Security flaws in your production org are high stakes – issues can be difficult to detect, lengthy to fix, and have catastrophic business consequences. So, the security of your live environment is paramount.
However, focusing on security in production without ensuring your whole development cycle is security-driven is like locking your front door while leaving your back door wide open. Security needs to be built into every step of the DevOps lifecycle – from planning to deployment and beyond – to safeguard your data, protect your users and customers, and avoid costly breaches.
In this article, we’ll look at where security is falling short in the ecosystem, steps for assessing how robust your security processes are, and the key behaviors of teams that focus on security throughout the DevOps lifecycle.
The Current State of Play for Salesforce Security
Salesforce’s flexibility and low-code capabilities make it a powerful platform for businesses. However, this flexibility also introduces risk.
For orgs with custom code, complex configurations, and multiple sandboxes, there are many opportunities for vulnerabilities to creep in. In fact, the 2024 State of Salesforce Development Report found that 76% of Salesforce orgs contain insecure Apex falling into categories the latest OWASP Top 10 classes as critical risks. On average, teams take 20 months even to begin addressing these risks, leaving orgs exposed for well over a year.
| Anti-pattern | Share of orgs affected | Average time before remediation begins |
|---|---|---|
| Sharing violations | 62.8% | 24 months |
| CRUD and FLS bypass | 62.3% | 18 months |
| Unrestricted Flow access | 47.0% | 10 months |
| Cross-site scripting (XSS) | 41.8% | 20 months |
| Insecure storage of sensitive data | 40.0% | 23 months |
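
Four of the five anti-patterns in the table map directly onto Apex constructs (Unrestricted Flow access is a Flow configuration matter rather than code, so it is left out). The following is an added example, not code from the report or from this article, showing each vulnerable form next to its hardened form. Each top-level class would live in its own .cls file in a real org. The Contact object and its Email field are standard; the Named Credential called Billing_API is an assumption and would have to be created before the callout works.

```apex
// Added example, not from the report or the article. Assumptions: the
// standard Contact object and Email field, and a Named Credential named
// Billing_API that exists only if you create it.

// 1. Sharing violation ------------------------------------------------------
// Omitting the keyword on an entry-point class (controller, REST resource,
// invocable method), or writing "without sharing", runs its SOQL and DML in
// system context, so record-level sharing rules are ignored and a user can
// read Contacts that were never shared with them.
public without sharing class ContactLookupInsecure {
    public static List<Contact> byAccount(Id accountId) {
        return [SELECT Id, Name, Email FROM Contact WHERE AccountId = :accountId];
    }
}

// 2. CRUD and FLS bypass ----------------------------------------------------
// "with sharing" fixes record-level access, but a plain query still returns
// every selected field regardless of the running user's object and field
// permissions. WITH USER_MODE enforces sharing, object permissions and FLS
// together and throws a QueryException when the user lacks access, so the
// failure is loud rather than a silent data leak.
public with sharing class ContactLookupSecure {
    public static List<Contact> byAccount(Id accountId) {
        return [SELECT Id, Name, Email FROM Contact
                WHERE AccountId = :accountId
                WITH USER_MODE];
    }

    // When dropping unreadable fields is the desired behaviour (a list view,
    // an export), stripInaccessible removes them instead of failing.
    public static List<Contact> byAccountStripped(Id accountId) {
        List<Contact> rows = [SELECT Id, Name, Email FROM Contact
                              WHERE AccountId = :accountId];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Contact>) decision.getRecords();
    }

    // DML has the same two modes: "insert as user" checks the create
    // permission on the object and FLS on every field being written.
    public static void create(Contact c) {
        insert as user c;
    }
}

// 3. Cross-site scripting ---------------------------------------------------
// Untrusted text concatenated into markup (or rendered in Visualforce with
// escape="false") executes in the browser of whoever views the page.
public with sharing class GreetingRenderer {
    public static String bannerInsecure(String displayName) {
        return '<div class="banner">Welcome, ' + displayName + '</div>';
    }

    // Encode for the HTML context at the point of output: the input
    // <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt;
    public static String bannerSecure(String displayName) {
        return '<div class="banner">Welcome, ' + displayName.escapeHtml4() + '</div>';
    }
}

// 4. Insecure storage of sensitive data -------------------------------------
// A secret in source code is also in every git clone, every deployment
// package and every debug log that prints the request.
public with sharing class BillingClient {
    public static HttpResponse listInvoicesInsecure() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://billing.example.com/v1/invoices');
        req.setHeader('Authorization', 'Bearer REPLACE_ME');  // hardcoded secret
        return new Http().send(req);
    }

    // A Named Credential (assumed here to be called Billing_API) holds the
    // endpoint and the credential; the platform adds the auth header and
    // the secret never appears in code or in metadata diffs.
    public static HttpResponse listInvoicesSecure() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Billing_API/v1/invoices');
        return new Http().send(req);
    }
}
```

The two query styles in ContactLookupSecure are not interchangeable: WITH USER_MODE fails closed and belongs in transactional code where a missing field would corrupt a result, while stripInaccessible belongs in display and export paths where a partial record is acceptable. Either is a fix for the CRUD and FLS row of the table; neither is a substitute for the sharing keyword, which governs a different layer.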
As Salesforce orgs grow to handle more complex processes and larger datasets, teams also need to comply with a broader array of compliance demands and frameworks. The 2024 State of Salesforce DevOps Report found that 82% of teams are already aligned with one or more security frameworks, and over half were working toward additional compliance goals in 2024. All the more reason to make sure security is a proactive priority for your team.
Unmask and Fix Security Risks in Your Release Pipeline
So, how can you begin to identify where your security measures are falling short to build a development process that prioritizes security at every step?
Security risks exist in every part of the DevOps lifecycle – by understanding how vulnerabilities can emerge at different points, you can take steps to mitigate risks and build a robust security posture. Let’s explore the potential pitfalls at each stage and how to address them.
Plan
- Risk: When you’re in the planning phase, it’s tempting to push security considerations into the long grass. But without outlining clear security requirements, you risk neglecting secure architecture or falling short on compliance.
- Fix: Incorporate security into your planning discussions from the outset. Collaborate across teams to agree on shared expectations and make security a joint priority from the start.
Build
- Risk: Developers work in sandboxes that were seeded with unmasked copies of production data, so real customer records are exposed to everyone with sandbox access, and secrets that were handy during development end up hardcoded in Apex or metadata.
- Fix: Mask production data before copying it into a sandbox, which protects sensitive information while still allowing realistic testing, and keep credentials out of source from the first commit.
Validate
- Risk: Security analysis isn’t part of the review, or the code scans that are used aren’t context-aware, so they miss whole classes of vulnerabilities or flag the wrong things and get ignored.
- Fix: Implement robust code review backed by automated analysis of both code and configuration (permission sets and Flows as well as Apex), so the anti-patterns in the table above are caught before a change reaches a release.
Release
- Risk: Tight deadlines in the release phase often lead to security being overlooked. Misconfigured permission sets, unchecked changes, or inadequate testing can leave your system exposed.
- Fix: Protect your releases by integrating automated security checks into your deployment pipeline. Set up appropriate guardrails and permissions models to control who can deploy to production.
Operate
- Risk: Security doesn’t stop when you deploy – production orgs need ongoing vigilance. Weak permission sets, broad access controls, or outdated workflows turn into serious vulnerabilities if ignored, yet 60% of orgs lack consistent auditing processes for permissions and workflows, leaving gaps in production security that nobody is looking for.
- Fix: Regularly audit your permissions, workflows, and configurations, and keep your patch management process up to date. Data backup also ensures that you’re protected against malicious deletion of data and other data incidents.
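
A permissions audit is only useful if it runs on a schedule and produces something you can diff. The following is an added example, not code from the article, of a recurring audit of who holds the org's most powerful permissions, runnable from Anonymous Apex or as a scheduled job. It reads the standard PermissionSet and PermissionSetAssignment objects; profiles appear there as permission sets with IsOwnedByProfile = true, so profile-granted privileges are included. The three flags it checks are an assumption about what counts as privileged in a typical org; extend the list to match your own threat model.

```apex
// Added example, not from the article. Reads only standard objects; the
// choice of which flags count as "privileged" is an assumption.
public with sharing class PrivilegedAccessAudit implements Schedulable {

    // Flags on PermissionSet that amount to full control of the org.
    private static final List<String> PRIVILEGED_FLAGS = new List<String>{
        'PermissionsModifyAllData',   // read, edit and delete every record
        'PermissionsAuthorApex',      // deploy code that runs in system context
        'PermissionsManageUsers'      // grant either of the above to anyone
    };

    // Returns flag name -> sorted usernames of active users holding it,
    // whether through an assigned permission set or through their profile.
    public static Map<String, List<String>> usersByPrivilege() {
        Map<Id, PermissionSet> privileged = new Map<Id, PermissionSet>([
            SELECT Id, Name, Label, IsOwnedByProfile, Profile.Name,
                   PermissionsModifyAllData, PermissionsAuthorApex,
                   PermissionsManageUsers
            FROM PermissionSet
            WHERE PermissionsModifyAllData = true
               OR PermissionsAuthorApex = true
               OR PermissionsManageUsers = true
        ]);

        Map<String, Set<String>> holders = new Map<String, Set<String>>();
        for (String flag : PRIVILEGED_FLAGS) {
            holders.put(flag, new Set<String>());
        }

        for (PermissionSetAssignment psa : [
            SELECT PermissionSetId, Assignee.Username, Assignee.IsActive
            FROM PermissionSetAssignment
            WHERE PermissionSetId IN :privileged.keySet()
        ]) {
            if (!psa.Assignee.IsActive) {
                continue;  // deactivated users keep assignments but cannot log in
            }
            PermissionSet ps = privileged.get(psa.PermissionSetId);
            for (String flag : PRIVILEGED_FLAGS) {
                if ((Boolean) ps.get(flag)) {
                    holders.get(flag).add(psa.Assignee.Username);
                }
            }
        }

        // Sorted lists so two runs can be diffed line by line.
        Map<String, List<String>> result = new Map<String, List<String>>();
        for (String flag : PRIVILEGED_FLAGS) {
            List<String> names = new List<String>(holders.get(flag));
            names.sort();
            result.put(flag, names);
        }
        return result;
    }

    // Scheduled entry point. Logging is the minimum; in practice, persist the
    // result and alert on any username that was not in the previous run.
    public void execute(SchedulableContext sc) {
        Map<String, List<String>> report = usersByPrivilege();
        for (String flag : PRIVILEGED_FLAGS) {
            System.debug(flag + ' (' + report.get(flag).size() + '): ' + report.get(flag));
        }
    }
}
```

To run it weekly, schedule it once from Anonymous Apex with `System.schedule('Weekly privilege audit', '0 0 6 ? * MON', new PrivilegedAccessAudit());`. The audit deliberately ignores deactivated users, since what matters is who can act now; if your process also reviews stale assignments, drop the IsActive check and report the two groups separately.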
Observe
- Risk: Staying secure means watching the bigger picture. Without effective monitoring you miss the early warning signs of a breach (logins from unexpected places, permission changes, bulk exports) and fail to adapt to emerging threats.
- Fix: Invest in observability tools that deliver real-time insight into system performance and security, starting with what the platform already records (login history and the Setup Audit Trail), and alert on changes as they happen rather than reading logs after the fact.
The Key Behaviors of the Most Secure Teams
Alongside the DevOps lifecycle, there are some key behaviors and tactics used by teams with the most secure orgs. Let’s take a look…
Shifting Left: Catch and Fix Issues Early
Shifting left involves moving tasks like testing and quality assurance as early in the development lifecycle as possible rather than holding off testing until just before release. This approach catches problems much sooner, improving efficiency and reducing the time cost of fixing big security issues.
Organizations that adopt a shift-left security approach report 30% fewer vulnerabilities in their Salesforce environments. A proactive, end-to-end approach ensures that security is not an afterthought but a fundamental part of your DevOps strategy.
Derisking AI: Ensure Proper Oversight to Balance Risk
The rise of AI-driven tools like GitHub Copilot and Einstein for Developers is reshaping the way teams approach Salesforce development. These tools offer incredible opportunities to accelerate coding and improve efficiency, but they also introduce new security risks.
Snyk’s report found that AI-generated code is significantly more likely to include vulnerabilities like insecure configurations or weak input validation. To harness the benefits of AI without compromising security, you’ll need to adopt a balanced approach. Pair AI-driven development with static code analysis tools to catch flaws early, conduct thorough peer reviews of AI-generated code, and provide training to help developers recognize potential weaknesses.
Building a Culture of Security
Ultimately, security is a team effort. It’s about creating a culture where every team member – from developers to admins – feels responsible for keeping Salesforce environments secure. With the growing trend of democratizing DevOps, it’s more important than ever to ensure the team shares a focus on security to avoid vulnerabilities slipping through to production.
Regular training, open communication, and a shared commitment to best practices go a long way to developing a security-focused culture. By thinking of security well upstream of production and embedding security into every stage of the DevOps lifecycle, you can reduce risk, protect your data, and build trust with users and customers. Security isn’t a final step; it’s a continuous process – one that starts long before your changes ever reach production.
Summary: Secure at Every Step
It’s time to rethink your approach to Salesforce and commit to making security a priority at every stage. Explore tools and practices that help automate and enforce security standards, and join the conversation to learn from others.
After all, a secure Salesforce environment isn’t just good practice – it’s essential for safeguarding customer data, establishing trust and compliance, and driving long-term business success.