our Salesforce development supply chain can either be an asset to your DevOps efforts or a liability. Data security was a major focus throughout the last year, and this trend will continue into 2022.
Salesforce developers need to keep three factors in mind when managing risk:
- Toolchain: The SolarWinds breach brought into focus the risk associated with development supply chains.
- Code: You need to think holistically about accrued technical debt and the risks it creates across the codebase fromdevelopment to production.
- Data: As the crown jewels of any organization, constant changes to the data create a constant risk of exfiltration.
Keeping these factors in mind, we’ll look into seven steps you need to take to secure your Salesforce development supply chain.
1. Uncover Your Hidden Salesforce Org Debt
Before you start new development projects, you should always:
- Assess the technical debt in existing production organizations.
- Map your metadata dependencies to understand the downstream or upstream impact.
- Prioritize the resolution of technical debt before beginning new projects.
Analyzing your code, managing configurations and more can be handed off to security automation tools.
2. Model Your Threat Vectors
Use threat modeling to understand the risks you face across your toolchain, development practices and data governance. Modeling your data threats helps align mitigation strategies and tactics.
The annual Verizon data breach report for 2021 showed some of the biggest causes of risk come from privilege abuse and data mishandling. Look at your permissions structure and approach and take advantage of Salesforce’s built–in health check to analyze and correct potential threats.
A large portion of your development activity happens outside of Salesforce, from desktop IDEs to version control repositories, test tools, integration frameworks and CI/CD pipelines. The recent Log4j zero-day vulnerability affected not only the Salesforce platform but the commonly used Salesforce desktop data loader and many, if not all, vendors in your toolchain.
Understand the state of your existing production organizations and the hidden risk associated with accumulated technical debt. Performing static code analysis on your existing organizations gives you the opportunity to shift left your approach to quality and security while enabling code review automation.
3. Assess Your Data Governance
All data is not created equal. This is why DevOps teams need to incorporate governance policies across their entire data estate.
While often confused with data management, a solid data governance policy offers an additional benefit—providing a framework for interacting with your Salesforce data. This, in turn, reinforces secure practices to protect against leaks, corruption or tampering.
Data storage in Salesforce can be very expensive. These practices should extend beyond Salesforce to any third-partydata storage solution where backups or data might be archived.
From a business continuity perspective, ensuring that you don’t have all your eggs in one basket is critical. Revisit your governance policies as your company’s needs evolve.
Keep lines of communication open so team members can suggest improvements and alert management about potential issues.
4. Secure the Supply Chain
Every access point to your Salesforce system and coding environment is a potential vulnerability. There are a series of threats from both outside and inside your organization.
Your DevOps management team should provide clear instructions for how your team members interact with your systems. Proper employee behavior is the simplest and cheapest way to protect your Salesforce system.
Protect the edge of your supply chain. Deploy and maintain endpoint protection. Many documents uploaded to Salesforce are infected with malware, and Salesforce doesn’t provide native protection.
Maintain consistent permissions policies across your sandboxes, version control repositories, DevOps pipelines and automated testing tools. Open access might seem attractive, but it opens your system up to being compromised if any of your team members are hacked.
Update older versions of development tools and clients that may use out-of-date encryption standards, making them vulnerable to attack.
Third-party libraries and packages are potentially vulnerable to substitution attacks (also known as dependency confusion). A key risk in 2022 is Salesforce functions allowing for arbitrary use of third-party, open source libraries and packages.
5. Adopt Development Best Practices
Many customers struggle to enforce Salesforce best practices. Adhering to these standards provides a series of benefitsthat help maintain:
- Internal code documentation
- Unit testing for Apex code
- Trigger best practices
- Query behavior—particularly at scale
- Data handling practices in Lightning components
Automated code analysis tools are essential for optimizing DevOps efforts, especially considering the rapid growth of Salesforce development teams. This empowers developers by providing advice within their IDEs to reduce waste while continuously improving their quality gates.
6. Continuously Audit Organization Health
Automating security checks greatly reduces vulnerabilities. However, DevOps systems are always running a wide variety of processes. Security issues are liable to pop up at any stage.
Scheduling frequent security audits and health checks provides another layer of oversight to find security challenges either before they become a problem or shortly thereafter.
Attending to these issues as quickly as possible is the best way to keep them from becoming major problems. The frequency of these Salesforce system checks will vary depending on the amount of change your organization is undergoing either administratively or from new releases. Perform a quarterly review, at minimum.
7. Ensure Business Continuity
Salesforce is not too big to fail. There were multiple outages in 2021. Business continuity goes beyond simply having backups—it’s about being able to access the data in the event of various levels of outages.
Losing data can interrupt services, create redundant work for team members and cost the company a lot of money. Accidental deletions, cyberattacks and system failures are, unfortunately, impossible to completely guard against.
Be prepared for worst-case scenarios by instituting a schedule of frequent data backups, as well as a plan for data recovery.