Principal Engineer, Hangar

Last year, one of our startups needed to buy a SaaS product (case management and workflow software). There were several promising vendors, all with products that looked impressive. Technically, all had the features and APIs we were looking for. However, we had security concerns. We planned on storing extremely sensitive data in this tool, and wanted to understand their security posture before we selected a vendor. This is a common problem; you’ve probably run into it yourself. With SaaS software, how do you verify its security? As an industry, our answers are … poor. We have various certifications (PCI, HIPAA/HITECH, FedRAMP, etc.), but all too often these are box-ticking exercises with no real security value – just ask SolarWinds.