Why DevOps Security in Salesforce Can No Longer Be Ignored
By Thomas Morgan
May 26, 2025
Most Salesforce professionals spend their days thinking about features, deployments, and UI – often leaving security as an afterthought. Pablo Gonzalez, Director of Product Management at AutoRABIT, is looking to change that. AutoRABIT’s latest product, Guard, is billed as the first “security posture management tool for Salesforce”.
But what does security posture actually mean? And why should developers and architects pay attention to it now? To explore these questions, I sat down with Pablo to discuss the problems that Guard solves, why most developers don’t always take security seriously, and what makes this tool different from the typical flood of alerts and warnings we’ve come to ignore.
“Salesforce Is Secure… Until You Touch It”
As noted above, security is rarely at the forefront of Salesforce professionals’ minds, although it should be. As Salesforce orgs grow more complex and more business-critical, the risks tied to misconfiguration, excessive permissions, and overlooked settings accumulate until they catch up with you. That is the gap Guard is meant to fill.
Positioned as the first “security posture management tool” for the platform, Guard lets companies assess how secure their org actually is (rather than how secure they assume it is) and keep it that way over time.
“Salesforce is secure… until you touch it,” Pablo explained. “The moment an admin customizes Salesforce, they become responsible for its security. This means you could expose data portals, or have internal users with too much access, with too many permissions.
“Guard gives you visibility into all the areas of Salesforce that relate to security – configurations, user permissions, and system changes – all through a security lens. That includes things like password policies, session settings, super admin privileges, and permission changes. It even flags risky permission combinations that could unintentionally provide too much access.
“The goal is to help you first understand: do I have a problem? Are there misconfigured settings that could expose us to vulnerabilities? And then, how can we resolve those automatically?”
One of the more notable parts of the product is a data classification engine that automatically scans Salesforce data and categorizes it against regulatory requirements such as GDPR, HIPAA, and child data protection laws. The feature is designed to take the manual burden off teams and help them quickly see where sensitive data lives and who has access to it.
“We built a solution that can automatically categorize data in less than 10 minutes. Most tools don’t do it for you – Guard does.”
Automation is a standout aspect of Guard: rather than bombarding teams with an alert every time an issue is discovered, the tool aims to be immediately actionable. Every flagged issue comes with a defined resolution – automated where possible – and the scanning runs quietly in the background while you work.
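To make the classification idea concrete, here is a small field-level classifier written for this article as an added illustration; it is not Guard’s code or anything from AutoRABIT. It runs over two constructed Contact-style rows (hypothetical data) and tags each field with the regimes it appears to fall under. The field-name rule, the PHI keyword list, the age-16 child threshold (the GDPR Article 8 default) and the category labels are all assumptions chosen for the example. The one detail worth copying is the Luhn check: a card-shaped number that fails Luhn is treated as a false positive rather than as PCI data, which is what separates a usable classifier from a noisy one.

```python
import re
from datetime import date

# Constructed sample rows in the shape of a Salesforce Contact query result
# (custom fields carry the __c suffix). Hypothetical data, not from any real org.
SAMPLE_ROWS = [
    {"Id": "003000000000001", "Name": "Ada Byrne", "Email": "ada.byrne@example.com",
     "Birthdate": "1984-03-02", "Card_Number__c": "4111 1111 1111 1111",
     "Notes__c": "Diagnosis: type 2 diabetes; Rx metformin 500mg"},
    {"Id": "003000000000002", "Name": "Tom Shaw", "Email": "tom.shaw@example.com",
     "Birthdate": "2013-09-14", "Card_Number__c": "4111 1111 1111 1112",
     "Notes__c": "Prefers phone contact"},
]

SKIP_FIELDS = {"Id"}                                      # record IDs are digit-heavy but not sensitive
PII_FIELD_NAMES = {"Name", "Email", "Phone", "Birthdate"}  # assumed field-name rule
PHI_KEYWORDS = ("diagnosis", "prescription", "rx ", "icd-", "patient")  # assumed keyword list
CHILD_AGE_LIMIT = 16                                      # GDPR Art. 8 default age of consent
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")  # 13-19 digits, spaces/dashes allowed
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn check: rejects card-shaped numbers that cannot be real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def age_on(birth_iso: str, as_of_iso: str) -> int:
    """Whole years between an ISO birthdate and an ISO reference date."""
    b, a = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    return a.year - b.year - ((a.month, a.day) < (b.month, b.day))


def classify_row(row: dict, as_of: str) -> dict:
    """Return {field: {categories}} for the fields of one row that hold sensitive data."""
    out = {}
    for field, value in row.items():
        if field in SKIP_FIELDS or not value:
            continue
        text = str(value)
        cats = set()
        if field in PII_FIELD_NAMES or EMAIL_RE.search(text):
            cats.add("GDPR_PII")
        if field == "Birthdate" and age_on(text, as_of) < CHILD_AGE_LIMIT:
            cats.add("CHILD_DATA")
        for m in CARD_RE.finditer(text):
            pan = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(pan):                # a Luhn failure is treated as a false positive
                cats.add("PCI")
        if any(k in text.lower() for k in PHI_KEYWORDS):
            cats.add("HIPAA_PHI")
        if cats:
            out[field] = cats
    return out


def classify_rows(rows: list, as_of: str) -> dict:
    """Aggregate per-field categories across all rows into a classification report."""
    report = {}
    for row in rows:
        for field, cats in classify_row(row, as_of).items():
            report.setdefault(field, set()).update(cats)
    return {f: sorted(c) for f, c in report.items()}


if __name__ == "__main__":
    for field, cats in classify_rows(SAMPLE_ROWS, "2025-05-26").items():
        print(f"{field:16s} {', '.join(cats)}")
```

On the sample rows the report tags Card_Number__c as PCI only because the first row’s number passes Luhn; the second row’s number has the right shape but fails the checksum and is ignored. Birthdate is tagged both GDPR_PII and CHILD_DATA because one contact is under 16 as of the reference date. The reference date is passed in explicitly so the result is reproducible rather than dependent on the day the scan runs.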
Pablo went on to explain what “security posture” really means and how it relates to risk tolerance in Salesforce:
“Security posture is essentially about how much risk your company is willing to tolerate. Risk exists on a spectrum, from high to low, and your posture reflects where you fall on that spectrum. Are you OK with a lot of risk? Or do you aim to minimize it as much as possible? That’s your posture. It applies to any information security domain, whether it’s Salesforce, your servers, or even your physical devices. It’s a general way of defining your risk tolerance and where you choose to stand.”
As Salesforce environments grow more complex, the potential for accidental exposure increases. Most orgs, according to Pablo, do not actually realize how much access their internal users have, or how easily data can leak through a misconfigured portal. This matters most for companies in regulated industries such as finance, healthcare, and government, where security has to be a priority rather than an afterthought.
Guard aims to make Salesforce security manageable by surfacing those flaws before they are exploited.
Guard’s Permission Explorer, a way to visualize user permissions. Source: Pablo Gonzalez
A Case Study in Salesforce Security Failure
Beyond the benefits of a posture tool, Pablo also described real incidents that a tool like Guard could have prevented – including a Salesforce data leak during COVID.
In May 2021, the Health Service Executive (HSE) in Ireland suffered a major ransomware attack that crippled its IT infrastructure and forced many systems offline, disrupting appointments and access to patient records.
It was also discovered that HSE’s vaccination portal – built on Salesforce – had a configuration flaw that allowed anyone to register and view other people’s personal information.
Pablo explained that this leak was caused by poor foresight. “It had been built like any other basic Salesforce project, with little to no attention to security,” he explained. “No formal security review was conducted, and it turned out that sensitive data was being exposed.
“The portal was likely built by contractors working under tight deadlines, without proper oversight or security protocols.”
Examples like these, and a clear gap in the market, are what prompted AutoRABIT to start building a rigorous security tool that catches such issues.
“As I dug deeper, I realized there’s a real underappreciation of security risk among Salesforce customers. When we started building our prototype and showing it to customers, their reactions confirmed it: one of the most common issues is excessive permissions. We’ll show customers who has access to what, and they’re often shocked: ‘We didn’t know that person could do that.’ We’ll ask why someone can export data from Salesforce, and they’ll say, ‘We don’t know.’
“That’s where Guard comes in. It’s not a tool people use every day like a deployment product. You configure it once – set your policies and access controls – and then it continuously monitors your org in the background. Every five minutes, it scans for policy violations and automatically remediates any issues it finds.”
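The two questions Pablo raises above – “who can do what?” and “why can this person export data?” – are answered by resolving each user’s effective permissions across every permission set assigned to them and then checking that union against a policy. The Python below is an added example written for this article (it is not Guard’s code and makes no claim about how Guard works internally). The boolean flags are named after fields on the PermissionSet object; the permission-set names, users, assignments, policy tiers, exceptions and the remediation heuristic are all constructed for the illustration. It goes slightly beyond the text in one respect worth seeing: a risky combination can arise from two separate permission sets that each look harmless on their own, so the check has to run at the user level, not per permission set.

```python
from collections import defaultdict
from dataclasses import dataclass

# Flags are named after PermissionSet boolean fields. Everything else below
# (policy tiers, permission sets, users, exceptions) is constructed for this example.
HIGH_RISK = {                                   # finding + candidate for automatic removal
    "PermissionsModifyAllData": "read and write every record, bypassing sharing",
    "PermissionsAuthorApex": "deploy code that runs in system mode",
    "PermissionsManageUsers": "create users and reset passwords",
}
REVIEW = {                                      # finding that needs a documented justification
    "PermissionsExportReport": "can pull report data out of the org",
}
RISKY_COMBOS = [                                # harmless alone, dangerous together
    ({"PermissionsApiEnabled", "PermissionsViewAllData"},
     "bulk export of every record over the API"),
    ({"PermissionsModifyAllData", "PermissionsAuthorApex"},
     "arbitrary code with unrestricted data access"),
]

PERMISSION_SETS = {                             # PermissionSet.Name -> flags set to true
    "Sales_User": {"PermissionsApiEnabled", "PermissionsExportReport"},
    "Data_Viewer": {"PermissionsViewAllData"},
    "Helpdesk": {"PermissionsManageUsers"},
    "Integration_Admin": {"PermissionsApiEnabled", "PermissionsModifyAllData",
                          "PermissionsAuthorApex"},
}
ASSIGNMENTS = [                                 # (User.Username, PermissionSet.Name)
    ("alice@example.com", "Sales_User"),
    ("alice@example.com", "Data_Viewer"),
    ("bob@example.com", "Helpdesk"),
    ("svc-integration@example.com", "Integration_Admin"),
]
# Explicit, documented exceptions the policy accepts: (user, permission) pairs.
EXCEPTIONS = {("svc-integration@example.com", "PermissionsModifyAllData"),
              ("svc-integration@example.com", "PermissionsApiEnabled")}


@dataclass(frozen=True)
class Finding:
    user: str
    severity: str        # "high", "combo" or "review"
    perms: tuple         # permission flag(s) involved
    sources: tuple       # permission sets that grant them
    reason: str


def effective_permissions(assignments, perm_sets):
    """Union of permissions per user, remembering which permission set granted each."""
    eff = defaultdict(lambda: defaultdict(set))
    for user, ps in assignments:
        for perm in perm_sets[ps]:
            eff[user][perm].add(ps)
    return eff


def evaluate(assignments, perm_sets, exceptions):
    """Run the policy over every user's effective permissions and return findings."""
    findings = []
    for user, perms in effective_permissions(assignments, perm_sets).items():
        held = set(perms)
        excepted = lambda p: (user, p) in exceptions
        for tier, rules in (("high", HIGH_RISK), ("review", REVIEW)):
            for p, why in rules.items():
                if p in held and not excepted(p):
                    findings.append(Finding(user, tier, (p,), tuple(sorted(perms[p])), why))
        for combo, why in RISKY_COMBOS:
            # A combo is suppressed only if every flag in it is explicitly excepted.
            if combo <= held and not all(excepted(p) for p in combo):
                srcs = set().union(*(perms[p] for p in combo))
                findings.append(Finding(user, "combo", tuple(sorted(combo)),
                                        tuple(sorted(srcs)), why))
    return findings


def remediation_plan(findings, perm_sets):
    """Assignments to remove. For each high/combo finding, drop the contributing
    permission set that grants the fewest flags (least collateral damage)."""
    plan = set()
    for f in findings:
        if f.severity == "review":
            continue
        victim = min(f.sources, key=lambda ps: (len(perm_sets[ps]), ps))
        plan.add((f.user, victim))
    return sorted(plan)


if __name__ == "__main__":
    found = evaluate(ASSIGNMENTS, PERMISSION_SETS, EXCEPTIONS)
    for f in found:
        print(f"[{f.severity:6s}] {f.user}: {', '.join(f.perms)} via {', '.join(f.sources)} ({f.reason})")
    print("unassign:", remediation_plan(found, PERMISSION_SETS))
```

On the constructed data, alice triggers the API-plus-View-All-Data combination even though neither of her permission sets contains both flags, and the plan proposes removing only Data_Viewer, keeping her day-to-day Sales_User set. The integration user keeps Modify All Data and API access because those are recorded exceptions, but still gets a finding for Author Apex, which no exception covers. A real remediation would more often split a permission set than unassign it wholesale; the point of the plan is to show which assignment is responsible, which is the question customers in the interview could not answer.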
Do Developers Not Care Enough About Salesforce Security?
The example Pablo provided above had a huge ripple effect on thousands of people across Ireland – and he attributed it to one key thing: underappreciation of risk. When the right protocols aren’t followed, it can lead to a breach of extremely sensitive healthcare data, or other sensitive information.
We went on to discuss how poorly the importance of Salesforce security is understood, and Pablo used his own experience of joining AutoRABIT as an example.
“When I joined AutoRABIT, they gave me this booklet – kind of like a company story – explaining who they are, what they stand for, and who their customers are. There was a huge emphasis on security. So much so that I remember thinking, ‘Did I join a bank or a DevOps company?’ I didn’t really understand it,” Pablo detailed. “Why was there such a strong focus on security?
“They positioned themselves as the only DevOps product that puts security first, and honestly, I didn’t understand it. I thought, ‘Salesforce is already secure, what are we even talking about?’”
It wasn’t until Pablo started really working on Guard and carrying out deeper research that he realized how easily misconfigurations and overprivileged users can cause vulnerabilities.
“When I later began working on Guard, I started digging into it and researching what could actually go wrong. I realized there is substantial risk, and it’s often undermanaged. The security risks in Salesforce aren’t like traditional app vulnerabilities. It’s not that someone’s going to ‘hack Salesforce’ because Salesforce, the platform, is quite secure. The problem is more nuanced.
“One of the biggest and most common issues is over-privileged users. As a developer, you might think it’s harmless – ‘We’re all employees, what’s the problem?’ But it becomes a real issue when internal users have access to sensitive data they shouldn’t, like customer credit card details, data protected under GDPR, or even HIPAA-regulated patient data.
“If you don’t stay on top of that, you open yourself up to internal vulnerabilities. People can leak data, initiate ransomware attacks, or even engage in corporate espionage. These risks are just as serious as external hacks you see in the news. They might happen less often, but they’re no less damaging when they do.”
“Most Developers Don’t Care About Security…”
Because developers are mostly focused on delivery, functionality, and deadlines, security can feel abstract or even optional – not an urgent matter until it is too late.
For Pablo, this is the reality of security in Salesforce, and he hopes this product starts to turn the ship around.
“Developers don’t think about security. I never did, and most developers don’t. However, the same developers often work in regulated industries, and those environments have internal infosec policies and external compliance requirements that need to be met across their entire system landscape.
“Our job is to help make sure those policies are enforced correctly in Salesforce and that their security posture aligns with what’s expected.”
What’s Next for Guard?
The need for a tool like Guard has never been greater, and AutoRABIT has long-term plans for it.
What excites Pablo most is the freedom to build something meaningful in a space that has largely been ignored. Guard gives AutoRABIT room to keep innovating where others have not.
“We’re able to think deeply about the real gaps in Salesforce security and explore creative ways to solve them,” Pablo explained.
“It might not be the most exciting thing for the average Salesforce Developer, but for our customers, we’re delivering an incredible amount of value that simply didn’t exist before and that most competitors are overlooking.”
Final Thoughts
With Guard, the goal is to make the Salesforce ecosystem more aware of how to secure its environments, protect its investment, and safeguard its most sensitive data.
A big thank you to Pablo for contributing his insight to this discussion – be sure to follow or connect with him on LinkedIn. Watch this space!