Cyberattacks are becoming rampant day by day and the data breach cases have escalated over 15 million in the 3rd quarter of 2022 alone. These statistics are not only shocking but also a big threat to the confidentiality of any organization’s data. As a Salesforce Instance carries all kinds of sensitive information about your organization, customers, and partners. Any vulnerability in the system can put your data and files in danger. Therefore, it is high time to invest in a Security Health Check.

Like your regular body checkups, Salesforce also needs to stay efficient and perform at its best. With a Security Health Check, you can know the health score of your Salesforce Org The better the score, the lower the risk of security concerns. But what exactly is Security Health Check and how to perform it on Salesforce Instance? Learn all the details about it by diving deeper into this blog.

What is a Security Health Check and Do You Need It?

From easy customization to countless third-party apps, Salesforce offers many things that an organization depends on. But with all facilities, the spectrum of security control also widens. Fortunately, Salesforce has come up with a native solution called Health Check, which keeps the security of your Org intact.

In simple words, a Health Check identifies all vulnerabilities of your Salesforce Instance and analyzes the efficacy of the system. It rates the overall health of your Org and provides score from 0 to 100. Moreover, it will give you recommendations to enhance your score. However, if you think your Instance doesn’t need a security check, here are some scenarios when going for a Health Check becomes necessary.

• Long-term Gap after Salesforce Implementation: If your Salesforce has been implemented over the past six months or your business has already evolved a lot, then you need a security check.

• Changing Security Needs: There is no denying that organizations change with time. Likewise, security needs change too. By fixing the vulnerabilities in the security settings, you will lower the risk of a breach.

• Having Complex Data: Be it marketing or sales, most organizations use Salesforce as their go-to tool. But as they grow, the complexity of the data shoots up, as do the chances of error. With a regular security health check, you can eradicate the possibilities of vulnerability.

• Low Operating Efficiency: Not getting the results from Salesforce as you expected? Then, you should evaluate whether you are leveraging the capabilities of Salesforce correctly. Every now and then, Salesforce releases new features, and a complete health check will ensure all functionalities remain up-to-date. It is best if you do a security health check every three to four months.

• Data leaks in your Salesforce Digital Experiences: Poor coding practices, and/or improperly configured settings could lead to opening your Salesforce Digital Experiences to attacks.

Matt Meyers, a Salesforce CTA from EzProtect will be demonstrating in a session at Cactusforce exactly how an attacker could hack a Salesforce.digital experience to steal customer data 

Benefits of Performing a Security Health Check for Salesforce Instance

It is imperative that your business growth aligns with the Salesforce Org and the data stored in it. Salesforce administrators have to make sure the complexity in settings should not give room for errors or challenges. This is where periodic Health Checks act as a helping hand.

More benefits of doing security Health Check of Salesforce Instance include:

• The overall security of your Instance starts improving with Health Check. You can identify which settings are necessary and make changes quickly.

• With the report of Health Check, pinpointing the vulnerabilities is easier.

• It keeps the custom applications safe by securing the Org on which the app runs.

• Regular security checking helps streamlining new technology deployments.

• Health Check boosts the system efficiency, thus increasing the ROI.

• Productivity and the user adoption rate increases largely with security checks.

Methods to Perform a Security Health Check for Salesforce Instance

When it comes to the Health Check tool, Salesforce gives administrators complete control. They can analyze the health of their Salesforce instance by simply scanning the security settings. After finding out all the vulnerabilities and risks, they can resolve all the issues in just one go. Want to know more about it? Keep reading to learn the easy steps for performing a Salesforce Instance security Health Check.

Step 1: Create a Custom Baseline

You may already find various risk level recommendations in the Salesforce Baseline Standard option. But if you want to create a new customized baseline for a security check, the solution allows up to five baselines. For any industry that is highly regulated, meeting the compliance requirement is a must, and here, a custom baseline helps you a lot.

