Are Static Resources Exposing Your Salesforce Community to Cyber Attacks
With Salesforce Experience Cloud you can build branded digital experiences for sharing information and working together with the people who matter to your business, such as customers, partners, and employees. Whether you call it a portal, help forum, community, or something else, an Experience Cloud site is where you connect with those people, and it is therefore a place worth protecting.
It is essential to have a security architecture strategy for your Experience Cloud sites and the data behind them. Security settings live in several places; some affect every site in the org, others are specific to one site. Most of them are found in three locations: the Settings tile in Experience Workspaces, the user permissions in your Salesforce org, and the org-wide Experience Cloud settings in Salesforce Setup. But have you considered the security implications of the static resources your Digital Experiences load?
In Salesforce, static resources are the mechanism developers use to upload assets to the org: CSS, static HTML, images, and JavaScript that the site depends on to render and function. Because those assets are served to every visitor of the site, whatever is inside them runs in every visitor's browser.
In this article we look at open-source assets uploaded as static resources, how they can become an attacker's entry point into a Salesforce Digital Experience, and why you should care.
Almost 95% of companies actively use open-source code, so the exposure is widespread. The point was driven home in late 2021, when a wide-reaching vulnerability (Log4Shell, CVE-2021-44228) was discovered in the open-source Java library Log4j and affected many Salesforce customers and AppExchange vendors.
Open-source libraries can do real damage to a business because the code is written and maintained by people outside your organization, and those people, their accounts, and their build pipelines are exposed to social engineering and to the injection of malicious code. So why don't companies simply stop using such code?
The truth is that nothing connected to the internet is entirely secure; if the weakness is not in open-source code, it will be somewhere else. Giving up open source also means giving up real benefits, a few of which are listed below.
1. Provides extended flexibility
It can feel risky to use open-source code after reading about its vulnerabilities, but the ease and flexibility it gives developers, who can build complex applications on top of code they did not have to write themselves, is hard to deny.
2. Improves developer efficiency
Open-source code saves sprint time for teams working in an agile process, which matters to companies under pressure to deliver solutions quickly to meet customer needs.
3. Enables remote collaboration
Working from home is now routine, and teams rely on remote collaboration. Shared open-source repositories, and the workflows built around them, are a large part of what lets distributed teams scale up for development and back down for maintenance.
Enough reasons to keep using open-source code? Then the only sensible path is to understand the attacks against it and put measures in place to safeguard your data while you use it.
You have probably heard that nothing in cyber security is 100% secure. That is true: as we develop new security tools and measures, attackers advance their techniques in step, and open-source code is no exception.
Now the real question is how are they doing this?
Social engineering:
Consider a contributor to an open-source library such as jQuery. Before a change is accepted, it is reviewed for structural defects, security problems, and so on. The review starts out stringent, but as the contributor earns trust over time it becomes more streamlined and less thorough, leaving room for mistakes. Now suppose an attacker targets a contributor who already has the trust of their peers and persuades them to hand over their repository credentials so the attacker can "help" with updates. The attacker can now push changes under a trusted identity, and the gaps in the relaxed review are exactly what lets a malicious change through. This is a software-supply-chain attack, and its effect is felt by everyone downstream who picks up the next release.
A Salesforce developer could then download a library that carries that malicious change and upload it as a static resource. The payload could be a trojanized build, a backdoor, or a script that logs keystrokes and form input, and because the resource is served to every visitor of the site, it opens the whole Salesforce Digital Experience to attack.
Structural Integrity:
The second risk is one of scale. Once an exploitable flaw is found in an open-source component, it can be exploited everywhere that component is deployed, which makes popular libraries a target for mass exploitation. If you have uploaded the same library as a static resource across several sites, one flaw exposes all of them, and each copy has to be found and patched separately.
A malware incident caused by a flaw in a static resource can be devastating for a business, and the stakes are higher than they first appear: Salesforce Digital Experiences serve not only customers but also partners and employees, and they hold data about and for all of them. All of that sensitive data is exposed by a vulnerability in an asset that is served to every visitor. That is a sobering thought.
How to Overcome Risks Associated with Open-Source Assets
It is clear that open-source code is essential for Salesforce developers; we cannot skip it even knowing its risks. So what can we do?
Writing everything in-house and leaving open source out entirely is not a long-term solution. What is needed is to understand the risk and manage it. Below are a few measures that reduce the risk of using static resources while keeping your data safe.
1. Follow strict open-source protocols
The flexibility open-source code gives developers is unmatched. Since open source is vital to you, put every library through a security review before it is allowed into Salesforce: check what the code does, where it came from, and whether it is an unmodified current release, then record the approval, including the exact bytes that were approved, so that only reviewed code is uploaded as a static resource.
2. Implement a Strict DevOps Deployment Process
A strict review process is not enough on its own. Code that was never reviewed can still reach a production environment. That is why you must also enforce strict deployment procedures with additional review gates, so that only code that has actually passed review makes it into production.
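The two steps above, reviewing a library and then gating deployment on that review, can be tied together with an approved-resources manifest. The following is an added example and not code from the original article or from any vendor tool. It assumes an SFDX source-format project in which static resources live under force-app/main/default/staticresources/, and a manifest (built when the security review signs off) that maps each file's relative path to the SHA-256 of the reviewed bytes. Any file not in the manifest, or whose hash has changed since approval, blocks the deployment; as an extra, it reads the version banner of a common library and compares it with a policy minimum (the banner table and the 3.5.0 minimum are placeholders to be replaced by your own review records):

```python
"""Pre-deployment gate for Salesforce static resources (added example).

Run in CI before `sf project deploy` (or any deployment step):
    python gate.py force-app/main/default/staticresources approved-resources.json
Exit status 1 means at least one file is unapproved, modified, or outdated.
"""
import hashlib
import json
import re
import sys
from pathlib import Path

# Descriptor files for the Metadata API; they are not code that runs in a browser.
METADATA_SUFFIX = ".resource-meta.xml"

# Placeholder version policy: banner pattern -> oldest version the review
# process still accepts. Real minimums belong in your own review records.
VERSION_POLICY = {
    "jquery": (re.compile(rb"/\*!\s*jQuery v(\d+)\.(\d+)\.(\d+)"), (3, 5, 0)),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the exact bytes; this is what the manifest records at approval time."""
    return hashlib.sha256(data).hexdigest()


def dotted(version) -> str:
    return ".".join(str(n) for n in version)


def banner_version(data: bytes):
    """Look for a known library banner in the first 512 bytes; return (lib, version) or None."""
    head = data[:512]
    for lib, (pattern, _minimum) in VERSION_POLICY.items():
        match = pattern.search(head)
        if match:
            return lib, tuple(int(g) for g in match.groups())
    return None


def check_files(files, manifest):
    """Gate a set of static resource files against the approved manifest.

    files:    {relative path: file bytes}
    manifest: {relative path: sha256 hex of the bytes the reviewers approved}
    Returns a list of (code, path, detail); an empty list means the gate passes.
    """
    findings = []
    for rel in sorted(files):
        if rel.endswith(METADATA_SUFFIX):
            continue
        data = files[rel]
        digest = sha256_hex(data)
        approved = manifest.get(rel)
        if approved is None:
            findings.append(("UNAPPROVED", rel, f"not in manifest (sha256 {digest})"))
        elif approved != digest:
            findings.append(("MODIFIED", rel, f"sha256 {digest} differs from approved {approved}"))
        found = banner_version(data)
        if found:
            lib, version = found
            minimum = VERSION_POLICY[lib][1]
            if version < minimum:
                findings.append(("OUTDATED", rel,
                                 f"{lib} {dotted(version)} is below policy minimum {dotted(minimum)}"))
    return findings


def check_directory(root, manifest_path):
    """Read every file under the staticresources directory and the JSON manifest, then gate them."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    manifest = json.loads(Path(manifest_path).read_text())
    return check_files(files, manifest)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: gate.py <staticresources dir> <approved manifest json>")
    problems = check_directory(sys.argv[1], sys.argv[2])
    for code, rel, detail in problems:
        print(f"{code:<10} {rel}: {detail}")
    sys.exit(1 if problems else 0)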
3. Use trusted malware mitigation tools
As malicious actors and hackers attempt to exploit web apps and applications, technology brings us new ways to secure our systems and data. One way here is to use a trusted tool to scan and mitigate malware before it does any damage. One such tool is EzProtect, the only virus scanning application for Salesforce that supports scanning of static resources in Salesforce.
To learn more about scanning threats, learn about EzProtect, which is one such tool designed by experienced Salesforce professionals to scan threats like ransomware, virus, malware, etc., embedded in an open-source code. EzProtect is the state-of-the-art solution to enable cybersecurity in your company for your Salesforce environments, enabling developers to access open-source code while being able to detect and remove vulnerabilities from Salesforce.
If you are concerned about your data being exposed or unsafe, Book a FREE Salesforce security assessment, to see if you are at risk.