Did You Know Salesforce Vulnerabilities Are Your Responsibility?

Every Salesforce user is responsible for securing their own environment. This includes accounting for Salesforce vulnerabilities.

Why It Matters: Salesforce is secure. However, the way we interact with orgs has the potential to introduce vulnerabilities. And if you rely on Salesforce to secure your org, you’re leaving yourself open to costly outages and data exposures.

  • Planned and unplanned outages lead Salesforce users to lose connectivity with their environment.
  • A comprehensive data security strategy is critical to remaining secure in the face of evolving cybersecurity threats.
  • Damaged consumer trust, regulatory compliance problems, and costly losses can all result from failing to account for Salesforce vulnerabilities.

1. Identify Salesforce Security Vulnerabilities

These security vulnerabilities were recently reported in Salesforce:

  1. CVE-2023-34362 and CVE-2023-35036: These two vulnerabilities could lead to unauthorized access to the MOVEit file transfer product and environment. However, there is no impact to Salesforce customer data at this time. 
  2. CVE-2022-22128: This issue affected the Tableau Server Administration Agent. 
  3. Tableau Security Update: This was an issue with Tableau Server logging Personal Access Tokens into internal log repositories.
  4. CVE-2022-22127: This was a broken access control vulnerability in Tableau Server. 
  5. Heroku Security Notification: There was an issue with GitHub repositories connected to Heroku. 
  6. Spring4Shell Security Update: The Spring4Shell vulnerability published in March 2022 affected multiple Salesforce products, including Tableau, Slack, Service Cloud, Salesforce Einstein, Salesforce Core, Sales Cloud, Quip, Pardot, MuleSoft, Marketing Cloud, Hyperforce, Heroku, Experience Cloud, Commerce Cloud, and ClickSoftware.

2. Understand Your Salesforce Data Security Responsibilities

The delineation of responsibilities between platform and user is important to understand. Failing to account for your responsibilities creates gaps that can be exploited by bad actors or simply leave your organization open to costly mistakes.

The shared responsibility model illustrates where the onus of security lies for both Salesforce and those who use the platform.

Salesforce is responsible for everything on the platform side—physical infrastructure, application-level security, and network security—whereas users are responsible for anything that happens within their orgs—access controls, permission settings, and the overall success of their data security strategy.

3. Learn What You Can Do to Protect Yourself

An overabundance of caution is always beneficial when considering data security. When in doubt, assume it’s your responsibility and put together a plan to account for any potential security risks. A complete analysis of your current approach, potential vulnerabilities, and a flexible plan should follow.

Utilize automated scanning tools to address existing threats while also verifying the proper structure of updates and new applications to avoid introducing vulnerabilities.

Static code analysis and policy management are two critical aspects of addressing these problems. Open communication is also essential. All of your team members need to work together to find, flag, and address potential data security issues.

4. Realize the Benefits of Working Off-Platform

Working outside the Salesforce platform clears up a lot of confusion about where responsibility falls for data security considerations. When it comes to DevOps, most environments exist directly within the Salesforce platform. And while this might seem like an advantage, it opens organizations up to outages—both planned and unplanned—from Salesforce itself.

Working outside the Salesforce platform ensures continuous connectivity—even when Salesforce itself goes down.

Outages cost companies around $5,600 per minute on average. Avoiding the loss of connectivity to your system is a major win for data security teams, and this can largely be accomplished by working off-platform.

5. Find Out How to Prepare for the Future

Data security threats are constantly evolving. The best thing organizations can do is implement a continuously updated approach to data security. This is accomplished by frequently auditing your current approach and making adjustments as they are needed.

A flexible approach, strong communication, and the utilization of automated tools give organizations the best chances at remaining operational and secure in the face of evolving threats.

Salesforce offers its users amazing benefits. But when it comes to data security, you can’t rely on the platform to save you and your data. Take the time to ensure your bases are covered—your future self will thank you.

Next Step…

Now that you have a better understanding of what you need to do to solidify Salesforce security, let’s look at your options for tooling. It’s tempting to source generic tools because of their low cost and ease of access, but you’ll be leaving yourself open to a lot of mistakes.

Read our blog, The Problem with Generic Code Quality Tools in Salesforce, to learn more.


Third-party integrations and other customizations can significantly impact how Salesforce vulnerabilities threaten your org. Additional layers of complexity are introduced alongside third-party applications, which also adds security risks. These customizations have the potential to house their own vulnerabilities, which are then connected to your Salesforce environment. Thorough security assessments should always be conducted for any new integrations.

The shared responsibility model describes the distribution of security responsibilities between the platform provider—in this case, Salesforce—and its customers. Salesforce is responsible for the security of the platform itself, including its physical infrastructure, network security, and application-level security controls. Customers, on the other hand, are responsible for things like configuring access controls, setting user permissions, applying data security settings, as well as monitoring and managing their data and application configurations. This model emphasizes that, while Salesforce maintains a robust and secure platform, customers must actively engage in configuring and managing their Salesforce instance to ensure the security of their specific data and applications.

Compliance and regulatory requirements set the standards and guidelines that organizations must adhere to when handling sensitive data and conducting business operations. These requirements, which can vary by industry and geography, often dictate specific security measures, data protection protocols, and audit procedures that must be integrated into Salesforce deployments. Meeting these standards not only helps safeguard sensitive information but also helps organizations avoid legal liabilities and fines.
