Is your Salesforce custom code housing security risks?
AUTHOR: Mike Bogan, Director of Product Strategy, Hubbl Diagnostics
If you’re reading this article, chances are you write your own code for Salesforce, or work in an org that uses custom code. According to the latest data, that means there is a good chance your Salesforce org has security vulnerabilities that could expose sensitive information, or even give malicious users a way into your system.
Custom code is the most powerful type of metadata. Whether it’s Aura, Lightning Web Components (LWC), Visualforce, Apex, or triggers, custom code provides superpowers to your users. However, with those superpowers comes some risk that must be managed.
Salesforce secures the platform, but the security of your custom code is your responsibility, not Salesforce’s. It’s time to get your security issues prioritized by severity and by the level of effort needed to address them.
Is my Salesforce org at risk?
The simple answer: most likely, yes. According to the 2023 Benchmark Report on Salesforce Optimization, on average, we found that:
The average org has ~2000 custom code security issues.
Visualforce pages have at least one security issue.
33% of Apex classes have a security issue.
20% of Visualforce components and triggers have security issues.
Approximately 10% of custom code in Salesforce orgs is running on API versions >10 years old. Of this, 61% come from installed packages.
“Brand loyalty is based on trust. The health of your Salesforce org is crucial to enhancing the constituent experience and protecting their data. Ineffective and vulnerable orgs can erode constituent confidence, decreasing committed supporters. Ensuring a healthy and efficient org demonstrates respect for constituent time and data, strengthening relationships and increasing revenue and impact.” —John Vega, Nonprofit Portfolio Delivery Lead, Huron Consulting Group
What are the risks to my organization?
Custom code can be an unintended insecure entry point for malicious abuse. The impact of these vulnerabilities can range from the wrong staff gaining access to sensitive data to external leaks of regulated information that can be an existential threat to an organization.
They can take many forms; these are some of the most critical:
SOQL injection: When user input is concatenated into a dynamic SOQL query, an attacker can change the query’s conditions, for example to return records or fields the query was never meant to expose. This is critical to address because it gives attackers unauthorized access to your data.
Cross-site scripting (XSS): XSS occurs when an attacker can inject script into a web page viewed by other users, for example when a URL parameter is rendered unescaped on a Visualforce page. Finding the places where your Apex code passes URL parameters into page output is critical to reducing your site’s exposure.
Improper authorization: Apex runs in system mode by default, so code that does not enforce sharing rules or object- and field-level permissions (a class declared without `with sharing`, or a query that never checks CRUD/FLS) can grant users, or the code acting for them, access they should not have. Code that does not properly validate user input falls into the same category. Highlighting these issues in your code reduces potential authorization problems.
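The three issue classes above, shown as a single Apex controller with each vulnerable method beside its hardened version. This is an added example, not code from the article or from Hubbl Diagnostics; the class and method names are assumed, the Contact object and its LastName and Email fields are standard, and the Visualforce page that would call the getters is assumed rather than shown.

```apex
// Added example (not from the article or Hubbl Diagnostics): one Apex controller
// with each vulnerable method beside its hardened form. Class and method names are
// assumed; Contact, LastName and Email are standard Salesforce object and fields.
public with sharing class ContactSearchController {

    // 1. SOQL injection: the search string is concatenated into the query text.
    // Input such as   %' OR Email != '   rewrites the WHERE clause and returns
    // every Contact the query can see instead of only matching last names.
    public static List<Contact> searchVulnerable(String lastName) {
        String soql = 'SELECT Id, LastName, Email FROM Contact WHERE LastName LIKE \''
                      + lastName + '%\'';
        return Database.query(soql);
    }

    // Hardened: a bind variable is never parsed as SOQL, so the input cannot change
    // the query's structure. 'with sharing' on the class applies record-level sharing,
    // and WITH SECURITY_ENFORCED throws a QueryException if the running user lacks
    // read access to any queried object or field (Apex otherwise ignores FLS).
    public static List<Contact> searchSafe(String lastName) {
        String pattern = lastName + '%';
        return [SELECT Id, LastName, Email FROM Contact
                WHERE LastName LIKE :pattern
                WITH SECURITY_ENFORCED];
    }

    // If the query genuinely has to be built dynamically, escape the quotes instead.
    public static List<Contact> searchDynamicSafe(String lastName) {
        String safe = String.escapeSingleQuotes(lastName);
        return Database.query('SELECT Id, LastName, Email FROM Contact WHERE LastName LIKE \''
                              + safe + '%\'');
    }

    // 2. XSS from a URL parameter: if a Visualforce page renders this value with
    // <apex:outputText value="{!greetingVulnerable}" escape="false"/>, a 'name'
    // parameter of  <img src=x onerror=alert(1)>  runs in the viewer's browser.
    public String getGreetingVulnerable() {
        String name = ApexPages.currentPage().getParameters().get('name');
        return 'Hello ' + name;
    }

    // Hardened: HTML-escape before output (or keep the default escape="true").
    public String getGreetingSafe() {
        String name = ApexPages.currentPage().getParameters().get('name');
        return 'Hello ' + (name == null ? '' : name).escapeHtml4();
    }

    // 3. Improper authorization on DML: Apex does not check field-level security
    // before an update. stripInaccessible drops any field the running user is not
    // allowed to update, so the DML only writes what the user could write themselves.
    public static void updateEmailSafe(Id contactId, String newEmail) {
        Contact c = new Contact(Id = contactId, Email = newEmail);
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, new List<Contact>{ c });
        update decision.getRecords();
    }
}
```

The bind-variable form in searchSafe is the one to reach for first; String.escapeSingleQuotes only protects the string-literal context, so it does not help when the input is used as a field name, an ORDER BY clause, or any other non-quoted part of the query.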
How to identify Salesforce custom code issues
You wouldn’t be wrong for thinking that manually reviewing all past development for custom code issues would be time consuming.
That’s why we built Hubbl Diagnostics, a free monthly org monitoring solution that scans all the custom code in your org to identify security risks as defined by source code analyzers such as PMD (for Apex and Visualforce, whose security category includes rules like ApexSOQLInjection, ApexXSSFromURLParam and ApexCRUDViolation) and ESLint (for Aura and LWC JavaScript). It also helps you identify out-of-date installed packages that may be contributing to your security risks.
Automate prioritization of your risks
Where do I start? Hubbl Diagnostics not only identifies your security risks, it automatically categorizes your risks by severity and level of effort to address. This means that you can quickly filter down to the highest risk/lowest effort issues and get them addressed right away. Recommended solutions for each issue are also provided.
Mitigate the risks of Salesforce custom code
So, you’ve come to the realization that you may have some security risks. Now what? We recommend the following:
Review development best practices: Work with your Admin and Development teams to ensure they’re following the Salesforce Well-Architected best practices for custom development.
Review past development: With that framework in mind, review past development to understand whether critical security risks exist. Leverage Hubbl Diagnostics to kickstart your review.
Update out-of-date installed packages: Package updates are the only way to fix issues in code you do not own, and they address a large share of the old, at-risk code noted above (61% of the code running on API versions more than ten years old came from installed packages).
Track your progress: Hubbl Diagnostics allows you to monitor your org monthly. Show up at your next review with executive-level visuals that quickly explain the progress you’ve made.
How secure is your Salesforce org?
Custom code is a powerful tool that can provide significant benefits to your users. However, it also comes with significant risks that must be managed. By following the best practices outlined above and leveraging tools like Hubbl Diagnostics, you can help ensure that your custom code is secure and your organization is protected from potential security breaches.