so are those SAAS are well secured? so i won't need to care about DDOS, sql injections and all that a basic application firewall would have achieved for me?
There are some kind of security issues, such as SQL injection, that cannot be prevented or fixed by an infrastructure provider. It's completely up to you to make sure that the code you develop is not buggy.
Talking about security in general, it's easy to understand that these major players have all the interest to make their platform as secure as possible. Your question it's extremely generic and it's hard to provide a specific answer.
You may want to check the documentation provided by the providers, such as the Heroku Security page to learn more about their security policy.
Generally speaking, PaaS providers have team of security experts working for them to secure their application and it's likely that they will be able to provide a better level of security compared to a single person managing an entire infrastructure, no matter how good is this person.