After running a SaaS for 10 years, here's what I have to say about security:
1) Use a web-firewall-enabled CDN. We use Cloudflare. The web firewall will immediately block all the scans, attacks and kids probing your server for known holes etc. If your customers are using the "customerXXX.yoursaasapp.com" format for their accounts - you can create those via Cloudflare's API, by the way. The $20 a month you spend on Cloudflare (or an alternative) will save you much more on AWS traffic bills, so it's basically free. They also have a free plan, by the way...
2) Run stuff on Windows. Yeah, no kidding. While the consumer side of Windows is full of viruses and malicious tools indeed, on the server side it's the other way around... 99% of websites are based on Linux, so 99% of known attacks target *nix holes. Also, Windows will be more expensive at the beginning, but it scales really well. With your 1000th customer you will still be running the same Windows server. Also, .NET is JIT-compiled to native code, while all Linux stuff is interpreted (Python, Ruby, PHP, Node.js, you name it...)
3) The biggest security hole will always be cross-customer isolation. Like, in "DeleteItem.php?ItemID=123" - making sure that "ItemID" actually belongs to the current customer, not some other customer. Probably the best way would be to come up with some framework that intercepts all requests before they reach business logic and checks where they belong... (of course, not needed if you spawn a separate DB for every customer)
P.S. Once you get "popular" you will get a lot of "white hat hackers" reporting "vulnerabilities" to you, hoping to get paid, even if you don't have a bug-bounty program. I found the best way to deal with them is: "thanks-thanks, of course, we will gladly pay you, please provide a formal invoice with your real name and address on it"... You won't hear from them again hehe
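The "intercept the request and check who the ItemID belongs to before business logic runs" idea from point 3, as an added example that is not the commenter's code. It assumes an in-memory item store and a decorator standing in for the framework layer; a real app would scope the database query to the tenant rather than filter in memory.

```python
"""Tenant-scoped object access: the DeleteItem.php?ItemID=123 anti-pattern
next to an interception layer that checks ownership before the handler runs.
Hypothetical in-memory store; constructed sample data."""
from dataclasses import dataclass


class Forbidden(Exception):
    """The referenced object is missing or belongs to another customer."""


@dataclass
class Item:
    item_id: int
    tenant_id: str


def sample_store() -> dict:
    # Constructed data: one item each for two different customers.
    return {123: Item(123, "customer001"), 124: Item(124, "customer002")}


def delete_item_unsafe(store: dict, item_id: int) -> bool:
    """Trusts the id alone: any logged-in customer can delete anyone's item."""
    return store.pop(item_id, None) is not None


def load_owned(store: dict, tenant_id: str, item_id: int) -> Item:
    """Resolve the item only if the requesting tenant owns it.

    'Missing' and 'owned by someone else' raise the same error, so the
    response does not reveal whether the id exists in another account."""
    item = store.get(item_id)
    if item is None or item.tenant_id != tenant_id:
        raise Forbidden(f"item {item_id} not accessible to {tenant_id}")
    return item


def requires_ownership(handler):
    """Framework-style interception: handlers never see foreign objects."""
    def wrapped(store: dict, tenant_id: str, item_id: int):
        return handler(store, load_owned(store, tenant_id, item_id))
    return wrapped


@requires_ownership
def delete_item(store: dict, item: Item) -> bool:
    """Business logic; receives an already ownership-checked Item."""
    del store[item.item_id]
    return True


def attempt_delete(store: dict, tenant_id: str, item_id: int) -> str:
    """Convenience wrapper returning 'deleted' or 'forbidden'."""
    try:
        delete_item(store, tenant_id, item_id)
        return "deleted"
    except Forbidden:
        return "forbidden"
```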