Expert Tips for Salesforce Security Assessment and Health Check

April 4, 2024
11 min

How often do you see news announcing hackers successfully attacked a large company having exploited their security vulnerability?

Based on the 2021 Risk Based Security report, there were over 1,700 publicly reported data breaches in the first six months, which resulted in 18.8 billion exposed private records like:

  • Credit card details
  • Social security information
  • Personal emails,
  • Phone numbers,
  • Addresses.
Number of Data Breaches Reported by Q2 Each Year

Number of Data Breaches Reported by Q2 Each Year


What does customers’ data leakage mean to a company? On average, insecure software costs businesses millions per incident and the lack of trust of existing and potential customers. Because we use technology daily in our personal lives and at work, especially now, when most of the activities have moved online, cybercriminals are constantly on guard.

Number of Records Lost Reported by Q2 Each Year Infographics by Ascendix

Number of Records Lost Reported by Q2 Each Year

Based on the same report, the leading data breach source is still hacking accounting for 1201 cases out of 1, 767. And it means that your company should be double watchful in terms of system safety and how your users access the platform.

Number of Data Breaches by Breach Type Infographics Ascendix

Number of Data Breaches by Breach Type

Especially, as your business grows, your org and security measures should adapt to the increasing demands as well. You can ensure that your CRM still aligns with your companies initiatives by tweaking some of the settings or a complete system overhaul.

The threat landscape is more complex than ever, and it’s increasingly difficult for security teams to prevent, detect, analyze, and respond to threats in time.

Apart from hacking risks, there are other dangers that can result in stealing your company and clients’ data, caused by virus attacks and phishing. It takes only one employee opening a phishing email to set off a chain of events that may compromise your company’s data. Relying on the data given in the same report, most of the data leakage happens because of web breaches, hacking, and fraud.

Number of Data Breaches by Breach Type Reported by Q2 2021 Infographics Ascendix

Number of Data Breaches by Breach Type Reported by Q2 2021


And since your company evolves and has more and more complex data flowing across your departments and integrated third-party systems, the size of the data leakage catastrophe seems to be more than impressive.

It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.

Stephane Nappo, a Vice President and Global Chief Information Security Officer at Groupe SEB

Salesforce, as one of the leading and versatile CRM solutions providers, offers the ability to audit your platform to detect any security issues that might have gone unnoticed. These issues are put together in a form of a report that can be used to identify possible risks that can be further addressed case-by-case.


Learn about Salesforce Pros and Cons According to Customer Reviews


Together with Salesforce, we at Ascendix take system security particularly seriously and put organization health and security as one of our top priorities during the full cycle of development and support.

Besides ensuring the reliability of our products, we guarantee the safety of our clients’ information by employing preventive security measures company-wide.

We combine top-level security best practices offered by the most secure CRM platform on the market – Salesforce – and compliment them with our time-tested and trusted approaches collected over years on the CRM consulting and custom software development markets.

Today, I’m going to reveal some of our tips on the Salesforce security assessment and how to increase the security of your org with:

  • CRM security assessment best practices
  • Salesforce health check tools: Health Checker, Salesforce CLI Scanner Plug-in, Checkmarx Code Scanner, Apex PMD Tool
  • More CRM health check tips and links to resources for further reading and practicing

Get Started with Salesforce Checklist

Download the e-book and get your team ready for Salesforce migration and CRM implementation while avoiding common pitfalls.

Full Name
Work Email

Benefits of CRM Regular Audit and Security Assessment


It goes without saying that revising critical areas of Salesforce solution are as important as regular medical checkups to ensure data protection and data loss prevention and stable CRM performance in the future. Thanks to this, you and your company will be able to rely on Salesforce to hold sensitive information and use the solution with confidence.

Regular org check-ups enable you to stay informed about actual vulnerabilities, prioritize remediation roadmap, and adjust change strategy accordingly.

This, in turn, will help accelerate user adoption, develop an effective user training program, and understand existing processes. Besides this important factor, you will be able to manage your investments and costs associated with your current infrastructure better, exceed all industry technology development standards, reduce operation costs, and improve solution scalability. In the end, it will elevate sales management, effectiveness, and results.

How to Know If You Need Salesforce Health Check And Security Assessment


You can see if you need to assess your Salesforce org health by answering the following questions:

  • Does original Salesforce implementation still align with your company initiatives?
  • Do you have a lot of technical debt accumulated over the years?
  • Has the amount of data entering your CRM increased over time?
  • Do you have a lot of duplicate records that require data cleansing?
  • Do many departments use your Salesforce instance as a single source of data?
  • Do you want to know licenses purchased vs actual usage ratio?
  • Are your users noticing errors because of processes time outs or are hitting governor limits?
  • Are you not sure if all users have the right security setup?

Want to Adapt Salesforce to the Growing Needs of your Business?

We have 20+ years of experience in Salesforce customization, configuration, and best custom development practices.

