Salesforce Security Assessment
How often do you see news announcing hackers successfully attacked a large company, exploiting their security vulnerability?
Based on the 2021 Risk Based Security report, there were over 1,700 publicly reported data breaches in the first six months, which resulted in 18.8 billion exposed private records like:
- Credit card details
- Social security information
- Personal emails,
- Phone numbers,
- Addresses.
Based on the same report, the leading data breach source is still hacking accounting for 1201 cases out of 1, 767. And it means that your company should be double watchful in terms of system safety and how your users access the platform.
Apart from hacking risks, there are other dangers that can result in stealing your company and clients’ data, caused by virus attacks and phishing. It takes only one employee opening a phishing email to set off a chain of events that may compromise your company’s data. Relying on the data given in the same report, most of the data leakage happens because of web breaches, hacking, and fraud.
Salesforce, as one of the leading and versatile CRM solutions providers, offers the ability to audit your platform to detect any security issues that might have gone unnoticed. These issues are put together in a form of a report that can be used to identify possible risks that can be further addressed case-by-case.
Today, I’m going to reveal some of our tips on the Salesforce security assessment and how to increase the security of your org with:
- CRM security assessment best practices
- Salesforce health check tools: Health Checker, Salesforce CLI Scanner Plug-in, Checkmarx Code Scanner, Apex PMD Tool
- More CRM health check tips and links to resources for further reading and practicing
Benefits of CRM Regular Audit and Security Assessment
It goes without saying that revising critical areas of Salesforce solution are as important as regular medical checkups to ensure data protection and data loss prevention and stable CRM performance in the future. Thanks to this, you and your company will be able to rely on Salesforce to hold sensitive information and use the solution with confidence.
Regular org check-ups enable you to stay informed about actual vulnerabilities, prioritize remediation roadmap, and adjust change strategy accordingly.
This, in turn, will help accelerate user adoption, develop an effective user training program, and understand existing processes. Besides this important factor, you will be able to manage your investments and costs associated with your current infrastructure better, exceed all industry technology development standards, reduce operation costs, and improve solution scalability. In the end, it will elevate sales management, effectiveness, and results.
Salesforce Security Assessment Best Practices
The first and foremost step toward making your Salesforce org healthier is critically assessing all the existing and hypothetical system vulnerabilities. You can do it with the help of specialized tools or manually.
Salesforce consulting agencies will evaluate the weak points of your existing solution from a security standpoint or provide you with a comprehensive validation checklist, audit strategy, and a list of the best-of-breed tools for any budget to diagnose it yourself.
If you’ve decided to assess your platform’s health manually, there is a list of aspects that you need to consider for the accurate Salesforce security assessment:
- Data storage options
- License usage
- Batch classes and scheduler per object
- Workflows and triggers the implementation
- Custom setting /metadata configuration for controlling Triggers
- Standard vs Custom development
- Record ownership
Here are some of the most common signs of unhealthy Salesforce org, that need immediate action:
- Data storage limits exceeded
- Frequent system issues
- Record locking & controversy
- Pointlessly installed packages
If you are just planning to build your Salesforce-based solution or to modify it to fit your needs completely, you have to think about ensuring security on all the levels of the development and customization cycle.
The Open Web Application Security Project (OWASP) discloses a comprehensive list of the most common web attacks. The top three risks are:
- Broken Access Control: unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits.
- Cryptographic Failures: sensitive data exposure.
- Injection: a query sends bad data to a system in an attempt to cause damage.
Note*: Use OWASP Top 10 List as a guide to developing a minimum level of security in your solution.
Salesforce is a great platform in terms of security and its support both of the Salesforce instance and custom apps. It provides considerable flexibility of security control to meet your individual business requirements.
Also, thanks to its multitenancy and cloud-based nature, and compliance with the certifications and attestations like HIPAA, GDPR. IRAP and others, it is safe to store your data in Salesforce.
Salesforce security features empower you and your users to do your work safely and efficiently. It constantly improves its security functionality with minor updates and major releases three times a year.
Salesforce Health Check Tools
Salesforce Health Checker
This is one of the top Salesforce health check tools to ensure overall system sustainability and security.
Health Check is used to display your org’s vulnerabilities info on a dashboard, which can be fixed from the same page. Thanks to this tool, you can have a quick look at your org’s overall security. The health score is calculated based on a security baseline: standard or custom.
Standard Baseline — pre-configured org’s security settings for various risk levels suggested by Salesforce.
Custom Baseline — as it’s highlighted by its name, is used for a more specific view of security for such highly regulated industries like health care or finances, where the system should comply with quite strict requirements to protect sensitive, personally identifiable information or to comply with certain regulations (for example GDPR standards) that can’t be met with the standard baseline.
