Secure Development in the Salesforce Ecosystem – Key Findings


Secure development means making sure that when you build something on the Salesforce platform, you are not introducing flaws that could compromise the security of the data in your org (or in your customers’ orgs, if you are a partner).

How do teams in the Salesforce ecosystem deal with security in the development lifecycle? What are the risks of having insecure code in your org? And which problems are commonly overlooked?


We interviewed Lorenzo Frattini, a Salesforce CTA (Certified Technical Architect) and the founder of Clayton, to discuss his latest report, “The State of Secure Development in the Salesforce Ecosystem”.

Doesn’t Salesforce take care of security for us?

It’s more complicated than that.

Salesforce is one of the most trusted cloud platforms out there. However, it’s so flexible that vulnerabilities can be introduced whenever code is involved. Developments with Apex, LWC, Aura, Visualforce, etc. are not secure by default: you need to actively check them to ensure they are secure.

What can possibly happen if I have insecure code in my org?

As an example, one could have a well-architected role hierarchy with extremely granular object and field-level permissions in place, and assume that’s their security sorted. Yet, those restrictions could be completely bypassed by users in the presence of a security flaw. This means users may access or manipulate information they shouldn’t even see, which could be a very serious issue when dealing with customer data.
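The bypass described in this answer is easiest to see in Apex. The following is an added example, not code from the report, from Clayton or from the interviewee: a Lightning controller that runs in system context and therefore ignores the org’s sharing rules and field-level security, beside a hardened version. The object `Invoice__c` and its fields `Amount__c` and `Bank_Account__c` are assumed for illustration; each class would live in its own `.cls` file.

```apex
// Added example, not part of the original article. Invoice__c, Amount__c and
// Bank_Account__c are assumed custom object/field names.

// VULNERABLE: no sharing keyword, so the class runs in system context and the
// role hierarchy / sharing rules are not applied. The SOQL also runs in system
// mode, so field-level security on Bank_Account__c is ignored too.
public class InvoiceController_Vulnerable {
    @AuraEnabled(cacheable=true)
    public static List<Invoice__c> getInvoices() {
        // Returns every Invoice__c in the org, bank details included, to any
        // user who can reach the component that calls this method.
        return [SELECT Id, Name, Amount__c, Bank_Account__c FROM Invoice__c];
    }
}

// HARDENED: 'with sharing' enforces record-level sharing; 'WITH USER_MODE'
// makes the query respect the running user's object and field permissions.
public with sharing class InvoiceController {
    @AuraEnabled(cacheable=true)
    public static List<Invoice__c> getInvoices() {
        // In user mode a field the user cannot read raises a QueryException
        // instead of silently returning the value.
        return [SELECT Id, Name, Amount__c, Bank_Account__c
                FROM Invoice__c
                WITH USER_MODE];
    }

    // Alternative when you would rather drop inaccessible fields than fail:
    // stripInaccessible removes fields the user cannot read from the results.
    @AuraEnabled(cacheable=true)
    public static List<Invoice__c> getInvoicesStripped() {
        List<Invoice__c> rows =
            [SELECT Id, Name, Amount__c, Bank_Account__c FROM Invoice__c];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }

    // Writes need the same treatment: user-mode DML fails if the running user
    // lacks edit access to the record or to Amount__c.
    @AuraEnabled
    public static void updateAmount(Id invoiceId, Decimal amount) {
        Invoice__c inv = new Invoice__c(Id = invoiceId, Amount__c = amount);
        Database.update(inv, AccessLevel.USER_MODE);
    }
}
```

The check a reviewer wants is simple: every class that exposes data to a UI or API should declare `with sharing` (or `inherited sharing`), and every SOQL/DML path that acts on the user’s behalf should run in user mode or go through `Security.stripInaccessible`. Picking `getInvoices` versus `getInvoicesStripped` is a product decision (fail loudly or degrade gracefully); either is preferable to the vulnerable version, which leaks regardless of how carefully the permission model was designed.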

So everyone in the ecosystem must take security very seriously, right?

Yes, yet surprisingly that’s not what we see. We discovered that 78% of professionals haven’t even attended any recent security training, which is concerning.
Our findings suggest that, apart from ISVs that are typically more diligent, the majority of customers and partners tend to be very relaxed when it comes to secure development. It’s surprising how few companies actually do this properly.

Salesforce provides a free security scanner: doesn’t that help?

The Force.com Scanner is a vulnerability scanner provided by Salesforce in partnership with Checkmarx.

It’s a great resource to help teams with secure development. However, we found that only 7% of those who have used it had a satisfactory experience. There is a clear list of pains that professionals have with this tool, which inevitably translates into a lot of companies not getting secure development right.

How common are security flaws in Salesforce orgs?

We find security problems in almost every Salesforce org where we see code. In 66% of the cases, problems are potentially serious. Not every flaw is equally dangerous, but some problems pose real risks and should be taken seriously, as they could be extremely damaging to any organisation.

What security problems are most commonly overlooked?

The risk of data leaks appears to be dominant; however, we find that traditional web application vulnerabilities (the so-called “OWASP Top 10”), such as code injections, use of libraries with known vulnerabilities, etc., are also quite common.

I would recommend checking out our full report for more insights. We hope it will help many organisations, architects, and developers out there to do more to keep their customers’ data secure.
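The injection class mentioned in the answer above shows up on the Salesforce platform as SOQL injection. The following is an added example, not code from the report, from Clayton or from the interviewee: a search method that concatenates user input into a dynamic query, beside two hardened forms (an inline query with a bind variable, and a dynamic query that keeps values out of the string). The `Account` object and its `Name` and `CreatedDate` fields are standard; the method and class names are assumed, and each class would live in its own `.cls` file.

```apex
// Added example, not part of the original article. Class and method names are
// illustrative; Account, Name and CreatedDate are standard Salesforce fields.

// VULNERABLE: user-controlled input is concatenated into the SOQL string.
public with sharing class AccountSearch_Vulnerable {
    @AuraEnabled
    public static List<Account> search(String nameFragment) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%'
                    + nameFragment + '%\'';
        // nameFragment = "x%' OR Name != '" turns the WHERE clause into
        //   Name LIKE '%x%' OR Name != '%'
        // which matches every Account; an attacker can equally add conditions
        // on fields the UI never exposes and read them through the result set.
        return Database.query(soql);
    }
}

// HARDENED: values go to the query engine as binds, never as SOQL text.
public with sharing class AccountSearch {
    @AuraEnabled
    public static List<Account> search(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        // A bind variable is data: quotes and keywords in it are not parsed.
        // WITH USER_MODE additionally enforces object and field permissions.
        return [SELECT Id, Name FROM Account
                WHERE Name LIKE :pattern
                WITH USER_MODE];
    }

    // When the query genuinely has to be dynamic (here: the sort field is
    // chosen at runtime), allow-list the structural part and bind the rest.
    public static List<Account> searchSorted(String nameFragment, String sortField) {
        Set<String> allowedSortFields = new Set<String>{ 'Name', 'CreatedDate' };
        if (!allowedSortFields.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field');
        }
        Map<String, Object> binds = new Map<String, Object>{
            'pattern' => '%' + nameFragment + '%'
        };
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE :pattern '
                    + 'ORDER BY ' + sortField;
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }
}
```

Two caveats a practitioner should keep in mind. First, `%` and `_` inside `nameFragment` are still wildcards for `LIKE`; binding prevents the attacker from changing the query’s structure, not from widening the pattern, so strip or escape those characters if that matters. Second, the older advice to wrap input in `String.escapeSingleQuotes()` only protects quoted string literals; it does nothing for input spliced into field names, `ORDER BY` or `LIMIT`, which is why the dynamic form above allow-lists the sort field rather than escaping it.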

Find out more

“The State of Secure Development in the Salesforce Ecosystem” is a report published by Clayton that explores how teams, customers and partners in the Salesforce ecosystem are dealing with security in the development lifecycle. The report combines survey results from professionals from all over the world with aggregated data derived from analysing millions of lines of Salesforce code every day.

You can download the full report at getclayton.com/security-report

About Clayton

Clayton is the world’s first developer-friendly robot that helps Salesforce teams catch security vulnerabilities and design flaws early, before they become problems. We help companies like Sage, 8×8 and Deliveroo keep their developments secure on the Salesforce platform. For more information: getclayton.com