Follow the process to create a customized baseline

1. The first step begins with exporting the baseline. Go to the Baseline Controls menu and click on the Export Baseline option.

2. The administrators now have to use the text editor for editing the XML file. In this process, they can make adjustments in the category of risks to customize the scoring pattern. However, you cannot modify certain restricted value options.

Also, keep in mind not to delete or add risk categories, quotation marks, or names, as these can result in the import failing.

1. After saving the file, you have to import it, and the guidelines to import Baseline are similar to the export ones. But here you have to click on the Import Baseline.

2. A dialog box pops up on the screen after importing the file, and here you have to name the baseline. It allows special characters and spaces as well.

3. Now provide an API name for the baseline, but it should not have special characters or spaces, and your custom baseline is ready.

4. If you set your new Baseline as default, the Baseline will appear in the dropdown menu after the completion of import stage.

Step 2: Run the Health Check Scan

Now that you have opted for the custom baseline, go to the Salesforce Org and log in. Then, click on the setup menu in the Security Settings and there you search for Quick Find box. Once you get the box, choose Health Check. In every section, you can find an Edit link that allows you to make changes in the settings and set it to the standard value.

Step 3: Know the Score and Status

After running the Health Check, a health score is produced on the screen, which provides recommendations about the Instance’s vulnerabilities. It showcases the score on the basis of percentage. If the score is

• Less than 55 percent: Very Poor

• Between 55 and 59 percent: Poor

• Between 70 and 79 percent: Good

• Between 80 and 90 percent: Very Good

• From 90 to 100 percent: Excellent

The baseline also provides certain values describing the amount of risks your system possesses. It has four categories representing High, Low, and Medium risk as well as Informational Security Settings.

Step 4: Flags and Recommendations to Look for

Along with the categories of risk, it shows Critical, Complaint, and Warning signals to prioritize items that need to be fixed first. If there is any violation of restrictions, the tool will display a high-risk vulnerability flag. Hence, you will look into the risk quickly and mitigate it. Some other flags that the Health Check app may include are:

• Setting the complexity of the password

• Clickjack protection

• Forced logout after session timeout

You can also see some recommendations like Session Settings, Password Policies, and Network Access.

Step 5: Fixing Risks

Once you run the Health Check scan, all your issues come up on the screen. You just need to click the "Fix Risk" option to modify all the settings to the suggested value. However, do not change all settings at once as you may accidentally delete important ones. First, test it in the sandbox and then make changes individually.

Best Practices to Improve Salesforce Instance Data Security

1. Turn On the Private Button for External Access: Keep the default settings restrictive and provide access to the necessary ones.

2. Data Backup is a must: A backup of the system’s data helps in restoring all important information in case of an attack. This also prevents financial loss when there is downtime.

3. Go for the File Upload and Download feature: Salesforce has designed an amazing security setting called File Upload and Download, which restricts the user’s access to upload or download risky files.

4. Try Salesforce Sandbox: For verifying untested codes and experimenting with various variables, Sandbox is the right environment.

5. Choose XSS and Clickjack Protection: Enabling Cross-Site Scripting or XSS and Clickjack protection prevents users from accessing malicious scripts or links.

6. Update Your System to the Latest Version: Every technology evolves, and so does Salesforce. With regular updates, the chances of attack from new malware or threats diminish.

A security health check is not something to be taken lightly. The main goal of performing a health check more often is to identify risks in Salesforce Instance and resolve them faster. Everyone wants a high ROI, and it is only possible with a highly efficient system, which a Health Check can provide. In short, follow best practices and fix the gaps or vulnerabilities in your Salesforce Instance to get the best results.

Salesforce doesn’t scan files uploaded for viruses. Even with all the proactive protections that Health Check provides, you are still open to attack if you allow users to upload files in Salesforce.

Salesforce Digital Experiences are especially vulnerable since most times, user whom you do not trust or control their devices are free to upload files. Those files are then passed along to your internal teams and, at times even worse, your customers and partner.