Here are some of the noteworthy guidelines on how to set up the custom baseline from Chitiz Agarwal.
* Note: Before importing a custom baseline to the Salesforce Health Check tool, it’s highly recommended to discuss it with your IT or Compliance departments.
Typically, this score is calculated by measuring how closely your platform’s security settings correspond to Salesforce’s recommended settings, on a scale from 0–100%, where:
- 0% — 54% — Very poor settings configuration
- 55% — 59% — Poor
- 60% — 79% — Ok
- 80% — 89% — Good
- 90% — 100% — Excellent
This gradation helps to identify the issues that should be addressed as a top priority with quick fixes or workarounds.
You can configure your security settings as you want, but it’s better to keep this score over 85%. My suggestion is to run Health Checker every month to identify symptoms of an unhealthy Salesforce org.
Salesforce Health Checker
Health Checker Pros:
- A free and easy-to-use tool that gives fast results
- Integrated into your Salesforce Org and is available out-of-the-box
- Recommended values are shown next to the actual values for an easy configuration via the Edit link.
- Enhances the security of the org and, as a result, how the custom code of your custom apps runs in your org.
Health Checker Cons:
- Not all settings are available
- Request preliminary testing before changing all the settings
If you need to assess multiple Salesforce orgs at a time, you can orchestrate it via the Salesforce Security Center, a paid tool that can give you more insights into the system usage. For example, you can track how many users log in with multi-factor authentication (MFA).
Salesforce CLI Scanner Plug-in
The Salesforce CLI Scanner plug-in is a unified tool for static analysis of source code in multiple languages (including Apex). This scanner can create HTML or CVS reports that will show you possible vulnerabilities or even bad code quality.
Great news that, due to CLI, this tool can be included in your CI/CD. I recommend you do this so that each build will have reports with the issues.
Salesforce CLI Scanner Plug-in
Salesforce CLI Scanner Plug-in Pros:
- Free to use
- Instant results
- Can be integrated into your CI/CD
Salesforce CLI Scanner Plug-in Cons:
- Can show false positive errors
- Scan your local solution instead of org
When you move your project to release, especially if you want to create a product that you want to sell or put into AppExchange, this solution is necessary to use.
Checkmarx Code Scanner
Checkmark Code Scanner is a tool powered by Salesforce. It runs a security scan on your Salesforce org and gives a detailed report on risks and vulnerabilities. You must fix any errors classified as Low, Medium, or High.
Checkmarx Code Scanner
Checkmarx Code Scanner Pros:
- Free with limitations
- Scans all code of your Salesforce org
- Recommended by Salesforce
Checkmarx Code Scanner Cons:
- You must pay if you want to scan more than 360000 lines of code per year
- It takes time to get a report
Apex PMD Tool
You may have already worked with the PMD (Programming Mistake Detector) tools that are a famous source code analyzer for Java and similar programming languages. Salesforce offers its own tool — Apex PMD for testing the Apex language. With the help of the Apex PMD tool, you can generate Salesforce org errors reports.
It’s aimed to find two core issues: DML operations inside a for-loop and software query within a for-loop. Also, the Apex PMD tool helps to locate programming bugs like unnecessary object creation, unused variables, and empty catch blocks and, as a result, improve quality and avoid maintenance, performance, and bug problems in your Apex code.
Apex PMD Tool Pros:
- It’s a free and open-source solution
- You can set your own custom rules
- It can be a part of the ANT build script to generate error reports
More Salesforce Health Check Tips
1. Test your Organization
Salesforce has major updates 3 times per year and small updates during the year. These updates make improvements to the organization and provide new features. However, during this period, some of the functionality may be outdated and not supported, especially, if you have a highly customized legacy system.
To prevent seeing your clients unhappy when something goes wrong in the production process after a new major update, I recommend that you prepare your solution for an update in advance. This can be done with the simple strategy:
- Read release notes and check critical updates
- Create sandbox with new release and critical updates enabled
- Test all your scenarios of work
- Fix all possible issues beforehand!
- Setup Coding Standard for code review
- Document the Apex and Test class best practices
- Categorize the issue based on priority and complexity
2. Set Up Security Configuration
One of the most important things in your organization is the security model. It must be very well defined to whom you must provide access and which information must be hidden.
3. Validate Data
Data is an integral part of any CRM platform, and to maximize the effectiveness of your sales and marketing activities, you need to ensure that your data is healthy, accurate, and consistent. To prevent data loss and corruption, you should perform regular data backups, and ensure its hygiene — regular deduplication, and enrichment.
