Salesforce DevSecOps Game Changer: Full S4 CLI Integration with SFDX

Full Speed Ahead: DigitSec SFDX integration accelerates development and reduces cyber risk by shifting security left.

DigitSec has integrated the full S4 CLI with SFDX, so developers can use the complete S4 feature set from their existing tooling and build securely from the ground up. This matters because Salesforce development introduces platform-specific vulnerability classes (Apex, Visualforce and Lightning code, org configuration) that general-purpose application security testing (AST) tools detect poorly. S4 was purpose-built to detect SaaS security vulnerabilities with a high degree of automation, reducing false positives, unnecessary development delays, and the cyber risk that accumulates during the development phase.

S4 identifies application security vulnerabilities in Salesforce source code (Apex, Visualforce, LWC, and related JavaScript), Salesforce runtime injection flaws, vulnerable third-party software libraries, and weak Salesforce security configurations, all within a continuous DevSecOps process. With a simple, seamless integration, Salesforce developers and admins can run S4 as part of their regular testing process.

DevOps Security is Key To SaaS Development

Baking security in as developers and admins work on Salesforce is all the more important because dev and test environments are exposed weak points. It is no longer acceptable to tolerate vulnerabilities in the early stages of development because "it's just the dev environment". SaaS vulnerabilities trickle through the development pipeline and then delay delivery when they have to be fixed before release, or, worse, after they reach production.

One of the most important elements of DevSecOps is the repository branching strategy for Salesforce code. In addition to the master branch, every developer works on their own feature branch, develops their change there, and then merges it back into master. A key requirement for secure development is that master carries zero unresolved high-risk security vulnerabilities, in the same way that it must pass all functional tests. Developers can now use S4 to scan their branch before merging, so that a merge request never introduces a security vulnerability into master.

Shift-Left Security is Essential

The concept of shift-left, which brings security testing closer to the developers, is essential. Faster security analysis of new code and customizations lets developers avoid slowdowns. When working on Salesforce customizations, if security tests run hours or days after a change is submitted and only then reveal defects, it is much harder for developers to recall exactly what they changed. Results that arrive in minutes, not hours or days, improve quality and security at the same time.

In this way, shift-left is a central component of DevSecOps for Salesforce. S4 makes this shift-left easy; try it for yourself.

Once you have the S4 SFDX plugin installed, all you have to do to run S4 is issue the following command:

sfdx digitsec:s4

The results look like the following:

S4 Scanning ... \
Checking scan status ...
{
    status: 'completed',
    version: 'Summer 2021 v 99',
    autoscan: false,
    Findings_new: false,
    _id: '6064f07b463afa5b0d83cd6b',
    Org_Id: '5f454f9593a0272c26dcf33d',
    Created_date: '2021-03-31T21:58:19.704Z',
    Initiated_Scan_date: '2021-03-31T21:58:19.704Z',
    __v: 0,
    size: 13890241,
    Critical: 3,
    High: 36,
    Medium: 11,
    Low: 20
}
Scan completed ...
Generating report ...
Report downloaded ...
View Results Online at S4 ...
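The branching-strategy section above says a feature branch should only merge into master when it carries no unresolved high-risk findings. The following POSIX shell script is an added example of how to turn the S4 output shown above into that merge gate in CI; it is not DigitSec's code and not part of the plugin. It assumes the scan output is captured to a file or piped in, and it only relies on the `status:`, `Critical:` and `High:` lines that appear in the printed scan-status object. The threshold policy (zero Critical, zero High) and the function name are assumptions for illustration.

```shell
#!/bin/sh
# Pre-merge gate for a Salesforce feature branch (added example, not DigitSec's code).
# Assumptions (not from the article): S4 output is piped into check_s4_output,
# and the policy is "zero Critical and zero High findings" before merging to master.

# check_s4_output: read S4 scan output on stdin; return 0 if the branch may merge, 1 otherwise.
check_s4_output() {
    out=$(cat)
    # Pull the severity counts and scan status out of the printed object, e.g. "    High: 36,".
    critical=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Critical:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    high=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*High:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    status=$(printf '%s\n' "$out" | sed -n "s/^[[:space:]]*status:[[:space:]]*'\([a-z]*\)'.*/\1/p" | head -n 1)

    # Fail closed: an incomplete scan or missing counts must not be mistaken for a clean result.
    if [ "$status" != "completed" ] || [ -z "$critical" ] || [ -z "$high" ]; then
        echo "S4 gate: scan status '$status' or severity counts missing; refusing to merge" >&2
        return 1
    fi
    if [ "$critical" -gt 0 ] || [ "$high" -gt 0 ]; then
        echo "S4 gate: $critical critical / $high high findings; fix them before merging" >&2
        return 1
    fi
    echo "S4 gate: no critical or high findings (scan status: $status)"
    return 0
}

# Constructed sample inputs, trimmed from the scan output shown in the article.
SAMPLE_FAIL="Checking scan status ...
    status: 'completed',
    Critical: 3,
    High: 36,
    Medium: 11,
    Low: 20
Scan completed ..."

SAMPLE_PASS="Checking scan status ...
    status: 'completed',
    Critical: 0,
    High: 0,
    Medium: 4,
    Low: 9
Scan completed ..."

# Usage in a CI job (assumed wiring):
#   sfdx digitsec:s4 2>&1 | tee s4.log
#   check_s4_output < s4.log || exit 1
```

Reading the log from a file rather than piping the scan directly into the function keeps the full S4 output available as a build artifact, and the fail-closed branch means a scan that never reaches `status: 'completed'` blocks the merge instead of silently passing it.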

Reach out to us to accelerate your development today.

DigitSec brings four scans to protect Salesforce: Source Code Analysis, Custom Runtime Testing, Software Composition Analysis, & Cloud Security Configuration Review. #DevOps
