Dive into Salesforce Org Health Inspectors !

Nilesh Patil, published in Cloudwerx, Oct 20, 2022 (9 min read)

Salesforce Org Security Check:

Salesforce provides a few tools to assess org security and suggest ways to improve it. These tools evaluate your Salesforce instance and compare its security settings against industry standards. There are many settings and parameters that Salesforce Administrators can activate and adjust to keep a Salesforce org secure. Instead of waiting for issues to surface in your Salesforce org, proactively running an org health check helps you keep security risks at bay; it also gives a reality check on where the org currently stands in terms of security and performance, and confirms the productivity and efficiency of the working system. Salesforce handles the vast majority of security-related work for us; however, it is still our job to turn on these protections.

[Image: Health Check Status]

What is org health?

A Salesforce org health check gives a detailed view of your org's processes, security settings, and workflows, enabling you to understand and resolve the associated vulnerabilities, and offers recommendations on how to improve security. Health Check is not a one-time admin task! Conduct it on a monthly or quarterly basis and reassess your score each time.

Org health check benefits:

- It improves the efficiency of your Salesforce org.
- It helps with the optimization of your Salesforce org.
- Provides an understanding of Salesforce org data security.
- Improves user adoption and productivity.
- It helps to find security and performance issues.

Org Health Check Process:

We will cover a few important org health check tools that help diagnose issues in your Org.

1. Salesforce Health Check Tool:

As a Salesforce Administrator, you can use Salesforce’s own health checker tool to analyze vulnerabilities in your Salesforce Org, all from a single page.

In Setup, use Quick Find to go to Security > Health Check. This page gives an overview and assessment of your current security setup.

Using the Health Check tool you can compare and calculate your total health check score against the Salesforce Baseline standard. Security settings are categorized as "High-Risk", "Medium-Risk" and "Low-Risk"; these guide you on what to tackle first. Within each section, the settings to review are further categorized into statuses such as "Critical", "Warning" and "Compliant". If you want to deviate from the Salesforce Baseline standard, you can upload your own custom baselines, up to a limit of five.

Once you click the Fix Risks button, you are taken to the popup shown below, where you can change your current values to the standard values.

Advantages:

- Great Salesforce feature with quick results.
- Provides a detailed report on your Salesforce org issues.
- Easily set medium- to high-risk settings to the Salesforce Baseline standard with a few clicks.

2. Apex PMD Tool:

You may already be familiar with PMD, a popular source code analyzer for Java and similar languages. Salesforce worked with open source developers to extend this powerful tool to the Apex language. It is a great tool for producing error reports for your Salesforce org. Apex PMD looks out for these two key issues:

- DML operations inside a for loop: Salesforce recommends not performing DML operations inside a for loop because of governor limits.
- SOQL query inside a for loop: Salesforce recommends not performing a SOQL query inside a for loop.

I installed the VS Code setup first and then searched for and installed Apex PMD from Extensions, so that we can perform static analysis on individual files as well as the whole workspace.
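The two patterns Apex PMD flags, each beside its bulkified form, as an added example that is not part of the original post. The objects and fields are standard Salesforce objects; the class and method names are assumptions.

```apex
// Added example (not from the original post). Standard Account/Contact objects;
// the class name is an assumption.
public with sharing class ContactSyncExample {

    // ANTI-PATTERN: one SOQL query and one DML statement per loop iteration.
    // PMD reports both as "SOQL/DML inside a loop". With a trigger batch of
    // 200 accounts this issues 200 queries and up to 200 update calls, against
    // per-transaction governor limits of 100 SOQL queries and 150 DML statements.
    public static void syncContactsNaive(List<Account> accounts) {
        for (Account acc : accounts) {
            List<Contact> contacts = [SELECT Id, Phone FROM Contact WHERE AccountId = :acc.Id];
            for (Contact c : contacts) {
                c.Phone = acc.Phone;
                update c;            // DML inside a loop
            }
        }
    }

    // BULKIFIED: one query for the whole batch, collect the changes, one DML call.
    // The SOQL for-loop below is not "a query inside a loop": the query runs once
    // and the loop iterates over its result.
    public static void syncContactsBulk(List<Account> accounts) {
        Map<Id, Account> accountsById = new Map<Id, Account>(accounts);
        List<Contact> toUpdate = new List<Contact>();
        for (Contact c : [SELECT Id, Phone, AccountId FROM Contact
                          WHERE AccountId IN :accountsById.keySet()]) {
            String newPhone = accountsById.get(c.AccountId).Phone;
            if (c.Phone != newPhone) {
                c.Phone = newPhone;
                toUpdate.add(c);
            }
        }
        if (!toUpdate.isEmpty()) {
            update toUpdate;         // a single DML statement for the batch
        }
    }
}
```

Running Apex PMD over this file flags only the first method; the second is the shape a code review should expect in trigger handlers and batch jobs.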

Advantages:

- It is free and open source.
- You can define your own custom rules.
- It can be part of an ANT build script to generate error reports.
- Common programming bugs such as unnecessary object creation, unused variables and empty catch blocks can be found using Apex PMD.

3. Checkmarx Apex Code Scanner:

Checkmarx Apex Code Scanner is a tool powered by Salesforce. It runs a security scan on your Salesforce org and gives a detailed report on risks based on your code quality and security. It finds the loopholes present in your Apex code and checks whether the code aligns with Salesforce best practices. All you need to do is go to the portal, enter the username of your Salesforce instance (sandbox or production) and choose the type of scan: Security Profile, Quality Profile, or both. Upon submission, your code is queued and scanned. A notification of successful job creation, and later the final PDF report, is sent to the email address of the submitted username. The PDF not only lists the flaws in your code but also explains the issue with each code block and suggests the best way to fix it. Checkmarx is a paid tool and its licensing cost is high; however, its features are very useful.

Force.com Code Scanner Portal URL: https://security.secure.force.com/security/tools/forcecom/scanner

Fill out the scan submission form and scan your org.

Requirements to use the scanner:

- The org should contain fewer than 2 million lines of code (excluding static resources and packages, which are not scanned).
- The Metadata API needs to be enabled.
- Do not use IP access controls that block access from Salesforce IP ranges.
- The username submitted must correspond to a user that has the "Author Apex" permission.
- Provide an email address that the submitter can access.

You can refer to this URL for Force.com Code Scanner: Source Scanner Customer Portal — Salesforce.com

The scanner detects the following security and quality vulnerability types:

- Cross Site Scripting (reflected, stored, and DOM-based)
- SOQL/SOSL Injection
- Access Control Issues (Sharing, FLS)
- Cross-site request forgery attacks
- Arbitrary Redirects
- Overly permissive postMessage targets
- DML statements inside loops
- SOQL/SOSL inside loops
- Hardcoding Trigger.new[0]
- Hardcoding Trigger.old[0]
- Multiple triggers on the same object
- Static Resource referencing
- Multiple Visualforce forms in the same page
- Test methods without assert
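Three of the finding types above (SOQL injection, field-level security, and a test method without asserts) shown as vulnerable code beside its fixed form, as an added example that is not part of the original post or of the Checkmarx product. Objects and fields are standard; the class and method names are assumptions, and the test class would live in its own file in a real org.

```apex
// Added example (not from the original post). Class names are assumptions.
public with sharing class AccountSearchExample {

    // VULNERABLE: user input is concatenated into the query string, so a value
    // containing a quote can rewrite the WHERE clause (SOQL injection).
    public static List<Account> searchUnsafe(String userInput) {
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + userInput + '%\'';
        return Database.query(q);
    }

    // FIXED: a bind variable passes the value to the query engine as data; it is
    // never parsed as SOQL. (If dynamic SOQL is unavoidable, the fallback is
    // String.escapeSingleQuotes() on the input before concatenation.)
    public static List<Account> searchSafe(String userInput) {
        String pattern = '%' + userInput + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    // ACCESS CONTROL: "with sharing" enforces record-level sharing but not
    // field-level security. Security.stripInaccessible() removes any field the
    // running user may not read before the records are handed to a UI.
    public static List<Account> searchWithFls(String userInput) {
        String pattern = '%' + userInput + '%';
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.READABLE,
            [SELECT Id, Name, AnnualRevenue FROM Account WHERE Name LIKE :pattern]);
        return (List<Account>) decision.getRecords();
    }
}

// Separate file in a real org. A test method with no System.assert* call is
// itself one of the scanner's findings; this one asserts the behaviour it exists
// to check: the bind variable treats a quote in the input as a literal.
@IsTest
private class AccountSearchExampleTest {
    @IsTest
    static void bindVariableTreatsQuoteAsData() {
        insert new Account(Name = 'Acme Corp');
        insert new Account(Name = 'Other Co');
        List<Account> hits = AccountSearchExample.searchSafe('x\' OR Name LIKE \'%');
        System.assertEquals(0, hits.size(), 'quoted input must be matched literally, not parsed');
        System.assertEquals(1, AccountSearchExample.searchSafe('Acme').size());
    }
}
```

The same input that the test feeds to searchSafe would, in searchUnsafe, turn the single LIKE condition into two ORed conditions and return every account; the scanner reports that method, and the test documents why the fix holds.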

Advantages:

- Scans each and every line of code in your Salesforce org.
- Reduces the chance of an array of bugs before the next upgrade.

4. Salesforce Accelerator:

Although not commonly heard of, Salesforce Accelerator is a great tool to help get your Salesforce org back up and running. It is available on demand and lets users who face technical issues in their Salesforce instance get individualized technical support. This expert guidance helps you identify your org's issues and solve them. Once you run a health check using a Salesforce Accelerator, you get a list of issues and recommendations on possible ways of fixing them.

Salesforce Accelerators are available to organizations on a Salesforce Premier Success Plan. Once you submit a request for an Accelerator on the Help and Training portal, you are put in touch with certified specialists. They go through your current challenges over a set period (3–4 weeks) and provide a report on what is wrong and how you can get better results.

Advantages:

- Enhances on-time delivery of business requirements.
- Uncovers the reasons behind decreased performance and deep-rooted technical debt.
- Amplifies Salesforce platform value.

5. Salesforce Optimizer:

Salesforce Optimizer gives you detailed data, right inside your org, on more than 50 metrics covering storage, fields, custom code, custom layouts for objects, reports and dashboards, and much more. Optimizer is native to Salesforce and can highlight problem areas in your build; in particular, it identifies Fields, Profiles, Permission Sets, and Roles that are not being used. Run Salesforce Optimizer in sandbox or production to get recommendations for feature improvement, clean up customization, reduce complexity, and drive feature adoption. You receive a personalized report with advice on how to improve your implementation and suggestions for remedying each problem. The tool does have limitations, and it produces some false positives.

Navigate to Setup > Optimizer to run it, then analyze the results. Allow access and open Optimizer to schedule a run.

6. Manual Org Assessment:

If you prefer not to use tools, you can always conduct a manual org assessment to analyze the health of your Salesforce Org. But be mindful that there needs to be a method to your madness. You cannot simply go into the Salesforce system, hunt down specific issues and start resolving them right away. It is best to follow a pattern.

You can start preparing your org assessment report with the criteria below:

- Data Storage
- License Usage
- Workflows vs Triggers implementation
- Standard vs Custom development
- Unfiltered automation on objects

Once you have prepared the report, the next step is to categorize these issues by priority and complexity. Some issues can be fixed quickly, while others need specific workarounds. While these tools are great for getting an aerial view of your Salesforce org's issues, it is always best to take assistance from an experienced Salesforce partner to make the most of your Salesforce org health check.
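An anonymous Apex script that gathers the first three report criteria (storage, license usage, and a trigger inventory per object) into the debug log, as an added example that is not part of the original post. System.OrgLimits, UserLicense and ApexTrigger are standard platform APIs; the percentage thresholds used to flag a line are assumptions and should be tuned to your org.

```apex
// Added example (not from the original post). Run from Developer Console or
// "sf apex run". Thresholds marked below are assumptions.

// 1. Data storage: System.OrgLimits exposes the same numbers as Setup > Storage Usage.
Map<String, System.OrgLimit> limits = System.OrgLimits.getMap();
for (String key : new List<String>{ 'DataStorageMB', 'FileStorageMB' }) {
    System.OrgLimit l = limits.get(key);
    if (l == null || l.getLimit() == 0) {
        continue;
    }
    Decimal pct = (l.getValue() * 100.0) / l.getLimit();
    // Assumed threshold: flag storage above 80% of the allocation.
    String note = pct > 80 ? 'REVIEW' : 'ok';
    System.debug(note + ' ' + key + ': ' + l.getValue() + ' / ' + l.getLimit()
                 + ' MB (' + pct.setScale(1) + '%)');
}

// 2. License usage: licenses near their cap, and paid seats sitting idle.
for (UserLicense ul : [SELECT Name, TotalLicenses, UsedLicenses
                       FROM UserLicense WHERE Status = 'Active']) {
    Integer total = ul.TotalLicenses == null ? 0 : ul.TotalLicenses;
    Integer used = ul.UsedLicenses == null ? 0 : ul.UsedLicenses;
    if (total == 0) {
        continue;
    }
    // Assumed thresholds: >90% consumed, or more than half unused.
    String note = (used * 100 / total) > 90 ? 'NEAR CAP'
                : ((total - used) > total / 2 ? 'UNDERUSED' : 'ok');
    System.debug(note + ' ' + ul.Name + ': ' + used + ' / ' + total);
}

// 3. Triggers per object: more than one active trigger on the same object is
// one of the findings the scanner section lists, and a common source of
// unfiltered, order-dependent automation.
Map<String, List<String>> triggersByObject = new Map<String, List<String>>();
for (ApexTrigger t : [SELECT Name, TableEnumOrId FROM ApexTrigger WHERE Status = 'Active']) {
    if (!triggersByObject.containsKey(t.TableEnumOrId)) {
        triggersByObject.put(t.TableEnumOrId, new List<String>());
    }
    triggersByObject.get(t.TableEnumOrId).add(t.Name);
}
for (String obj : triggersByObject.keySet()) {
    List<String> names = triggersByObject.get(obj);
    String note = names.size() > 1 ? 'REVIEW' : 'ok';
    System.debug(note + ' ' + obj + ': ' + String.join(names, ', '));
}
```

The debug lines marked REVIEW are the candidates for the priority-and-complexity triage described above; the rest of the report (workflows vs triggers, standard vs custom) needs a walk through Setup and the metadata, which this script does not attempt.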

Multi-Factor Authentication (MFA):

MFA is hands down the best way to protect your org from unauthorized users gaining access. It pairs something you know (the password) with a second factor (such as a code sent to your email or by text). You can find this under Setup > Session Settings > Session Security Levels > Multi-Factor Authentication.

Turning this on in Session Settings requires all users (when using a new device or a new browser session) to verify their sign-in to Salesforce with a code from an email or a text (if they have registered a mobile device). Most orgs should already have this one, but if yours does not, I would highly recommend it.

Taking it one step further, by February 1st, 2022, Salesforce will require an even more secure form of MFA to be turned on. This requirement eliminates the ability to use text/email as the second authentication factor; instead, it requires an authenticator app or a security key. The authenticator app (installed on a Salesforce user's phone) produces six-digit codes that are only valid for about 30 seconds.

My Domain:

My Domain makes your Salesforce URL specific to your org/company. So, instead of login.salesforce.com, it becomes mycompany.lightning.force.com. Not only is this required to use many of the newer features, it also helps secure your org: unauthorized users would first need to know your My Domain name before even attempting to gain access. I won't get into the details here, but you will find this under Setup > My Domain, and if you don't already have it turned on, I would recommend doing so.

The one thing to be aware of here is the "prevent login from login.salesforce.com" option, which you can turn on after enabling My Domain; this blocks logins at the generic login page. Just make sure that every integration in your org is set up to handle this (and is not pointed at the generic login URL).

Salesforce Health Check Best Practices:

- Salesforce recommends that health checks be done at least once a year.
- Identify the symptoms of an unhealthy Salesforce org.
- Set up coding standards for code review.
- Document Apex and test class best practices.
- Categorize issues by priority and complexity.
- Security in Salesforce

I hope this blog helps you make your Salesforce org healthier!

If you need to perform load testing on your org, you can refer to this blog:
Salesforce Experience Cloud Load Testing Using JMeter | by Nilesh Patil | Cloudwerx | Medium