EzProtect helps to close the gap, giving you peace of mind that you are protected from viruses and other threats in Salesforce.

If you are concerned about your data being exposed or unsafe, Book a FREE Salesforce security assessment, to see if you are at risk, or better yet, come visit us at our booth at Cactusforce.

If you are a Salesforce user, you would know that is a valuable business tool. What you may not know is Salesforce is storing gigabytes over gigabytes of private data of your users, customers, and partners. As exciting as it sounds, it could be dreadful when a single data breach can threaten the reputation of your business.

Did you know that 60% of all small business go out of business after just a single attack, and in the US a single attack on average, costs a large enterprise over 9 million, and that doesn’t even include the cost to repair your reputation after an attack.

With the dawn of remote work, there has been a significant increase in companies using Salesforce to enable business mobility. But with more and more Salesforce adoption, there’s also a need for adopting cybersecurity measures to ensure the utmost data security.

The speed at which Salesforce is being adopted comes along with companies overlooking the safe utilization of CRM. They tend to overlook the facts associated with Salesforce security, keeping their data exposed to vulnerabilities. 

Salesforce is an inviting target for hackers, and while the platform is reasonably secure, making it robust depends upon the internal efforts taken by each company. Still, organizations usually miss out on giving attention to this aspect.

Mistakes that could Threaten your Data in Salesforce

If you are a Salesforce user, data security is something you should always be thinking about. But are you making the necessary efforts to protect yourself and your company? If you just said yes, maybe you’d should read through the points mentioned below to check if you are actually doing it right.

1.   Depending Entirely on Salesforce for Security

Experienced security professionals do not entirely depend on Salesforce to protect their data. What’s required here is to understand that maintaining data security in Salesforce is a shared responsibility.

According to the 2020 State of Salesforce Security Report, research conducted by OwnBackup states that companies sometimes create vulnerabilities while developing customized applications through unique use cases. This is something Salesforce itself will not be able to protect completely.

2.   Not Classifying Data

Salesforce users should know that not all data is the same, so different attempts must be made to secure data at different levels. Users overlook classifying their data, thus failing to evaluate what data is essential to protect. Companies must have explicit and real-time knowledge about the data they maintain in their Salesforce org. 

Not classifying data would lead users to implement numerous random protective measures that might not even target the security of the data, which was at high risk. Blindly adding measures would create a mess without delivering the expected security.

Salesforce offers data classification features that help you to classify and secure your more sensitive data.

3.   Misconfigured APIs

Some of the security issues in Salesforce originate because of Salesforce API misconfiguration. Even though it’s quite relevant to maintain a keen eye on the data coming in and out of Salesforce, users still tend to miss out on paying attention to the APIs.

According to research by SANS Institute, attacks due to APIs are increasing, which is why companies are worried about data being exposed due to API configuration mistakes.  

4.   Not Broadening your Security Effort

Many Salesforce security issues in companies are faced as people cannot take ownership of the security at their firm. Organizations fail to emphasize building security awareness among the internal teams and implementing a standard Salesforce usage policy to ensure all employees are using the platform safely.

Not only this, but there has also been a lack of effort to enable visibility of the risk exposure of SaaS applications, as companies fail to integrate their CRM with their monitoring and response plans. That’s mainly because users are not making the most of Salesforce Shield and the different logging capabilities brought up by Security Information and Event Management (SIEM), which can help to enhance Salesforce data security.

All these points might have made you wonder if your data is actually secure in Salesforce. You may be overlooking these points, which could put your sensitive Salesforce records at risk. With all the work on the plate, it’s quite easy to miss out on additional measures you could take to secure your data in Salesforce.

So, while you are focused on developing and customizing Salesforce solutions or using them to manage your operations, it’s essential to stop for a while and access the data security to take the needed steps before something goes wrong.

