Expert Tips for Salesforce Security Assessment and Health Check

How often do you see news announcing hackers successfully attacked a large company having exploited their security vulnerability?

Based on the 2021 Risk Based Security report, there were over 1,700 publicly reported data breaches in the first six months, which resulted in 18.8 billion exposed private records like:

• Credit card details
• Social security information
• Personal emails,
• Phone numbers,
• Addresses.

 

What does customers’ data leakage mean to a company? On average, insecure software costs businesses millions per incident and the lack of trust of existing and potential customers. Because we use technology daily in our personal lives and at work, especially now, when most of the activities have moved online, cybercriminals are constantly on guard.

Based on the same report, the leading data breach source is still hacking accounting for 1201 cases out of 1, 767. And it means that your company should be double watchful in terms of system safety and how your users access the platform.

Especially, as your business grows, your org and security measures should adapt to the increasing demands as well. You can ensure that your CRM still aligns with your companies initiatives by tweaking some of the settings or a complete system overhaul.

The threat landscape is more complex than ever, and it’s increasingly difficult for security teams to prevent, detect, analyze, and respond to threats in time.

Apart from hacking risks, there are other dangers that can result in stealing your company and clients’ data, caused by virus attacks and phishing. It takes only one employee opening a phishing email to set off a chain of events that may compromise your company’s data. Relying on the data given in the same report, most of the data leakage happens because of web breaches, hacking, and fraud.

 

And since your company evolves and has more and more complex data flowing across your departments and integrated third-party systems, the size of the data leakage catastrophe seems to be more than impressive.

Salesforce, as one of the leading and versatile CRM solutions providers, offers the ability to audit your platform to detect any security issues that might have gone unnoticed. These issues are put together in a form of a report that can be used to identify possible risks that can be further addressed case-by-case.

 

 

Together with Salesforce, we at Ascendix take system security particularly seriously and put organization health and security as one of our top priorities during the full cycle of development and support.

Besides ensuring the reliability of our products, we guarantee the safety of our clients’ information by employing preventive security measures company-wide.

We combine top-level security best practices offered by the most secure CRM platform on the market – Salesforce – and compliment them with our time-tested and trusted approaches collected over years on the CRM consulting and custom software development markets.

Today, I’m going to reveal some of our tips on the Salesforce security assessment and how to increase the security of your org with:

• CRM security assessment best practices
• Salesforce health check tools: Health Checker, Salesforce CLI Scanner Plug-in, Checkmarx Code Scanner, Apex PMD Tool
• More CRM health check tips and links to resources for further reading and practicing

Benefits of CRM Regular Audit and Security Assessment

 

It goes without saying that revising critical areas of Salesforce solution are as important as regular medical checkups to ensure data protection and data loss prevention and stable CRM performance in the future. Thanks to this, you and your company will be able to rely on Salesforce to hold sensitive information and use the solution with confidence.

Regular org check-ups enable you to stay informed about actual vulnerabilities, prioritize remediation roadmap, and adjust change strategy accordingly.

This, in turn, will help accelerate user adoption, develop an effective user training program, and understand existing processes. Besides this important factor, you will be able to manage your investments and costs associated with your current infrastructure better, exceed all industry technology development standards, reduce operation costs, and improve solution scalability. In the end, it will elevate sales management, effectiveness, and results.

How to Know If You Need Salesforce Health Check And Security Assessment

 

You can see if you need to assess your Salesforce org health by answering the following questions:

• Does original Salesforce implementation still align with your company initiatives?
• Do you have a lot of technical debt accumulated over the years?
• Has the amount of data entering your CRM increased over time?
• Do you have a lot of duplicate records that require data cleansing?
• Do many departments use your Salesforce instance as a single source of data?
• Do you want to know licenses purchased vs actual usage ratio?
• Are your users noticing errors because of processes time outs or are hitting governor limits?
• Are you not sure if all users have the right security setup?

Salesforce Security Assessment Best Practices

 

The first and foremost step toward making your Salesforce org healthier is to critically assess all the existing and hypothetical system vulnerabilities. You can do it with the help of specialized tools or manually.

To be completely sure of your org’s health, especially the one that involves lots of custom coding, you may require external assistance from professional consultants.

Salesforce consulting agencies like Ascendix will evaluate the weak points of your existing solution from a security standpoint or provide you with a comprehensive validation checklist, audit strategy, and a list of the best-of-breed tools for any budget to diagnose it yourself.

