Security for Legal SaaS
A podcast series covering every layer of security required to build, deploy, and operate a production legal technology SaaS product. From first principles of threat modelling through to SOC 2 audits and incident response runbooks — each episode is a self-contained deep dive, typically 7–9 minutes, that builds on the last. For educational purposes only — does not constitute legal or security advice. About →
62 episodes · 12 modules · ~11 hours · Watch on YouTube
Module 1 — Foundations: Thinking Like an Attacker
Episode 1
What Is a Threat Model?
Why “we’ll add security later” is the most expensive sentence in software. The four questions every threat model answers. Assets, adversaries, and attack vectors for a product that handles privileged documents. A real-world example: an adversary-supplied contract containing hidden instructions.
Episode 2
The STRIDE Framework
Six categories of threat — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege — each demonstrated through legal tech scenarios. Walking through a STRIDE analysis of a document review workflow.
Episode 3
Attack Surfaces in Legal Tech
Comprehensive attack surface mapping for legal AI SaaS. Document ingestion as critical attack vector. The distinctive threat profile where users handle confidential information belonging to adversarial parties.
Episode 4
Defence in Depth
The medieval castle model applied to SaaS architecture. Practical layering from network perimeter to audit logging. Assume-breach mentality and the single-provider trap. Case study: plaintext API key turns SQL injection into account takeover.
Episode 5
The CIA Triad Meets Legal Privilege
Reframing confidentiality, integrity, and availability for legal technology. Privilege-preserving architecture that goes beyond encryption. Case studies: Panama Papers, DLA Piper NotPetya, Grubman Shire Meiselas & Sacks.
Module 2 — How the Web Works
Module 3 — Application Security
Episode 7
Input Validation and Sanitisation
Allowlists versus denylists. Server-side versus client-side validation. Domain-specific patterns for legal citations, court codes, and statute references. Why silent sanitisation masks attacks and validation failures are security signals.
Episode 8
SQL Injection and ORM Safety
The attack that won’t die — from the MOVEit breach to second-order injection. Parameterised queries, ORM escape hatches, PostgreSQL Row-Level Security, and why this solved problem keeps causing catastrophic breaches.
Episode 9
Cross-Site Scripting
Stored, reflected, and DOM-based XSS. Context-aware output encoding, Content Security Policy, DOMPurify for rich text sanitisation. Why legal SaaS — with matter notes, document previews, and email rendering — has elevated XSS risk.
Episode 10
File Upload Security
Every uploaded file is an opaque blob crossing a trust boundary. Polyglot files, zip bombs, magic byte validation, sandboxed processing pipelines, storage isolation, and the specific attack vectors in PDF, DOCX, and TIFF formats that make legal document management uniquely exposed.
Episode 11
Webhook Security and SSRF
Every webhook endpoint is a door in your perimeter. SSRF and the Capital One breach. HMAC signature verification, DNS rebinding, timestamp validation, and why legal integrations with courts and payment processors demand layered defences.
Episode 12
Browser Security Headers
CORS, CSRF, CSP, HSTS, X-Frame-Options — the alphabet soup that turns your users’ browsers from liability into defence. Clickjacking, cross-origin data theft, and why a single misconfigured header can expose every privileged document.
Module 4 — Transport Security
Episode 13
TLS and HTTPS from Scratch
The TLS 1.3 handshake, forward secrecy, certificate lifecycle, Let’s Encrypt automation, cipher suite selection, and why supporting TLS 1.0 for a legacy court system should never degrade your entire application’s security posture.
Episode 14
API Gateway Patterns and Rate Limiting
API gateways as a single security enforcement point. Rate limiting algorithms (fixed window, sliding window, token bucket, leaky bucket), per-user and per-endpoint limits, circuit breakers, and legal-specific attack scenarios — document download abuse, search enumeration, and e-filing deadline denial.
Episode 15
Service-to-Service Authentication
Mutual TLS, service mesh architecture, JWT service tokens, and network segmentation. Why internal services need to prove their identity to each other — and what happens when “trust the network” meets a breach.
Module 5 — Authentication & Identity
Episode 16
Email Security for SaaS
SPF, DKIM, and DMARC — the email authentication triad. Magic link vulnerabilities, account recovery as the nuclear option, BIMI brand indicators, MTA-STS for forced TLS, and multi-tenant email isolation with per-firm subdomains.