Salesforce Data Security Best Practices You Can Follow

So far, we’ve realized that Salesforce has some issues when it comes to cybersecurity, but that doesn’t mean we can’t do anything about it.

While Salesforce is making continuous attempts to make the platform secure for its users, we can also follow some best practices to ensure data security. So, let’s look at some best practices you can follow to enhance Salesforce security.

1.   Enable Multi-Factor Authentication

According to research, 90% of data breaches are phishing attacks, making it essential for companies to protect their data against third parties. Even if you ensure proper training of your employees to follow a standard usage approach, it is the human tendency to make mistakes. This is where Multi-factor Authentication can be helpful.

Enabling MFA within the organization can secure you from such attacks, as even if the attacker has the username and password, it will not matter. The person can get into Salesforce org without confirming the identity with authentication through a mobile phone or any security key.

2.   Tackle User-Introduced Weakness

It is essential to secure the last layer, which is user-facing. This includes having insecure settings of the org or having weak passwords. Although these points don’t seem very prominent, they require much attention when ensuring complete data security.

What’s needed here is to set up a strong password policy in the organization. It will enable your employees to set passwords that can’t be easily guessed or cracked.

Salesforce recommends the following points as minimum strong password policies:

●      The password must include 3 of the following: uppercase letters, lowercase letters, numbers, and special characters.

●      The password must have a minimum length of 12 characters.

●      The user should set the password history as ‘24 passwords remembered’.

●      Set passwords will expire at least every 90 days.

You can ensure additional security policies too that you want to be followed in your firm to better last-layer protection.

3.   Conduct Salesforce Security Health Check

When you want to keep your Salesforce org shielded from attacks, it is essential to identify loose ends and fix problems immediately. That’s something Salesforce Health Check makes possible.

Salesforce provides a recommended baseline standard to ensure your Salesforce org is secured from potential threats. Your health check score will denote how secure your org is. It will also help you identify areas where security can be at risk, so you can pay attention before anything goes sideways.

4.   Set Privileged-Based Access

Salesforce allows you to set privileged-based access so that authorized people would have permission to access the Salesforce environment.

Salesforce simplified maintaining security by setting up a data security model, breaking it down into four layers through which administrators could set rules and access levels for the different users accessing the org.

5.   Focus on Data Storage and Backup

Salesforce, as a CRM, is quite vulnerable to ransomware attacks. This makes it imperative to maintain regular backups of your data. Maintaining a backup will give you the peace of mind of having complete data with you, even if you face any attack.

Storing data and maintaining regular backups will also preserve your company from any financial loss that might incur due to downtime or extortion. Even during a critical ransomware attack, having a backup maintained will save you from huge losses.

6.   Install EzProtect

Despite all your efforts, you won’t be able to determine when a virus or malicious content enters Salesforce. This is because Salesforce does not scan files uploaded to Salesforce for viruses. To ensure you are protected, all you need is just one tool that could help you catch the virus before any harm is done.

With EzProtect, you can scan files for threats like malware, virus, or ransomware in your system, and block users from accessing any of these files, until they are determined to be safe, thus keeping your Salesforce org safe from cyberattacks.

Wrapping Up

For all the companies using Salesforce, one thing that definitely matters is to ensure complete data security. Still, despite it, they fail to focus on several aspects that could help protect their data. It’s a fact that despite every attempt made by Salesforce to enhance data security, you can’t sit relaxed until you make the needed attempts at your end.

All the steps mentioned above will help you set up a secure foundation for your Salesforce data, saving you from data exposure.

If you are concerned about your data being exposed or unsafe, Book a FREE Salesforce security assessment, to see if you are at risk, or better yet, come visit us at our booth at Cactusforce.

Managing Salesforce security is quite similar to driving a car. Just like there are blind spots that you have to identify while driving, the same goes for Salesforce. Driving safely requires you to pay attention to those blind spots. Similarly, there could be blind spots in your Salesforce as well, which, if not paid attention to, might cause data leaks that can threaten your sensitive information.