If you’ve decided to assess your platform’s health manually, there is a list of aspects that you need to consider for the accurate Salesforce security assessment:

• Data storage options
• License usage
• Batch classes and scheduler per object
• Workflows and triggers implementation
• Custom setting /metadata configuration for controlling Triggers
• Standard vs Custom development
• Record ownership

Here are some of the most common signs of unhealthy Salesforce org, that need immediate action:

• Data storage limits exceeded
• Frequent system issues
• Record locking & controversy
• Pointlessly installed packages

 

If you are just planning to build your Salesforce-based solution or to modify it to fit your needs completely, you have to think about ensuring security on all the levels of the development and customization cycle.

The Open Web Application Security Project (OWASP) discloses a comprehensive list of the most common web attacks. The top three risks are:

 

• Broken Access Control: unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits.
• Cryptographic Failures: sensitive data exposure.
• Injection: a query sends bad data to a system in an attempt to cause damage.

 

Note*: Use OWASP Top 10 List as a guide to developing a minimum level of security in your solution.

 

Salesforce is a great platform in terms of security and its support both of the Salesforce instance and custom apps. It provides considerable flexibility of security control to meet your individual business requirements.

Also, thanks to its multitenancy and cloud-based nature, and compliance with the certifications and attestations like HIPAA, GDPR. IRAP and others, it is safe to store your data in Salesforce.

 

 

Salesforce security features empower you and your users to do your work safely and efficiently. It constantly improves its security functionality with minor updates and major releases 3 times a year.

If you chose to maximize your organization security with standard Salesforce health check tools, we recommend using:

Salesforce Health Check Tools

 

Salesforce Health Checker

 

This is one of the top Salesforce health check tools to ensure overall system sustainability and security.

Health Check is used to display your org’s vulnerabilities info on a dashboard, which can be fixed from the same page. Thanks to this tool, you can have a quick look at your org’s overall security. The health score is calculated based on a security baseline: standard or custom.

Standard Baseline – pre-configured org’s security settings for various risk levels suggested by Salesforce.

Custom Baseline – as it’s highlighted by its name, is used for a more specific view of security for such highly regulated industries like health care or finances, where the system should comply with quite strict requirements to protect sensitive, personally identifiable information or to comply with certain regulations (for example GDPR standards) that can’t be met with the standard baseline.

Here are some of the noteworthy guidelines on how to set up the custom baseline from Chitiz Agarwal.

* Note: Before importing a custom baseline to the Salesforce Health Check tool, it’s highly recommended to discuss it with your IT or Compliance departments.

Typically, this score is calculated by measuring how closely your platform’s security settings correspond to Salesforce’s recommended settings, on a scale from 0 – 100%, where:

• 0% – 54% – Very poor settings configuration
• 55% – 59% – Poor
• 60% – 79% – Ok
• 80% – 89% – Good
• 90%  – 100% – Excellent

This gradation helps to identify the issues that should be addressed as a top priority with quick fixes or workarounds.

You can configure your security settings as you want, but it’s better to keep this score over 85%. My suggestion is to run Health Checker every month to identify symptoms of an unhealthy Salesforce org.

 

 

Health Checker Pros:

 

• A free and easy-to-use tool that gives fast results
• Integrated into your Salesforce Org and is available out-of-the-box
• Recommended values are shown next to the actual values for an easy configuration via the Edit link.
• Enhances the security of the org and, as a result, how the custom code of your custom apps runs in your org.

 

Health Checker Cons:

• Not all settings are available
• Request preliminary testing before changing all the settings

 

If you need to assess multiple Salesforce orgs at a time, you can orchestrate it via the Salesforce Security Center, a paid tool that can give you more insights into the system usage. For example, you can track how many users log in with multi-factor authentication (MFA).

If you plan to make customization for your solution via code, there are some tools we use that might help you a lot.

 

Salesforce CLI Scanner Plug-in

 

The Salesforce CLI Scanner plug-in is a unified tool for static analysis of source code in multiple languages (including Apex). This scanner can create HTML or CVS reports that will show you possible vulnerabilities or even bad code quality.

Great news that, due to CLI, this tool can be included in your CI/CD. We recommend you do this so that each build will have reports with the issues.

