there are so many cool SaaS tools you can use to check security configurations... so if ur not into running nix command line tools and custom scripts you can still go take a look at common low hanging fruit! I've been using Shields Up since many many many years ago
so let's do a quick thread.. inbound traffic... use https://www.grc.com/default.htm  SHIELDS UP!
you wanna check a site's TLS? head over to https://www.ssllabs.com/ssltest/
now the main limitation here is that it won't scan custom ports (so back to sslscan etc. on nix if that's ur scenario)
See, easy peasy, and it doesn't take that long.... at the end you will see a GRADE score (a letter). now the devil is in the detail: A+ is great, but it doesn't mean u'll get pwn3d if not everything is configured.
so whilst that runs we should go check out MX records over at: https://mxtoolbox.com/
CONFIGURE DMARC/DKIM and SPF policies! go do it now! stop people impersonating ur brand! :) also move to hard fail rules... all those soft fails are pointless (ok, monitor first)
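A quick offline check for exactly that "soft fail vs hard fail" point, added here as an example and not part of the original thread: it rates SPF and DMARC TXT records on whether spoofed mail actually gets rejected. The sample records are constructed; real ones come from the TXT record at the domain (SPF) and at _dmarc.<domain> (DMARC).

```python
import re

# Constructed sample records (not real domains). Real ones are the TXT record at
# the domain itself (SPF) and at _dmarc.<domain> (DMARC).
SAMPLE_SPF_SOFT = "v=spf1 include:_spf.example.net ip4:198.51.100.0/24 ~all"
SAMPLE_SPF_HARD = "v=spf1 include:_spf.example.net ip4:198.51.100.0/24 -all"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_ENFORCE = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

def check_spf(record: str) -> list[str]:
    """Findings for an SPF TXT record; an empty list means hard fail is enforced."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # The 'all' mechanism decides the fate of senders not matched by earlier terms.
    alls = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not alls:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    return {
        "-": [],  # hard fail: unlisted senders are rejected
        "~": ["~all soft fail: spoofed mail is only marked, not rejected"],
        "?": ["?all neutral: SPF gives no verdict at all"],
        "+": ["+all: every sender on the internet passes SPF"],
    }[qualifier]

def check_dmarc(record: str) -> list[str]:
    """Findings for a DMARC TXT record; an empty list means reject on all mail."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitor only, nothing is quarantined or rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    sub_policy = tags.get("sp", policy).lower()  # subdomain policy defaults to p
    if policy == "reject" and sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains are weaker than the main policy")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so you can't monitor before hardening")
    return findings
```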
so our TLS/SSL scan has completed for this IP. we can see here everything is good except it supports TLS 1.0 and 1.1 - there's probably a reason - they want to support legacy browsers. if u can migrate totally to TLS 1.3 u should, but some people will choose not to
see, u can see here there are all these weak ciphers.. so if ur concern is people with many SUPERCOMPUTERS then disable them :P
so that's MX, TLS and ingress ports (to ur egress IP, so remember to check all of them). also think about egress: u wanna be blocking risky ports e.g. (21, 25, 22, 445, 138, 139, 3389) to the internet really (from endpoints, not specific server roles)
ok so what else can we do (security on a SaaS budget :P )? well we can check content security policies! look weeeeeee! now these can protect against UI Redress (clickjacking) and cool stuff like XSS. be careful tho, u can break ur site if u get these wrong, so TUNE the config :)
now let's go further... let's hunt for other web tools! Immuniweb offer a site scanner https://www.immuniweb.com/websec/ 
clearly it says free so ur the product :P lol but if ur using SaaS ur almost always the product anyway :P
now's the time to get another cup of tea whilst this runs. it runs A LOT of checks... well it says it does (i'm not monitoring it coz it's too fkin early)
take those headings with a pinch of salt... being GDPR compliant here DOES not mean anything in reality to ur data controller/processor risks and obligations. the technical controls u use r up to u
nearly ready.. it's not super fast :P
while that runs - no SaaS exploration will be complete without @shodanhq so get ur butts checking ur exposed ports! shodan also has a vuln detection capability which is super awesome (u need to validate them coz it uses passive checks) https://www.shodan.io/
lol this tool is err... i think broken :P but yolo it's free
so at the end you get a summary and you can download a PDF :)
my overall point here is that you can kill some low hanging fruit with low cost. but like with anything, just knowing there are some configuration changes required etc. doesn't make them occur!
but u can run these as anyone in the world :P literally i'll go round a conference checking things from an iPhone :) whilst i'm getting a sales pitch in one ear from AI pentesting firms i'm checking their shit :)
You can follow @UK_Daniel_Card.