Salesforce communities, or what is now called Salesforce Digital Experiences these days is something any Salesforce user would be aware of. It’s one of those features that is highly appreciated for the ease of bringing the entire Salesforce community of customers and partners together.

But as you’re asking questions and sharing data with your customers and partners, do you believe it is safe? Does your data remain within that community, or are there any unknown holes that may cause your data to leak? Something to think about, right?

What Exactly Is the Issue?

“With great power, comes great responsibility”

How are Attackers Exploiting Salesforce Digital Experiences?

A misconfiguration of security in Salesforce Digital Experiences provides attackers with a hole to easily gather sensitive data, which can be inappropriately used for running spear-phishing campaigns at a minimum.

But if you consider the worst-case scenario, this kind of misconfiguration can lead to attackers exploiting weak configuration settings to get access to sensitive business data.

Once an attacker finds a site that they can exploit, they will spend a considerable amount of time gaining forensics about the site. These forensics could be used to perform a multitude of attacks against your Salesforce Digital Experience site, and potentially even gain full access to query, or even update or delete any data in your Salesforce org.

Customers use Salesforce Digital Experiences for business cases such as customer service, subscription management, Covid tracking / healthcare, and loan origination or other financial service handling. Being internet-facing, these sites can be accessed at any time and from any place. Salesforce Digital Experiences are also indexed by Google, making it easy to find, not just by partners and customers, but also by hackers who always keep looking for vulnerable sites.

Salesforce Digital Experiences run on Salesforce Lightning, which is composed of a large number of client-side facing APIs that cannot be disabled. This enables developers to assemble web pages quickly using a drag and drop builder. Most people don’t know that all Lightning Experience pages render every page on load using these client-side APIs. This means that every component, every layout, all the data, and even custom apex code methods are all accessed through these client-side facing APIs.

But…if an unauthenticated user, or even an authenticated user has access to data or to perform actions you normally would not want them to do, they can use these aura APIs to query data, create, update, delete records, or even take advantage of exposed custom apex code to steal sensitive data, or even inject viruses, or other malicious code into Salesforce.

The worst part is there is no way to disable access to these APIs. Even with the “API Enabled” feature disabled, attackers can still access these APIs. This is because this is core to the Lightning Experience in Salesforce. Furthermore, these APIs offer similar capabilities that you get from Salesforce’s Rest or Soap APIs.

These APIs are mostly harmless provided that the user doesn’t have access to operations or data that they normally should not.

What makes the situation more critical is finding vulnerable Salesforce Digital Experience sites for an attack is just a Google search away as there is a specific search in Google you can use that will return pages upon pages of Salesforce Digital Experience sites. An attacker can figure out many avenues to acquire details about such sites and get access through an unauthenticated guest or even as an authenticated user on sites that offer a self-registration option.

Also, if an attacker has more advanced knowledge, he might attack the community's vulnerable custom and third-party components, such as passing parameters to exposed apex methods to take advantage of poorly designed methods that could allow the attacker to retrieve sensitive information or execute malicious operations.

How Is Salesforce Trying to Improve Security for Digital Experiences?

Salesforce is making several changes to guide users to avoid such critical configuration mistakes in Digital Experiences. Salesforce has already removed the ability for guest users of the Digital Experiences to access excessive information. They have also made some changes to make sure that the critical security settings are secure by default. For example, guest user by default cannot own records, and guest users cannot upload files.

There are a few updates that Salesforce brought with its Winter ‘21 release to secure communities for users. Some of these updates included:

●      Reduce object permissions for guest users: The feature will disable different object permissions for guest users like Edit, Delete, View All Data, and Modify All Data.

●      Enhanced security for managed topic images: Before Winter ‘21, Salesforce Digital Experiences tended to store the managed topic images as documents, which were accessible to all, even if the site was private. But with the update, images began to be stored as private.

