How do I secure my SaaS startup?

Alright, this answer is by no means exhaustive, as this is a large question, but just off the top of my head, here are some thoughts:

GIT:
It's good that you're doing the merges yourself. Does that mean you're going to handle all the diffs? If you're not going to, the trust of the coder could be a POF; but if you are, then depending on the number of merges, expect to spend a lot of time doing all the diffs yourself.

Programming/Framework:
You might want to be careful about disabling CSRF protection; whenever you do that and have Flash in the mix, there can be some nasty exploits. Your best bet to prevent those is to make sure you have really solid session handling, and to verify, verify, verify any time a user is accessing a resource. You can find some more info on common CSRF stuff here: CSRF FAQs. Also, watch out for this vulnerability. I don't have a ton of familiarity with CakePHP, but my best recommendation is to make sure you sanitize, whitelist where possible, use ACLs, etc. Here is a very basic way to add a bit of additional security to your CakePHP instance.

Server Security:
I don't have a ton of experience with Capistrano, but from what I've heard it's a pretty solid tool, as long as you've grabbed a reliable fork. I would be more cognizant of vulnerabilities in the SSH handling itself, as it seems to me that is where Capistrano could most likely be exploited. As for web server security, I think Amazon is one of the best choices out there.

SSL:
I would be very wary of a wildcard cert. If one of your subdomains is compromised, so is your entire network. All it takes is one certificate authority having a vulnerability, and all of your customers and their data will be compromised. Since you're doing e-commerce, it's really important to have the highest level of security for customer data.

Summary:
All in all, I would really recommend hiring a web app security professional who is credible in the field and has experience to take a look at your application. Since you will be dealing with financial data, which is one of the most sensitive types, a solid exhaustive look at your software is very important. I know it's hard when you're just starting out, but if you don't take the time to secure your app thoroughly one exploit could bring down your entire business.

Hope that helps :)
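As an added illustration of the session-handling and "verify every resource access" advice in the answer above (example code written for this page, not from the answerer and not CakePHP's own CSRF or Security component): plain PHP that hardens the session cookie, regenerates the session id on login, issues and checks a synchronizer CSRF token with a constant-time compare, and refuses a state-changing request unless the logged-in user owns the row. Function names, the `_csrf` field name and the hard-coded invoice owner are assumptions; the array form of `session_set_cookie_params` needs PHP 7.3 or later.

```php
<?php
// Added example (not from the original answer, not CakePHP code): session
// hardening, a synchronizer-token CSRF check, and a per-request ownership
// check. Function and field names are illustrative.

declare(strict_types=1);

// --- 1. Session handling ---------------------------------------------------
function start_secure_session(): void
{
    // Cookie flags: HTTPS only, not readable by script, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject uninitialised session ids
    session_start();
}

// Call on every privilege change (login, logout) to defeat session fixation.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// --- 2. CSRF synchronizer token --------------------------------------------
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG value
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time; guard its input types first.
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// --- 3. Verify on every resource access ------------------------------------
// $ownerId is the owner column of the row being acted on (assumed loaded from DB).
function require_owner(int $ownerId): void
{
    if (!isset($_SESSION['user_id']) || $_SESSION['user_id'] !== $ownerId) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// --- Usage in a state-changing handler (e.g. POST /invoices/delete) ---------
start_secure_session();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['_csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $invoiceOwner = 42; // assumption: would come from the invoice row in the DB
    require_owner($invoiceOwner);
    // ... perform the delete ...
}
```

The token lives only in the server-side session and in the form body, never in a cookie, so a cross-site request (from Flash or anything else) that carries the victim's session cookie still cannot supply it. The ownership check is deliberately separate from the CSRF check: a valid token proves the request came from your page, not that the user is allowed to touch that row.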


1) First and foremost, master the OWASP Top 10.

2) Install a Web Application Firewall. They are required by the payment card industry for a reason (PCI-DSS).

3) Lock down PHP with PHPSecInfo.

4) Lock down your database.

5) Use static code analysis like RIPS-PHP to track down serious vulnerabilities in your code.

6) Use Linux, especially Ubuntu, because AppArmor breaks exploits.

7) Last but not least, test your web application for vulnerabilities. This doesn't have to cost a lot of money; Sitewatch has a free vulnerability scanning service.
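To make the OWASP Top 10 item and the "lock down your database" item in the list above concrete (example code added for this page, not from the answerer or from any tool named in the list): an injectable PHP query next to its parameterised replacement, and a PDO connection that uses an account holding only the grants the code path needs, so that an injection which does slip through cannot reach other schemas or the filesystem. The `shop` database, `orders` table, `app` account, the `DB_PASSWORD` environment variable and the MySQL `GRANT` statements in the comment are all assumptions.

```php
<?php
// Added example (not from the original answer): an injectable query beside
// the parameterised version, plus a least-privilege PDO connection.
// Schema, table, column and account names are assumed.

declare(strict_types=1);

// --- Vulnerable: user input concatenated into SQL (OWASP Top 10: Injection)
function find_orders_vulnerable(PDO $db, string $customerId): array
{
    // customerId = "1 OR 1=1" returns every customer's orders.
    $sql = "SELECT id, total FROM orders WHERE customer_id = " . $customerId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: prepared statement, the value is bound, never interpolated
function find_orders(PDO $db, int $customerId): array
{
    $stmt = $db->prepare('SELECT id, total FROM orders WHERE customer_id = :cid');
    $stmt->bindValue(':cid', $customerId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Least-privilege connection ---------------------------------------------
// The application account is granted only what its queries need. Assumed
// MySQL, run once by a DBA (not by the application):
//   CREATE USER 'app'@'localhost' IDENTIFIED BY '<long random password>';
//   GRANT SELECT, INSERT, UPDATE ON shop.orders TO 'app'@'localhost';
// No DROP, no GRANT OPTION, no FILE privilege, nothing on mysql.*: an
// injection that gets past the code cannot read other schemas or write files.
function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4',
        'app',
        getenv('DB_PASSWORD') ?: '',   // secret from the environment, not the code
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Usage: the (int) cast whitelists the input shape before it reaches the query.
$db = connect();
print_r(find_orders($db, (int) ($_GET['customer'] ?? 0)));
```

Turning off emulated prepares matters: with emulation on, PDO builds the final SQL string client-side, and the database never sees a separate statement and parameters. The grants are the second layer; a static analyser such as the one named in the list finds the first pattern, the account limits the blast radius of whatever it misses.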


In addition to @Rook's comments, if I were running a server on the Internet, I would strongly recommend using OSSEC. Great free log analysis/HIDS software. I run it on all my public facing kit.