A flurry of excitement and schadenfreude has flown around the SaaS community as apparently serious security flaws were highlighted in the beta version of SageLive. This is a clear example of the seriously difficult technical challenges that face anyone trying to build their own SaaS platform from the ground up. Recognizing that our domain expertise is firmly Accounting rather than web security, CODA decided that a better route was to build on an established SaaS platform with best practices designed, implemented and managed by one of the proven SaaS leaders.
As a result, the CODA 2go application inherits strong security features including password encryption, access restricted by IP address, and anti-phishing e-mail challenge/response mechanisms. The platform’s SAS 70 Type II certification shows that a rigorous third-party audit has confirmed that industry best practices are being adhered to on salesforce.com.
Another key benefit we see is that as new best practices and authentication methods come along in the future, our application can simply inherit those capabilities from the platform. Whenever the question “how do I know your platform is secure?” comes along, I point people in the first instance to http://trust.salesforce.com/, which does a great job describing all the security mechanisms in place on Force.com and how seriously salesforce.com takes this issue.