership validation
API & GraphQL Exposure
- Review REST and GraphQL endpoints for authorization gaps
- Validate resolver-level access control and mutation permissions
- Prevent overly broad API and nested GraphQL responses
- Review rate limits, pagination, and query complexity controls
- Confirm mobile, legacy, and internal APIs enforce the same rules
Invite & User Management
- Test invite creation, acceptance, cancellation, and resend flows
- Prevent invited users from selecting unauthorized roles or tenants
- Review team membership and role assignment logic
- Invalidate old invites and removed-user sessions
- Validate user management actions server-side
Billing, Plans & Usage Limits
- Validate plan limits and seat limits server-side
- Review billing, upgrade, downgrade, and cancellation workflows
- Prevent direct API calls from bypassing payment or entitlement checks
- Confirm usage counters cannot be manipulated by client-controlled values
- Protect invoices, payment metadata, and subscription state
Business Logic & Workflow Abuse
- Review approval flows and state transitions
- Prevent repeated use of one-time actions
- Validate workflow order and required steps server-side
- Test direct API calls against product-critical actions
- Confirm business-rule failures deny state changes safely
Sensitive Data Exposure
- Remove unnecessary fields from API responses
- Protect emails, billing data, tokens, metadata, roles, and hidden fields
- Review error messages for internal details
- Confirm exports and reports only include authorized data
- Validate access to deleted, archived, or inactive records
Integrations & Third-Party Connections
- Review OAuth, API key, and connected-account flows
- Protect integration tokens and webhook secrets
- Validate tenant boundaries in sync jobs and webhooks
- Confirm third-party actions require current authorization
- Review connector permissions and data-sharing scope
File Uploads, Exports & Reports
- Validate upload ownership and file access permissions
- Restrict export endpoints by role, tenant, and object ownership
- Review generated reports for cross-tenant data leakage
- Protect attachments, invoices, and bulk downloads
- Log sensitive export and report generation activity
Logging, Monitoring & Audit Trails
- Log failed authorization and tenant-boundary checks
- Alert on object-ID probing and repeated denied access
- Capture audit trails for admin, billing, invite, and export actions
- Monitor unusual workflow and integration activity
- Document evidence for remediation and retesting
Security Headers & Browser Protections
- Review Content Security Policy coverage
- Confirm HSTS is enabled where appropriate
- Use Secure, HttpOnly, and SameSite cookie protections
- Add clickjacking protection for sensitive app areas
- Validate CORS origins, methods, and credentials behavior
Release Readiness & Retesting
- Review new features before release and customer onboarding
- Retest fixes across related endpoints and roles
- Verify alternate routes, mobile APIs, and legacy paths cannot bypass fixes
- Document affected roles, objects, tenants, and workflows
- Add regression tests for critical SaaS security paths
SaaS Security Review Flow
Every sensitive SaaS action should pass authentication, session validation, tenant isolation, authorization, ownership validation, and business-rule enforcement before data is returned or state changes are accepted.
Common SaaS Security Mistakes
Frontend-only authorization
Review this behavior across roles, tenants, workflows, APIs, and customer-facing product paths.
Weak tenant isolation
Review this behavior across roles, tenants, workflows, APIs, and customer-facing product paths.
Missing ownership checks
Review this behavior across roles, tenants, workflows, APIs, and customer-facing product paths.
Overly broad API responses
Review this behavior across roles, tenants, workflows, APIs, and customer-facing product paths.
Unsafe exports
Review this behavior across roles, tenants, workflows, APIs, and customer-facing product paths.
Invite workflow abuse
Review this behavior across roles, tenants, workflows, APIs, and customer-facing product paths.
Billing bypasses
Review this behavior across roles, tenants, workflows, APIs, and customer-facing product paths.
GraphQL authorization gaps
Review this behavior across roles, tenants, workflows, APIs, and customer-facing product paths.
Stale sessions
Review this behavior across roles, tenants, workflows, APIs, and customer-facing product paths.
Integration token leakage
Review this behavior across roles, tenants, workflows, APIs, and customer-facing product paths.
When to Request a Manual Review
Automated scanners frequently miss SaaS weaknesses because the risk depends on tenant context, roles, object relationships, workflows, integrations, and business rules.
- IDOR/BOLA
- Tenant isolation failures
- Business logic flaws
- Role boundary issues
- Invite workflow abuse
- Billing bypasses
- GraphQL authorization gaps
- Cross-tenant data exposure
Need a Manual SaaS Security Review?
The Hidden Finds performs manual SaaS security reviews focused on access control, tenant isolation, APIs, business logic, integrations, and product-specific abuse paths that automated scanners frequently overlook.