●      Disabled setting to let guest users see other members: Earlier, the feature for admins to enable guest users to have visibility of other users revealed their PII information. Later with the update, this setting was turned off by default.    

Salesforce is making several attempts to guide users to avoid such critical configuration mistakes in Digital Experiences.. Salesforce has already removed the ability for guest users of the Digital Experiences to access excessive information. They have also made some changes to make sure that the critical security settings are secure by default. For example, guest user by default cannot own records, and guest users cannot upload files.

There are a few updates that Salesforce brought with its Winter ‘21 release to secure communities for users. Some of these updates included:

●      Reduce object permissions for guest users: The feature will disable different object permissions for guest users like Edit, Delete, View All Data, and Modify All Data.

●      Enhanced security for managed topic images: Before Winter ‘21, Salesforce Digital Experiences tended to store the managed topic images as documents, which were accessible to all, even if the site was private. But with the update, images began to be stored as private.

●      Disabled setting to let guest users see other members: Earlier, the feature for admins to enable guest users to have visibility of other users revealed their PII information. Later with the update, this setting was turned off by default.    

What Can You Do To Avoid Attacks On Salesforce Digital Experiences?

Reading about such attacks might make you feel overwhelmed and worried the next time you access Digital Experiences. But it doesn’t have to be that way. Although it’s quite challenging to make Salesforce completely secure for your data, there are a few steps that you can take to keep your communities guarded.

By now, I hope you understand that the more access you give to anonymous guest users and even authenticated users, the more the chances of such attacks will be. So, the key here is to be constantly reviewing and auditing your user permissions, and especially your guest user permissions.

Let’s take a leap here to get onto some points that could be helpful for you to make your Digital Experiences more secure and prevent attacks by unauthorized users.

1.   Set permissions for the guest user profile

One thing that you might have extracted from this post is that you should provide your guest users with access to a minimum amount of data when interacting through the community. So, in order to keep your Digital Experience secure, you need to modify the permissions for the guest user.. Change your settings related to access, and you can also manage field-level security for controlling user access at a granular level.

2.   Enable secure access to the guest user record

You have to secure the default access setting for guest users. Look for Sharing Settings in the Setup and then find Secure guest user record access. Make sure the setting it’s checked. With the release of Summer ‘20, Salesforce even disabled the setting to grant users permission to View All Users.

3.   Disable API access

We’ve seen above that an API-led misconfiguration can open a back door for attacks into the Salesforce community. So, it’s essential to disable API access to avoid such attacks. Check that the “API enabled” is unchecked. Also, make sure to disable the “Access Activities” too. (But remember that even with “API enabled” setting is disabled, the Lightning APIs are still accessible.)

You should also continuously monitor sharing roles and permissions for guest and community users. Along with this, make sure that you are keeping track of what records your external users are owning, and what are the security implications of them owning specific records.

4.   Set a default owner for records by guest users

Navigate to the Administration workspace using the site builder. Set up a default owner for records created by guest users under Preferences, and turn off settings to let guest users view the site members.

Wrapping Up

Turning off access for guest users is a decision that might be different for different companies. Sometimes you cannot avoid collaborating in a community, and cannot completely cut off your guest users. But you can be a little more careful of any data you are accessing and sharing to your external users.

Even Salesforce preaches a ‘shared responsibility’ model when it comes to using the CRM and the data safely. Although Salesforce is making more and more efforts with each release to make the CRM more secure and convenient for users, it’s also up to you to follow all security guidelines and implement needed settings for better data security.

Following the basic security guidelines by Salesforce would also help you to be aware of some best practices to keep your Salesforce org secure. Additionally, the points we’ve covered above can help to keep those back doors closed that an unauthorized user with malicious intent can exploit.

If you are concerned about your data being exposed or unsafe, Book a FREE Salesforce security assessment, to see if you are at risk, or better yet, come visit us at our booth at Cactusforce.