Salesforce Security Assessment Best Practices


The first and foremost step toward making your Salesforce org healthier is to critically assess all the existing and hypothetical system vulnerabilities. You can do it with the help of specialized tools or manually.

To be completely sure of your org’s health, especially the one that involves lots of custom coding, you may require external assistance from professional consultants.

Salesforce consulting agencies like Ascendix will evaluate the weak points of your existing solution from a security standpoint or provide you with a comprehensive validation checklist, audit strategy, and a list of the best-of-breed tools for any budget to diagnose it yourself.

If you’ve decided to assess your platform’s health manually, there is a list of aspects that you need to consider for the accurate Salesforce security assessment:

  • Data storage options
  • License usage
  • Batch classes and scheduler per object
  • Workflows and triggers implementation
  • Custom setting /metadata configuration for controlling Triggers
  • Standard vs Custom development
  • Record ownership

Here are some of the most common signs of unhealthy Salesforce org, that need immediate action:

  • Data storage limits exceeded
  • Frequent system issues
  • Record locking & controversy
  • Pointlessly installed packages


If you are just planning to build your Salesforce-based solution or to modify it to fit your needs completely, you have to think about ensuring security on all the levels of the development and customization cycle.

The Open Web Application Security Project (OWASP) discloses a comprehensive list of the most common web attacks. The top three risks are:


  • Broken Access Control: unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits.
  • Cryptographic Failures: sensitive data exposure.
  • Injection: a query sends bad data to a system in an attempt to cause damage.


Note*: Use OWASP Top 10 List as a guide to developing a minimum level of security in your solution.


Salesforce is a great platform in terms of security and its support both of the Salesforce instance and custom apps. It provides considerable flexibility of security control to meet your individual business requirements.

Also, thanks to its multitenancy and cloud-based nature, and compliance with the certifications and attestations like HIPAA, GDPR. IRAP and others, it is safe to store your data in Salesforce.



Salesforce security features empower you and your users to do your work safely and efficiently. It constantly improves its security functionality with minor updates and major releases 3 times a year.

If you chose to maximize your organization security with standard Salesforce health check tools, we recommend using:

Salesforce Health Check Tools


Salesforce Health Checker


This is one of the top Salesforce health check tools to ensure overall system sustainability and security.

Health Check is used to display your org’s vulnerabilities info on a dashboard, which can be fixed from the same page. Thanks to this tool, you can have a quick look at your org’s overall security. The health score is calculated based on a security baseline: standard or custom.

Standard Baseline – pre-configured org’s security settings for various risk levels suggested by Salesforce.

Custom Baseline – as it’s highlighted by its name, is used for a more specific view of security for such highly regulated industries like health care or finances, where the system should comply with quite strict requirements to protect sensitive, personally identifiable information or to comply with certain regulations (for example GDPR standards) that can’t be met with the standard baseline.

Here are some of the noteworthy guidelines on how to set up the custom baseline from Chitiz Agarwal.

* Note: Before importing a custom baseline to the Salesforce Health Check tool, it’s highly recommended to discuss it with your IT or Compliance departments.

Typically, this score is calculated by measuring how closely your platform’s security settings correspond to Salesforce’s recommended settings, on a scale from 0 – 100%, where:

  • 0% – 54% – Very poor settings configuration
  • 55% – 59% – Poor
  • 60% – 79% – Ok
  • 80% – 89% – Good
  • 90%  – 100% – Excellent

This gradation helps to identify the issues that should be addressed as a top priority with quick fixes or workarounds.

You can configure your security settings as you want, but it’s better to keep this score over 85%. My suggestion is to run Health Checker every month to identify symptoms of an unhealthy Salesforce org.


Salesforce Health Checker

Salesforce Health Checker


Health Checker Pros:


  • A free and easy-to-use tool that gives fast results
  • Integrated into your Salesforce Org and is available out-of-the-box
  • Recommended values are shown next to the actual values for an easy configuration via the Edit link.
  • Enhances the security of the org and, as a result, how the custom code of your custom apps runs in your org.


Health Checker Cons:

  • Not all settings are available
  • Request preliminary testing before changing all the settings


If you need to assess multiple Salesforce orgs at a time, you can orchestrate it via the Salesforce Security Center, a paid tool that can give you more insights into the system usage. For example, you can track how many users log in with multi-factor authentication (MFA).

If you plan to make customization for your solution via code, there are some tools we use that might help you a lot.


Salesforce CLI Scanner Plug-in


The Salesforce CLI Scanner plug-in is a unified tool for static analysis of source code in multiple languages (including Apex). This scanner can create HTML or CVS reports that will show you possible vulnerabilities or even bad code quality.

Great news that, due to CLI, this tool can be included in your CI/CD. We recommend you do this so that each build will have reports with the issues.


