S4 for Salesforce reviews the configurations of a Salesforce org and identifies flaws.

S4 uses a robust client-side static code analysis engine to create call flows to identify CRUD/FLS flaws. It uses data flow analysis to associate Visualforce components to their associated controllers. This information is then used by a white-box fuzzer to identify injection vulnerabilities.

S4 uses white-box fuzzing to rapidly identify injection flaws within Force.com code. All vulnerabilities identified during run-time testing contain Proof of Concept (PoC) exploits. This ensures there are no false positives.

S4 launches the custom fuzzer in the installed organization and can be scaled out to as many organizations as needed. All code analyzed remains within the organization preserving intellectual property of the code base.