Episode 17
Password Hashing Done Right
Why “encrypted passwords” is the wrong mental model. Argon2id versus bcrypt versus scrypt, salt generation, timing attacks, NIST SP 800-63B password policies, credential stuffing defence, and calibrating work factors for legal SaaS.
Episode 18
JWT Anatomy and Pitfalls
Inside the three-part structure of JSON Web Tokens. Algorithm confusion attacks, the “none” algorithm vulnerability, token revocation strategies, refresh token rotation, and why JWTs work for API access but fail for session management.
Episode 19
Session Management
Server-side sessions versus client-side tokens. Session fixation, rotation on privilege changes, concurrent session limits, idle and absolute timeouts, and the legal-specific requirement for immediate termination when a lawyer leaves a firm.
Episode 20
OAuth 2.0 and OpenID Connect
The Authorization Code flow with PKCE, why Implicit flow is dead, scope design for legal SaaS, OpenID Connect identity layer, and the unique challenges of court system and legal database integrations that don’t speak OAuth.
Episode 21
Multi-Factor Authentication
In Episode 17, we examined how passwords are stored securely using hashing algorithms like bcrypt and Argon2id. But even a perfectly hashed password has a fundamental limitation: it is a single factor. If an attacker obtains a user's password — through phishing, credential stuffing, a breach of another service, or simple guesswork — they have everything they need to impersonate that user.
Episode 22
SSO, SAML and Enterprise Identity
When a 200-lawyer firm evaluates your legal SaaS platform, Single Sign-On is rarely optional. SSO — the ability to log in once through the firm's own identity provider and gain access to every connected application — is a security requirement, not a convenience feature. And from a vendor's perspective, saying yes to SSO is one of the smartest security decisions you can make, because it shifts authentication management to the client's own IT team.
Module 6 — Authorization & Access Control
Episode 23
RBAC — Roles, Permissions and Scopes
Authentication answers "who are you?" Authorization answers "what are you allowed to do?" In Episode 22, we covered how SSO and SAML let firms manage who can log in. But once a user is authenticated, your application must decide what they can see, edit, delete, and administer. Get this wrong, and a junior paralegal can access partner-level billing data — or worse, a client can view another client's privileged litigation strategy.
Episode 24
ABAC and Policy Engines
In Episode 23, we built a role-based access control model with five or six roles: Firm Admin, Partner, Associate, Paralegal, Client Viewer. That covers 80% of access decisions. This episode is about the other 20% — the decisions where a role alone doesn't carry enough information. Consider this scenario: an associate in the M&A practice group needs access to M&A matter documents during business hours from the firm's network. RBAC can tell you they're an associate.
Episode 25
Ethical Walls and Matter-Scoped Access
Two partners at the same firm. One advises the acquiring company. The other advises the target. Same firm, opposite sides of the same transaction. If either partner sees the other's client communications — deal strategy, negotiation positions, privileged legal advice — it's not just a security incident. It's a professional ethics violation that can result in disqualification, sanctions, and malpractice liability.
Episode 26
Zero Trust Architecture
For decades, network security operated on a simple assumption: everything inside the corporate network is trusted, everything outside is not. The firewall was the castle wall. If you were inside — physically in the office or connected to the VPN — you could access internal resources freely. That model is dead. Remote work, cloud services, and SaaS applications mean that the "inside" and "outside" distinction no longer exists.
Episode 27
Multi-Tenant Data Isolation
Your legal SaaS platform stores data for 50 law firms. Firm A's privileged litigation strategy. Firm B's M&A deal terms. Firm C's client communications about a pending regulatory investigation. If Firm A ever sees Firm B's documents, you don't have a bug — you have a lawsuit, a breach notification obligation, and likely the end of your company. Multi-tenant data isolation is the architectural foundation that prevents this.
Module 7 — Data Protection & Encryption
Episode 28
Encryption at Rest vs. in Transit
Data exists in two states: at rest (stored on a disk, in a database, on a backup tape) and in transit (moving between your browser and a server, between microservices, between data centres). Each state faces a different threat: You need both. Encrypting data in transit without encrypting it at rest means a stolen database backup exposes everything in plaintext. Encrypting at rest without encrypting in transit means an attacker on the network can read data as it flows between services.