Salesforce CLI Scanner Plug-in

Salesforce CLI Scanner Plug-in


Salesforce CLI Scanner Plug-in Pros:

  • Free to use
  • Instant results
  • Can be integrated into your CI/CD


Salesforce CLI Scanner Plug-in Cons:

  • Can show false positive errors
  • Scan your local solution instead of org


When you move your project to release, especially if you want to create a product that you want to sell or put into AppExchange, this solution is necessary to use.


Checkmarx Code Scanner


Checkmark Code Scanner is a tool powered by Salesforce. It runs a security scan on your Salesforce org and gives a detailed report on risks and vulnerabilities. You must fix any errors classified as Low, Medium, or High.


Checkmarx Code Scanner

Checkmarx Code Scanner


Checkmarx Code Scanner Pros:

  • Free with limitations
  • Scans all code of your Salesforce org
  • Recommended by Salesforce


Checkmarx Code Scanner Cons:

  • You must pay if you want to scan more than 360000 lines of code per year
  • It takes time to get a report


Read more about another Salesforce health check app: Salesforce Org Doctor and an app to ensure data hygiene – Duplicate Check in the post: 8 Must-Have Salesforce Apps


Apex PMD Tool


You may have already worked with the PMD (Programming Mistake Detector) tools that are a famous source code analyzer for Java and similar programming languages. Salesforce offers its own tool – Apex PMD for testing the Apex language. With the help of the Apex PMD tool, you can generate Salesforce org errors reports.

It’s aimed to find two core issues: DML operations inside a for-loop and software query within a for-loop. Also, the Apex PMD tool helps to locate programming bugs like unnecessary object creation, unused variables, and empty catch blocks and, as a result, improve quality and avoid maintenance, performance, and bug problems in your Apex code.


Apex PMD Tool Pros: 

  • It’s a free and open-source solution
  • You can set your own custom rules
  • It can be a part of the ANT build script to generate error reports


Best Salesforce License Optimization Strategies 

Download our e-book with our selected strategies for Salesforce license optimization and contract price negotiation to maximize Salesforce investment.

Full Name
Work Email

More Salesforce Health Check Tips


1. Test your Organization


Salesforce has major updates 3 times per year and small updates during the year. These updates make improvements to the organization and provide new features. However, during this period, some of the functionality may be outdated and not supported, especially, if you have a highly customized legacy system.

To prevent seeing your clients unhappy when something goes wrong in the production process after a new major update, we recommend that you prepare your solution for an update in advance. This can be done with the simple strategy:


  • Read release notes and check critical updates
  • Create sandbox with new release and critical updates enabled
  • Test all your scenarios of work
  • Fix all possible issues beforehand!
  • Setup Coding Standard for code review
  • Document the Apex and Test class best practices
  • Categorize the issue based on priority and complexity


2. Set Up Security Configuration


One of the most important things in your organization is the security model. It must be very well defined for whom you must provide access and which information must be hidden.

We will not explain how it can be configured because this is very specific to your company structure, but here in Ascendix, we’ve created our own tool that helps us check and configure a security model to fit the particular needs of a project:


Salesforce Security Configuration

Salesforce Security Configuration


3. Validate Data


Data is an integral part of any CRM platform, and to maximize the effectiveness of your sales and marketing activities, you need to ensure that your data is healthy, accurate, and consistent. To prevent data loss and corruption, you should perform regular data backups, and ensure its hygiene – regular deduplication, and enrichment.


Discover 5 Free Salesforce Data Cleansing Tools in Our Guide 


Keep your system clean by storing your data in the right way, applying data normalization and deduplication best practices.


Check How to Improve Your Data Quality with Salesforce Data Management Tips & Tricks


Further Recommended Reading:


How Ascendix Can Help with Salesforce Health Check and Security Assessment 


We, at Ascendix, provide a broad spectrum of Salesforce assessment services like:

  • Surface-level audit of the orgs’ risks, performance, and adoption
  • Comparison of your Org’s security and system configuration with Salesforce standards
  • Evaluation of user security within the system
  • Platform limits lookup
  • Generation of reports to measure user adoption
  • Review of Apex code quality
  • Analysis of Lightning readiness and mobile compatibility check
  • Analysis of system integration and recommendations on the best solutions to install
  • Business processes review for sales, service, and marketing automation opportunities
  • Revision of data quality and consistency
  • Detailed documentation on process builder and flow development standards


Since Ascendix’s inception, we have led more than 200 projects of different complexity to the technology’s success. Sounds convincing? Then just request free consultancy from our Salesforce-savvy team!


1 Star2 Stars3 Stars4 Stars5 Stars (28 votes, average: 5.00 out of 5)

Leave a comment

Your email address will not be published. Required fields are marked *

First name *
Email *

Need Expert Guidance on How to Introduce Salesforce Functionality Into your Day-to-day Activities?

You found the right place! We provide a detailed Salesforce CRM assessment for your business purposes and advise on the selected approaches to configuration & customization of your Salesforce solution!