The 100% Salesforce-native Provar Manager includes:

• Test planning, design, and documentation

• End-to-end test management

• Holistic manual, automated, unit, and exploratory test result reporting

• DevOps-ready integration

• Defect management

• Reporting and analytics

• The ability to import industry standard test results

• A free trial and test drive

• Free online training

Let’s get into the overview, shall we?

What are Provar Manager’s Key Features?

Among its many capabilities, Provar Manager has three key features geared toward streamlining your testing processes:

Organize

Get your testing under control with a framework for organizing, documenting, storing, and reporting on everything about your tests. Get rid of spreadsheets and build a foundation for integration, automation, analysis, and optimization.

Analyze

Collect, report, visualize and analyze all data related to any test, execution, defect and test resource. Gain actionable insights and improve visibility of test metrics and release quality.

Optimize

Fine tune your entire testing process with a central hub for testing execution, reporting, and analysis, and manage your release risk. Get the information you need to assess candidate release risk, resources required, and change impact.

Who is Provar Manager For?

Wondering if Provar Manager is for you and your team? Here’s a deep-dive into the roles that will get the most from this product.

Testers

• Looking for more flexibility and extensibility

• Seeking speed and automation

• Wanting more connectivity

• Searching for a better way to manage tests

DevOps Engineers

• Using Salesforce-native release management tools

• Who want to include QA testing and reporting in their CI/CD pipelines

• Seeking integrated QA

Business Analysts

• Identifying as a “citizen tester”

• Looking for a platform that is simple to use and understand

• Wanting easy access to, better visibility for, and streamlined communication around reporting and analytics

Developers

• Who only test Apex or LWCs

• Who wonder if changes will break declarative or UI components

• Seeking a faster feedback loop

Admins

• Serving as a do-it-all one-person QA team

• Managing users, integrations, and reporting

• Looking for ad hoc testing optimization

• Mitigating release risk and resource management

Stakeholders

• Who don’t yet have visibility or metrics on QA

• With low confidence that releases won’t break elements in production

• Who want to keep users happy

• Looking for better visibility and increased confidence

What Does Provar Manager Currently Integrate With?

Currently, we integrate with Provar Automation, any Salesforce Org, Jira, Flosum, and Salesforce DevOps Center. You can also upload results using standard file formats such as JUnit and TestNG. Keep checking back to watch the growing list, or reach out today to discuss suggested integrations!

As you’re reading this blog, it is possible that a hacker might be trying to steal the sensitive information on the Salesforce org of your business, planning to encrypt it to threaten you to leak the data unless you pay a hefty ransom. 

Imagine the drastic hit that your sales will take if you can’t access your opportunities, accounts, contacts, campaigns, and more! You’ll feel just like a hostage, worrying about the devastating loss that the company will face, both in terms of reputation and revenue.

According to Symantec, 2015 was a year of nine mega-breaches that led to the loss of half a billion personal records. We always talk about technology improving constantly, then why are businesses still vulnerable to such cyber attacks? Is it the responsibility of businesses to look for ways to prevent their data as hackers are trying more and more to breach the security barriers? Or should we rely on Salesforce to provide more reliable ways to secure data?

The Back Door for Cyberattacks

It’s no news that Salesforce is the #1 CRM globally used by businesses across multiple industry sectors. The CRM has millions of users, integrated through a platform or “community”, interacting with each other to address different business areas like marketing, sales, and customer service. 

Despite being such a popular and trusted CRM, Salesforce does NOT offer its users prevention from scanning attachments, files, or document uploads for malicious content or viruses. 

And that’s not by any mistake. In fact, it’s an intentional design made by Salesforce as no virus-infected code gets executed on the system, just remains stored on the database, waiting for someone to download and execute. 

Salesforce simply relies on its partners to fill in the gaps in terms of functionalities or security. 