Episode 29
Key Management and Rotation
In Episode 28, we covered encryption at rest and in transit — the two fundamental layers that protect legal data from eavesdroppers and stolen disks. But encryption without proper key management is theatre. A key stored next to the data it protects is like locking a filing cabinet and taping the key to the front. The lock exists, but the security does not.
Episode 30
Secrets Management
In Episode 29, we covered cryptographic key management — the infrastructure protecting your encryption keys. But encryption keys are only one type of secret your application depends on. Every legal SaaS platform runs on dozens of secrets: database passwords, API keys for e-filing integrations, LLM provider tokens, OAuth client secrets, SMTP credentials, and webhook signing keys. If any of these leak, an attacker doesn't need to break your encryption — they walk through the front door.
Episode 31
PII Handling and Anonymisation
Most SaaS platforms handle personally identifiable information (PII) — names, email addresses, phone numbers. Legal SaaS platforms handle PII that is often simultaneously legally privileged. A client's name attached to a litigation strategy memo. A witness's home address in a deposition transcript. Financial records produced in discovery.
Episode 32
Database Security Hardening
Every security control we have discussed in this series — authentication, encryption, input validation, access control — exists to protect the data that ultimately lives in your database. Client communications, case strategy, financial records, privileged documents — they all converge in one place. If an attacker reaches your database with unrestricted access, every other defence has failed.
Module 8 — AI-Specific Security
Episode 33
Prompt Injection Attacks
This episode begins a new module focused on security threats unique to AI-powered legal technology. Over the next several episodes, we will cover prompt injection, RAG poisoning, embedding security, model inversion, and governed writes. We start with the vulnerability that the OWASP Top 10 for LLM Applications ranks as the number one risk: prompt injection. We first introduced prompt injection in Episode 1 as part of the threat modelling overview.
Episode 34
RAG Poisoning and Document Trust Tiers
Retrieval-Augmented Generation (RAG) is the most common architecture for AI-powered legal tools. Instead of relying solely on the model's training data, a RAG system retrieves relevant documents from a knowledge base and includes them in the model's context before generating a response. This is how legal research tools find relevant case law, how contract review systems reference clause libraries, and how document summarisation tools pull from firm knowledge bases.
Episode 35
Embedding Security and Vector Database Isolation
In Episode 8, we covered Row-Level Security (RLS) in PostgreSQL — the database engine automatically filtering queries so that Tenant A can never see Tenant B's data. In Episode 32, we hardened the database with network isolation, audit logging, and least-privilege access. Your relational database has decades of security architecture behind it. Your vector database does not. Vector databases — Pinecone, Weaviate, Qdrant, Milvus, pgvector — are the storage layer for AI-powered legal tools.
Episode 36
Model Inversion and Membership Inference
In Episode 35, we explored how vector databases can leak tenant data through embedding similarity queries. This episode moves one layer deeper: what happens when the model itself becomes the leak? Model inversion and membership inference are two classes of privacy attack that target machine learning models — not their infrastructure, not their APIs, but the mathematical patterns the model learned during training.
Episode 37
Governed Writes and Human-in-the-Loop
In Episode 36, we examined how models can leak training data through inference attacks. This episode addresses a different risk entirely: what happens when AI doesn't just analyse — it acts. The principle is simple: AI systems in legal practice should propose, never dispose. They can draft a contract clause, suggest edits to a brief, classify a document, or flag a compliance risk.
Episode 38
LLM API Key Isolation and Inference Gateways
In Episode 37, we established that AI should draft and humans should approve. This episode focuses on the infrastructure connecting your legal AI to the cloud providers that power it — specifically, the API keys that authenticate every request and the gateways that should sit between your application and those providers.
Episode 39
Redaction Pipelines for Cloud AI
In Episode 38, we built the inference gateway that controls access to cloud AI providers. This episode addresses what flows through that gateway: the actual content of your prompts. Before you send a contract, a legal memo, or a case summary to a cloud LLM, you should ask a simple question — does the AI provider actually need to see your client's name, their social security number, the dollar amount of the deal, or the names of the parties in litigation?
Episode 40
Local vs. Cloud AI — Security Boundaries
In Episode 39, we built a redaction pipeline to strip sensitive data before sending prompts to cloud AI. This episode asks the next logical question: what if you skip the cloud entirely and run the AI model on your own hardware? Local AI deployment — running large language models on servers you own and control — is increasingly practical. Models like Llama, Mistral, Qwen, and Gemma can run on consumer-grade GPUs.
