Stopping Hackers in their Tracks

How S4 identiﬁed over 2000 vulnerabilities in a public, tech

company’s Salesforce environment.

Identifying risks to data in Salesforce with S4

A public tech company known for its ability to manage digital transactions securely has been

customizing and developing on Salesforce since 2008. When the General Data Protection Regulation

(GDPR) came into effect in late May of 2018, the company’s internal security team reached out to

DigitSec, Inc. to perform a security scan of their entire Salesforce environment. They had previously

relied on a third-party to handle all of their Salesforce customizations, but were not sure whether or not

the third-party has used security best practices during the development process. DigitSec, Inc. was

chosen to perform the scan, due to S4’s ability to analyze all code directly in the organization.

Within hours of launching its security scan of the company’s Salesforce environment, S4 was able to

rapidly identify over 2000 threats to their data. S4’s speed and efﬁciency stems from its unique

application of static code analysis and runtime testing. Static code analysis is used by creating call ﬂows

to identify CRUD/FLS ﬂaws. Runtime testing plays a role by utilizing white-box fuzzing to identify

injection ﬂaws. After these ﬂaws are identiﬁed, they are backed up with Proof of Concept (PoC) exploits

to ensure there are no false positives.

S4 - SaaS Security Scanner for Salesforce (S4), is a security tool developed by DigitSec, Inc. that protects

Salesforce organizations from hackers and data breaches. S4 does this by utilizing static code analysis

and runtime testing to identify threats and vulnerabilities in Apex code written in the Force.com

development environment. As the leading SaaS application security provider, S4 is committed to

providing scans which are both robust and thorough. In accordance with that, S4 can be easily scaled out

for large organizations and provides Proof of Concept (PoC) exploits for all injection ﬂaws uncovered.

S4 - SaaS Security Scanner for Salesforce

Stopping Hackers in Their Tracks

DigitSec, Inc.

Failure to meet GDPR compliance can result

in ﬁnes as large as £20 million or 4% or your

company’s annual global turnover - whichever

is higher.

The GDPR is a legal framework that sets

guidelines for the collection and processing of

personal information of idividuals within the

European Union.

S4 uncovered the following risks and vulnerabilities

In total, S4 discovered 1820 high risk issues, 192 medium risk issues, and 42 low risk issues. Among the

medium and low risk issues, the risks identiﬁed ranged from injection ﬂaws to misconﬁgurations. The

1820 high risk issues included authorization bypass, injection ﬂaws, cross-site request forgery, cross-site

scripting, insecure APIs, and weak credentials. High risk issues are vulnerabilities S4 recommends be

dealt with immediately. These are easy target areas for hackers and security openings which if exploited,

could have a disastrous result for the company involved.

Case Study

Company had been customizing and

developing on Salesforce for 10 years

Company relied on a 3rd party developer

who did not use security best-practices

Once the company realized their Salesforce data was in danger, they further enlisted the help of S4 in

order to fully understand the threats uncovered and learn how to ﬁx the issues effectively. S4 was able

to do this by providing clear vulnerability tracking in Salesforce, and by matching each threat uncovered

with an expert remediation recommendation. This allowed the company’s internal security team to work

through the threats in the order of most importance and resolve each threat with conﬁdence.

S4 provides remediation recommendations

Because of the internal security team’s diligence in complying with GDPR regulations and S4’s robust

security scanning, the company escaped imminent threats to their data in Salesforce.

Engagement overview

DigitSec, Inc.

Medium risk

Low risk

High risk

89%

Types of issues detected in the

company’s Salesforce instance

2054 total risks and vulnerabilities

discovered

Expert remediation recommendations

provided for each threat

1 less company at risk from an attack on

their Salesforce data

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Sign up to get updates and security insights from DigitSec