Security is all too often the last thing on a Salesforce Developer’s mind, with project deadlines looming and pressure always mounting to deliver results in time – without any unnecessary roadbumps.
But, as recent headlines have shown us, security should very much be one of the Salesforce professional’s priorities, and the consequences for overlooking it can be absolutely catastrophic for an unprepared business – and the people responsible for its Salesforce org.
It’s Not Just Your Responsibility
While developers are arguably at the frontline of Salesforce security, it’s important to know that it’s not just their responsibility to make sure catastrophe is avoided.
Salesforce CTA and Founder & CEO of EzProtect, Matt Meyers, told Salesforce Ben that while security is a particular concern for developers – especially with new developments in AI capabilities – it is nonetheless everyone’s responsibility.
He stressed the importance of questioning everything and verifying twice, particularly concerning AI code, emphasizing that developers cannot blindly take AI-generated code as it comes.
Dev and Engineering Community Builder Tristan Lombard cited a DevSecOps report indicating that as many as 48% of developers do not have the proper time for security, highlighting the gap between project teams and the C-suite regarding the need to address time allocation for security.
It would benefit every developer to get to grips with Salesforce’s Shared Responsibility Model. Ultimately, a Salesforce org is something that both the customer and Salesforce itself have a responsibility to protect.
Our recent Salesforce Ben surveys indicated a low understanding of the Shared Responsibility Model among developers (45%) and admins (26-27%) – a particularly troubling revelation in light of recent security breaches.
E-commerce sites make for attractive cyber attack targets. Salesforce uses and makes available the following tools and practices to help strengthen customers’ security:

Have Hard Conversations… and Learn Soft Skills
Developers should not be afraid to report security issues when they pop up. Attempts to “sweep it under the rug” or take shortcuts will eventually cause bigger problems, project delays, or even worse consequences.
Matt said it is best to foster a culture where finding security issues is rewarded rather than punished, and encouraged developers to educate their teams on how to properly raise security concerns. Matt also stressed the importance of questioning directives and raising security risks, whether from a human or AI.
As AI advances and the role of the developer continues to evolve, one way devs can make themselves indispensable is by learning so-called ‘soft skills’ – which can help them communicate effectively when a security issue arises.
Matt warns that AI should not be blindly trusted because it can be wrong and overlook security checks.
Salesforce Developers and Admins alike would benefit from working together to boost each other’s security knowledge – and lean on each other’s expertise in the worlds of soft skills and technical ability.
Matt said: “I think, going back to the soft skills, I think that’s where admins and developers – especially from a security perspective and soft skill perspective – should be working together.
“The admins typically have those soft skills, the business skills – that’s why they’re an admin, they’re connectors. Then you have the devs who have the technical skills that the admins don’t have. If they pair together, I think the devs can help teach the admins a little bit more about what they should be looking for.
“And then at the same time, the, you know, the devs can be learning a little bit more about those people skills… like you don’t just paste a block of code to business users and say, ‘Here, I fixed the issue.’
“I’ve actually seen that done before where a dev would email all the executives and the business users, ‘Yeah, as you can see, I fixed the issue in the code’, and they just sent a whole page of code to like, you know, project managers and business executives and product owners and who had no idea what that was, which is basically just showing that they don’t understand… that most people don’t understand that.”
Think Like a Hacker – and Fight Fire With Fire
Attackers are already leveraging and weaponizing AI tools to compromise businesses, and we could be said to be in something of an AI “arms race” between bad faith actors and security teams defending would-be targets.
Matt Meyers said developers and admins should “think like a hacker” and create “anti-personas” representing nefarious people who are trying to access the system.
He told Salesforce Ben: “You’re starting to see more and more people using AI for attacks, right? So like, you see, you know, like robo-dialers – more like that kind of thing. Actually, it’s scary, as people have been, for a while, using AI to send email campaigns out for marketing and sales purposes.
“Well, now you’re seeing more people send you more attacking groups using AI, the same tools, maybe even using AI phishing emails, and they’re getting more and more sneaky every day.”
Matt said that in previous years, a phishing email was typically a single message that you would delete, and that was it. Now, he says, he is starting to get phishing email campaigns that look like invoice reminders, and he receives them every few days.
He said: “So the question is: How do you combat that? I have this thought that maybe you have to combat AI with AI, and it’s not that AI is this end all and it’s going to solve everyone’s problems, but I like to think of AI [agents] as interns, and the interns are going to do all the heavy lifting for you, but you still need someone in the end to review that work and get it done, but it’s going to help make things faster.”
Matt described one incident where he received a phishing email which had a PDF telling him to call an 800 number.
“How will a virus scanning or any kind of tool catch that, right?” he said. “It’s a very human type of thing, and that’s the reason that they do that.”
Make Use of AI – Because Hackers Certainly Are
Matt Meyers said that combating AI-driven attacks like advanced phishing campaigns might require using AI against AI, pointing out that agents can expose data if not configured with the right guardrails and prompts.
He stressed that the prompt configuration is critical and developers should ensure agents are only given the necessary access, similar to how a support user would not have full admin access.
You might view artificial intelligence tools as “interns” that can perform heavy lifting – but still require human review, Matt said.
Senior Vice President of Product Management for Security, Privacy, and Data Protection at Salesforce, Marla Hay, told Salesforce Ben that while security concerns are not entirely new for developers, they are becoming much more acute and scaling because of automation around data and tasks generated by AI.
She highlighted the need for admins and developers to bake security in from the beginning and to carefully consider the level of automation and access they allow when introducing AI experiences into their Salesforce instances.
Marla said: “The security concerns aren’t necessarily completely different than they always have been. They are becoming much more acute and scaling with, effectively, what is becoming much more automation around data and tasks.
“So what we’re seeing is a need to ensure that and a savviness for both admins and developers of really baking security in from the beginning – making it a foundational component and then ensuring that as they’re thinking through those AI experiences that they are going to bring into their Salesforce instances, what it means to allow that level of automation and access, and to think through all of those things ahead of time.”
Final Thoughts
Salesforce Developers could do with a shift in mindset. Security is everyone’s responsibility, and it should never be an afterthought. Try thinking like a hacker, developing your soft skills, and treating security like a core part of your role.
It’s not the sexiest topic, but I hope you can agree that it is a very important one.