Platinum7 helps protect client Salesforce data with automated security scanning.
Doug Merrett of Platinum7 helps protect his clients from security risks in Salesforce by conducting security assessments of their environments.
CISOs, CIOs, CTOs and other security leaders hire Platinum7 because they want more visibility into their security posture, which is often lacking because security has not been treated as a company priority.
- Too many people have too much data visibility. Less than half of clients use private read access on sensitive data, and some have external users with public access as the default.
- There are too many users with privileges they don’t need.
- Clients give third parties full admin access without realizing that some of them follow poor security practices, use outdated libraries, or ship insecure code.
- Most issues are found around code quality and shortcuts taken with code security.
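The first finding above maps to Salesforce org-wide default (OWD) sharing settings, which live in each object's CustomObject metadata as sharingModel and externalSharingModel. The script below is an added example, not Platinum7's or DigitSec's tooling: it audits constructed sample metadata files and flags objects whose internal default is not Private on sensitive data, or whose external default lets community or portal users read records. The object names, the "sensitive" list, and the assumption that a missing externalSharingModel inherits the internal setting are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Salesforce Metadata API namespace used in CustomObject (.object) files.
MD_NS = "{http://soap.sforce.com/2006/04/metadata}"

# sharingModel values that let every user in scope read the object's records.
OPEN_MODELS = {"Read", "ReadWrite", "ReadWriteTransfer", "FullAccess"}

# Constructed sample metadata (assumed object names): one sensitive object with
# open internal and external defaults, one locked down, and one public object
# that never sets an external model at all.
SAMPLE_OBJECTS = {
    "Patient_Record__c": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Patient Record</label>
    <sharingModel>ReadWrite</sharingModel>
    <externalSharingModel>Read</externalSharingModel>
</CustomObject>""",
    "Support_Ticket__c": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Support Ticket</label>
    <sharingModel>Private</sharingModel>
    <externalSharingModel>Private</externalSharingModel>
</CustomObject>""",
    "Public_Notice__c": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Public Notice</label>
    <sharingModel>Read</sharingModel>
</CustomObject>""",
}

# Objects the reviewer has classified as holding sensitive data (assumption).
SENSITIVE_OBJECTS = {"Patient_Record__c"}


def audit_object(name, xml_text, sensitive):
    """Return a list of findings for one CustomObject metadata file.

    Each finding is a dict with the object name, the scope ("internal" or
    "external") and the sharing model that triggered it.
    """
    root = ET.fromstring(xml_text)
    internal = root.findtext(MD_NS + "sharingModel")
    external = root.findtext(MD_NS + "externalSharingModel")
    findings = []

    # Sensitive data should default to Private internally; everything else is
    # reported only if it is exposed to external users.
    if sensitive and internal in OPEN_MODELS:
        findings.append({"object": name, "scope": "internal", "model": internal})

    # Assumption for this example: when no external model is declared, external
    # users receive the same default as internal users.
    effective_external = external or internal
    if effective_external in OPEN_MODELS:
        findings.append({"object": name, "scope": "external", "model": effective_external})

    return findings


def audit_all(objects, sensitive_objects):
    """Audit a mapping of object name -> metadata XML and collect all findings."""
    findings = []
    for name, xml_text in objects.items():
        findings.extend(audit_object(name, xml_text, name in sensitive_objects))
    return findings


if __name__ == "__main__":
    for f in audit_all(SAMPLE_OBJECTS, SENSITIVE_OBJECTS):
        print(f"{f['object']}: {f['scope']} org-wide default is {f['model']}")
```

Against a real org, the same function can be pointed at the objects/ directory of a metadata retrieval; the point of the check is that an external default of Read on a sensitive object is exactly the "external users with public access" condition the assessment describes.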
Why This is Happening
A primary contributor is the lack of understanding of the Salesforce Shared Responsibility Model. It states that Salesforce is secure out-of-the-box and is responsible for core applications, network controls, physical servers, etc.
But as soon as you customize and/or develop on the platform, you’re responsible for your data security, as well as user configurations.
Companies need to understand that their role in Salesforce security is a primary one that requires constant vigilance.
Another factor is the lack of understanding of the customizations and development happening on the platform. Salesforce can spread throughout an entire organization, with different departments adding their own customizations and code.
Platinum7 confirms that the majority of issues found in client assessments stem from a lack of understanding of the settings in place, what those settings mean, and whether they achieve the client’s intended goal.
How Platinum7 Helps Provide Visibility into Salesforce Security
Doug uses automated security testing as part of his detailed assessments to accurately find real risk hidden within his clients’ Salesforce environments.
This testing is especially useful for finding outdated libraries that contain security vulnerabilities. Most of the time these sit in managed packages from third-party vendors, which makes it difficult for the customer to correct them directly.
Most other security issues Doug has seen are related to code quality and shortcuts. People take shortcuts when coding and customizing on Salesforce, resulting in low quality code that’s not secure. Doug uses DigitSec to accurately surface the security vulnerabilities that result from bad coding practices.
“I love DigitSec’s robust scanning capabilities and how they help find real risk in my clients’ environments. DigitSec does especially well with finding vulnerabilities from outdated libraries and catching issues resulting from shortcuts.
Automated security scanning is the main tool I use in my detailed assessments to help my clients secure their Salesforce environments.”
– Doug Merrett, Platinum7