 

 

Salesforce CLI Scanner Plug-in Pros:

• Free to use
• Instant results
• Can be integrated into your CI/CD

 

Salesforce CLI Scanner Plug-in Cons:

• Can show false positive errors
• Scan your local solution instead of org

 

When you move your project to release, especially if you want to create a product that you want to sell or put into AppExchange, this solution is necessary to use.

 

Checkmarx Code Scanner

 

Checkmark Code Scanner is a tool powered by Salesforce. It runs a security scan on your Salesforce org and gives a detailed report on risks and vulnerabilities. You must fix any errors classified as Low, Medium, or High.

 

 

Checkmarx Code Scanner Pros:

• Free with limitations
• Scans all code of your Salesforce org
• Recommended by Salesforce

 

Checkmarx Code Scanner Cons:

• You must pay if you want to scan more than 360000 lines of code per year
• It takes time to get a report

 

 

Apex PMD Tool

 

You may have already worked with the PMD (Programming Mistake Detector) tools that are a famous source code analyzer for Java and similar programming languages. Salesforce offers its own tool – Apex PMD for testing the Apex language. With the help of the Apex PMD tool, you can generate Salesforce org errors reports.

It’s aimed to find two core issues: DML operations inside a for-loop and software query within a for-loop. Also, the Apex PMD tool helps to locate programming bugs like unnecessary object creation, unused variables, and empty catch blocks and, as a result, improve quality and avoid maintenance, performance, and bug problems in your Apex code.

 

Apex PMD Tool Pros: 

• It’s a free and open-source solution
• You can set your own custom rules
• It can be a part of the ANT build script to generate error reports

 

More Salesforce Health Check Tips

 

1. Test your Organization

 

Salesforce has major updates 3 times per year and small updates during the year. These updates make improvements to the organization and provide new features. However, during this period, some of the functionality may be outdated and not supported, especially, if you have a highly customized legacy system.

To prevent seeing your clients unhappy when something goes wrong in the production process after a new major update, we recommend that you prepare your solution for an update in advance. This can be done with the simple strategy:

 

• Read release notes and check critical updates
• Create sandbox with new release and critical updates enabled
• Test all your scenarios of work
• Fix all possible issues beforehand!
• Setup Coding Standard for code review
• Document the Apex and Test class best practices
• Categorize the issue based on priority and complexity

 

2. Set Up Security Configuration

 

One of the most important things in your organization is the security model. It must be very well defined for whom you must provide access and which information must be hidden.

We will not explain how it can be configured because this is very specific to your company structure, but here in Ascendix, we’ve created our own tool that helps us check and configure a security model to fit the particular needs of a project:

 

 

3. Validate Data

 

Data is an integral part of any CRM platform, and to maximize the effectiveness of your sales and marketing activities, you need to ensure that your data is healthy, accurate, and consistent. To prevent data loss and corruption, you should perform regular data backups, and ensure its hygiene – regular deduplication, and enrichment.

 

 

Keep your system clean by storing your data in the right way, applying data normalization and deduplication best practices.

 

 

Further Recommended Reading:

 

• Trailhead Module: How to Use Health Check to Scan Your Security Configurations
• Trailhead Module: How to Run Health Check
• Help.Salesforce.com: Security Health Check
• Help.Salesforce.com: How Is the Health Check Score Calculated?
• Help.Salesforce.com: Security Status Control
• Help.Salesforce.com: Salesforce Security Vulnerability Assessment and Penetration Test
• Apex Hours: Salesforce Health Check
• Salesforce Ben: Salesforce Security Health Check: How to Find Vulnerabilities

How Ascendix Can Help with Salesforce Health Check and Security Assessment 

 

We, at Ascendix, provide a broad spectrum of Salesforce assessment services like:

• Surface-level audit of the orgs’ risks, performance, and adoption
• Comparison of your Org’s security and system configuration with Salesforce standards
• Evaluation of user security within the system
• Platform limits lookup
• Generation of reports to measure user adoption
• Review of Apex code quality
• Analysis of Lightning readiness and mobile compatibility check
• Analysis of system integration and recommendations on the best solutions to install
• Business processes review for sales, service, and marketing automation opportunities
• Revision of data quality and consistency
• Detailed documentation on process builder and flow development standards

 

Since Ascendix’s inception, we have led more than 200 projects of different complexity to the technology’s success. Sounds convincing? Then just request free consultancy from our Salesforce-savvy team!