Spotlight on Compliance and Common Weakness Enumeration Overlays


The DigitSec S4 Winter22 release introduced a number of new features and improvements, but I’d like to focus your attention on two very important data overlays that we’ve added to our findings report. The first is the ability to query our findings for vulnerabilities that correspond to policies in a number of compliance frameworks. The second is a set of filters that let you reference vulnerabilities by their Common Weakness Enumeration (CWE) ID. CWE is a universal identifier and reference for software weaknesses.

Just as the Rosetta Stone once helped archeologists finally decipher Egyptian hieroglyphs by using a Greek primer, these overlays help S4 users by providing a greater degree of context for the vulnerabilities found in their Salesforce environment. 

Many organizations invest substantial time and resources to make sure they align with different compliance frameworks. As an example, the Payment Card Industry Data Security Standard (PCI DSS) is very important to companies that rely on processing credit card transactions. Credit card companies like Visa or Mastercard mandate that users of their systems comply with these standards. If companies don’t comply, those credit card companies would likely refuse to work with them, or shift more liability to them in the event of a data breach.

We often talk about “Shifting Left,” which means making security considerations an important component of the Software Development Lifecycle and moving them earlier in the timeline. We believe that having your frontline developers check their code for Salesforce security vulnerabilities before they submit it for review can yield enormous benefits. But, under tight deadlines, it may be important to prioritize the remediation of vulnerabilities. Perhaps a finding is classified as only a medium severity data security risk, yet it would violate a compliance rule. In that case, a developer would have greater context for how to prioritize their work.

The compliance overlays also provide companies with a valuable “point-in-time” report that reflects their fidelity to the standard. Managers can keep track of their results and use them to communicate with different stakeholders and auditors that they are monitoring compliance efficiently and can point to a reliable track record.

S4 now provides compliance overlays for GDPR, HIPAA, ISO27001, PCI DSS and APPI. We have additional compliance frameworks in our product roadmap as well.

Focusing on software development, our vulnerability detail findings also now indicate a Common Weakness Enumeration ID value. These references allow developers to fully understand the nature of the vulnerability not just in the Salesforce context that we describe in each finding, but also within the greater context of Software Development in the abstract. 

This can help managers and developers better understand how these vulnerabilities might put their data and systems at risk, because the weaknesses CWE describes apply to any development environment. These references can also help teams group findings and assign them to other teams so that each team is responsible for remediating the similar vulnerabilities that best align with its background. Moreover, they can help developers with different specializations discuss the impact of the findings and how to approach remediation.
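The two uses described above, prioritizing a medium-severity finding that violates a compliance policy and grouping findings by CWE for assignment, as an added illustration that is not part of the original post and not S4 code. The finding records, their field names (severity, cwe, compliance) and the file names are constructed assumptions, not the S4 report format.

```python
"""Triage scanner findings using compliance and CWE overlays (constructed example)."""
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample findings: the CWE IDs are real CWE entries, everything else
# (ids, file names, overlay tags) is invented for this example.
FINDINGS = [
    {"id": "F1", "title": "SOQL injection", "severity": "high",
     "cwe": "CWE-89", "compliance": ["PCI DSS", "ISO27001"], "file": "AccountCtl.cls"},
    {"id": "F2", "title": "Missing CRUD/FLS check", "severity": "medium",
     "cwe": "CWE-862", "compliance": ["GDPR", "HIPAA"], "file": "PatientSvc.cls"},
    {"id": "F3", "title": "Hard-coded credential", "severity": "medium",
     "cwe": "CWE-798", "compliance": [], "file": "Callout.cls"},
    {"id": "F4", "title": "Unused variable", "severity": "low",
     "cwe": "CWE-563", "compliance": [], "file": "Util.cls"},
]


def priority(finding):
    """Sort key: findings that hit a compliance overlay first, then by severity.

    A medium finding that violates a framework policy outranks a medium finding
    that does not, which is the prioritization the overlays are meant to enable.
    """
    return (len(finding["compliance"]) > 0, SEVERITY_RANK[finding["severity"]])


def triage(findings, frameworks=None):
    """Return findings ordered by priority, optionally restricted to frameworks."""
    if frameworks:
        findings = [f for f in findings if set(f["compliance"]) & set(frameworks)]
    return sorted(findings, key=priority, reverse=True)


def group_by_cwe(findings):
    """Bucket finding ids by CWE so similar weaknesses can go to one team."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["cwe"]].append(f["id"])
    return dict(groups)


if __name__ == "__main__":
    for f in triage(FINDINGS):
        print(f["id"], f["severity"], f["cwe"], ",".join(f["compliance"]) or "-")
    print(group_by_cwe(FINDINGS))
```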

These overlays provide a greater depth of context for each vulnerability that lets different teams better understand their Salesforce security posture within a diverse landscape of business priorities. 

Phil Lepanto

Phil Lepanto leads DigitSec's Customer Success Team. His goal is to help developers, administrators and executives be proactive and engaged in preventing, identifying and remediating security vulnerabilities on SaaS platforms. He currently lives in Seattle, WA and is formerly of Washington, DC.

DigitSec

DigitSec brings four scans to protect Salesforce: Source Code Analysis, Custom Runtime Testing, Software Composition Analysis, & Cloud Security Configuration Review. #DevOps