Module 9 — Audit, Logging & Provenance
Episode 41
Audit Log Design
Welcome to Module 9 — Audit, Logging, and Provenance. Every security control we've discussed across 40 episodes depends on one thing: a reliable record of what happened. If you can't prove a human reviewed that AI-generated filing (Episode 37), if you can't show that a prompt was redacted before reaching the cloud (Episode 39), if you can't demonstrate that API key access was properly scoped (Episode 38) — then those controls exist only in theory.
Episode 42
Hash-Chained Immutable Logs
In Episode 41, we designed audit logs that capture who did what, when, and to which resource. This episode adds the critical property that makes those logs trustworthy: tamper evidence. Specifically, we'll implement hash chains — a technique where each log entry is mathematically linked to every entry before it, so that modifying any single entry breaks a chain that is trivially detectable.
Episode 43
Provenance Chains for AI Outputs
Legal technology is moving fast. Contract review tools suggest edits. Research platforms summarise case law. Document automation systems draft entire clauses. But when a lawyer sends that AI-generated clause to a client, a question follows: where did this come from? Which documents informed it? Which model version produced it? Which user triggered the generation? And if a regulator asks six months later, can you reconstruct the chain?
Episode 44
Correlation IDs and Distributed Tracing
A lawyer using your legal SaaS platform clicks "Generate Summary" on a 200-page disclosure bundle. The spinner runs for thirty seconds. Then an error: "Something went wrong. Please try again." The lawyer contacts support. Your team opens the logs. The request touched the API gateway, the authentication service, the document parser, the AI summarisation engine, the billing service, and the audit logger. Six services, six separate log files, six different timestamps.
Module 10 — Infrastructure & Deployment
Episode 45
Docker Security and Container Hardening
Welcome to Module 10. For the next several episodes, we shift from application-level security to the infrastructure your application runs on — the containers, pipelines, dependencies, configuration, and cloud services that make up the deployment environment. A perfectly secure application deployed on poorly configured infrastructure is still vulnerable. We start with containers.
Episode 46
CI/CD Pipeline Security
CI/CD — Continuous Integration and Continuous Deployment (first introduced in Episode 12) — is the automated pipeline that takes your source code, builds it, tests it, and deploys it to production. Every time a developer pushes a code change, the pipeline runs: compile, test, package into a container (as we discussed in Episode 45), deploy.
Episode 47
Supply Chain Security — Dependencies, SBOM and Build Provenance
A modern legal SaaS platform — a contract review tool, a case management system, a document automation service — is built on hundreds or thousands of open-source packages. The Express web framework. React for the frontend. A PDF parsing library. An encryption library. An ORM for database access. Each of those packages depends on other packages, which depend on others still.
Episode 48
Environment Configuration and Secure Defaults
Your legal SaaS platform runs in multiple environments. Development, where engineers build and test features. Staging, where the team validates before release. Production, where real law firms use the platform with real client data. The security controls in each environment should be identical. The only differences should be credentials (each environment has its own database passwords, API keys, and service accounts) and scale (production has more servers, more capacity).
Episode 49
Cloud IAM and Least Privilege
Every cloud resource your legal SaaS platform depends on — databases, storage buckets, message queues, AI services, compute instances — is protected by an Identity and Access Management (IAM) system. IAM determines who can access what, under what conditions, and with what permissions. It is the control plane for your entire cloud infrastructure. The theory is straightforward: every principal (user, service, application) should have only the minimum permissions required to perform its function.
Episode 50
Developer Workstation Security
Your production servers sit behind firewalls, intrusion detection systems (IDS — software that monitors network traffic for suspicious activity), and strict access controls. Your staging environment mirrors production security policies. But the laptop sitting on your developer's desk — the one with an SSH key to every environment, saved cloud console sessions, and a browser full of logged-in admin panels — has antivirus software from 2019 and no disk encryption.
Episode 51
Trusting the AI Developer — Verifying Agent-Generated Code
AI coding agents — tools like GitHub Copilot, Cursor, Claude Code, and Amazon Q Developer — have fundamentally changed how software is written. Developers describe what they want in natural language, and an AI generates the code. For legal tech teams building contract review tools, case management systems, and e-filing integrations, these tools accelerate development dramatically.
Episode 52
Day Zero — Bootstrapping Security for a New Project
Day one is too late. The security posture of your legal SaaS platform is largely determined by decisions made before the first feature is built: which framework, which authentication library, which hosting provider, how secrets are stored, whether logging exists. These choices compound. A good foundation makes every subsequent security decision easier. A poor one creates debt that grows faster than feature code — because every feature built on an insecure foundation inherits its weaknesses.
Module 11 — Monitoring & Incident Response
Episode 53
Monitoring and Alerting Design
You've built your legal SaaS platform with secure authentication, encrypted transport, input validation, and proper access controls. But security is not a static property — it's a continuous process. Attackers don't announce themselves. A credential stuffing attack (automated login attempts using leaked passwords, as covered in Episode 14) generates thousands of failed login events over minutes. A data exfiltration attempt looks like normal API calls until you notice the volume.
Episode 54
Incident Response Playbooks
The worst time to figure out what to do during a security incident is during the incident. Adrenaline is high, information is incomplete, and every minute of delay means more data exposed or more systems compromised. Incident response playbooks — pre-written, rehearsed procedures for specific types of security events — transform a chaotic scramble into a structured process.
Episode 55
Disaster Recovery and Business Continuity
On a Monday morning, the cloud region hosting your legal SaaS platform experiences a catastrophic failure. Power outage, network partition, natural disaster — the cause doesn't matter. What matters is that hundreds of lawyers at dozens of firms cannot access their case files, their court deadlines are in hours, and your phone is ringing.
Episode 56
Security Testing in Your Development Process
If your security testing happens once a year in a penetration test, you're finding bugs 364 days too late. Every vulnerability that exists in production between pen tests is a vulnerability an attacker can exploit. The modern approach — and the only one that scales — is continuous security testing embedded in your development process, from the moment code is written to the moment it runs in production.
Episode 57
Access Reviews and Least Privilege Audits
Every legal SaaS platform accumulates permissions like a law firm accumulates filing cabinets — slowly, silently, and with nobody tracking what went in six months ago. A contract developer gets database access for a migration project. An associate joins a matter team and receives case file permissions. Both move on. The access stays. This is permission drift, and it is one of the most common findings in every compliance audit.
Episode 58
Insider Threats and Employee Access
External attackers must find a vulnerability, exploit it, and establish persistence. An insider skips all three steps. They have a valid account, they know where the data lives, and they pass every perimeter control by design. The 2024 Verizon Data Breach Investigations Report (DBIR) found that insider-driven incidents accounted for approximately 20% of all breaches, with privilege misuse as the leading action type in internal threat scenarios.
Module 12 — Compliance & Governance
Episode 59
GDPR, PDPA and Data Protection Compliance
You can have excellent security and fail a data protection audit. You can pass a data protection audit and have terrible security. The two overlap substantially but are not the same thing. Data protection law asks a different question from security engineering: not "is this system hard to breach?" but "does this system respect individuals' rights over their personal data, and can you prove it?" For legal SaaS vendors, data protection compliance sits at an uncomfortable intersection.
Episode 60
SOC 2, Penetration Testing and Security Certification
You have implemented access controls, encrypted data at rest and in transit, deployed audit logging, and built an incident response plan. Your system is genuinely secure. Now a prospective client — a 200-lawyer firm evaluating your contract management platform — asks a single question: "Can you prove it?" This is where security certifications enter the picture. They are not security controls themselves. They are structured, externally validated evidence that your controls exist and work.
Episode 61
Customer Trust and Security Reviews
It arrives in your inbox at 4:47pm on a Friday. A 300-question security questionnaire from the procurement team at a firm you've been courting for six months. Your answers — and how fast you deliver them — will determine whether you close the deal on Monday or lose it to a competitor who was ready. According to a 2026 industry survey by Tribble AI, the average enterprise SaaS vendor receives hundreds of security questionnaires per year, each containing 50 to 400 questions.
Episode 62
Security Roadmapping — From Here to Production (Series Finale)
The series finale. Sixty-one episodes of security fundamentals condensed into a practical roadmap. How to match your security posture to your company stage, three prioritisation frameworks for deciding what to build first, and the five actions to take Monday morning. Security is not a project with a finish line — it is a continuous practice.