Scanning of malicious content is not a core competency of Salesforce, creating world class business solutions is, thus Salesforce chose to focus on creating more business value for their customers than diverting resources to create and support a malicious file scanning solution.

You can not trust Salesforce blindly with full data recovery, not just for scanning viruses. Although Salesforce retired its previous backup settings in 2020 and reintroduced the data recovery features in March 2021, you can only use it as a last resort measure. 

The current Salesforce data recovery service does not offer complete data backup and recovery assistance. This service has many limitations that are to be considered, according to Security Boulevard. Some of these limitations are:

• Salesforce doesn’t guarantee successfully restoring 100% of your data.

• The files that you receive after the recovery process will not include metadata.

• The process of recovering the data can take approximately 6-8 weeks.

• You’ll get the retrieved data in the form of CSV files, which you must manually upload back to Salesforce.

• This data recovery service will cost you $10,000.

So, in short, a manual, time-taking, and costly process, that doesn’t even guarantee full recovery. That’s not what we call reassuring.

The Threat of Cyber Attacks on Salesforce

Sadly, cyberattacks are becoming a more and more common thing. Since the pandemic hit, there has been a 600% increase in cybercrime cases, affecting businesses from nearly every industry sector. And the consequences of these cyberattacks could be severe, ranging from losing sensitive business data to crippling the entire business architecture. 

Not just the loss of data, but cyberattacks also lead to a significant financial impact, causing yearly damages that could sum up to billions. In 2022, the average cost of a single data breach reached a record high of $4.35 million according to IBM.

A CRM platform like Salesforce has millions of users working with high-quality and verified data, including financial information, business details, and other sensitive information. That’s something that makes Salesforce a magnet for hackers. As a business gets hacked, there are always chances that the data held by it will leak, which will not just erode customers’ trust but also cause a loss of millions to the company. 

Cyberattacks on Salesforce can occur due to different threat vectors that you might access on a daily basis. Some of the most vectors are:

• Emails: You might have integrated your Salesforce account with your email management application for better productivity and case management, but you never know when you will end up downloading an attachment within Salesforce that contains any malware.

• Digital Experiences (Communities): It’s common for Salesforce users to share files over Digital Experiences, but if a user’s desktop scanner is not up-to-date, they might upload virus-affected articles, manuals, applications, etc. Sensitive Salesforce data may become accessible to anyone online due to a misconfigured Salesforce Digital Experience site. Objects containing sensitive data, such as customer lists, support cases, and employee email addresses, can be queried by anonymous users.

Learn more about Misconfigured Salesforce Digital Experiences for Recon and Data Theft. 

• Live Chat: Users uploading files on chat in real time can also be a gateway for malicious attacks. 

• API Integration: You can also get a virus to the system while uploading files to Salesforce via external or partner sites. 

• Email-to-Case: Even if you add a random scanner to your email, that might not be as effective as you think. 

• Insecure Coding Techniques: Since object and field level checks are insufficient to prevent SOQL injection, a different approach to SOQL query security is required. A vulnerability subtype known as "blind SOQL injection" allows information contained in a record to be discovered, usually through a veiled signal in the query result.

A Salesforce CTA, Matt Meyers from EzProtect will be demonstrating in a session at CactusForce exactly how an attacker could hack a Salesforce digital experience to steal customer data, you can join this session to learn more about the security in Salesforce.

Salesforce’s Take on Cybersecurity

It is believed that a majority of cases of cyberattacks have happened since the pandemic hit. But even before the quarantines and COVID-19 lockdowns, employees have been bringing their laptops home and working on external networks over the weekend. From using a compromised home network to attackers accessing recycled passwords, numerous reasons could have been causing cyberattacks.

Greg Poirier, an expert in business security technology and Founder of Salesforce Partner CloudKettle, said, “That security issue is not new. What is new is that the volume of attacks and resources, and efforts going into security attacks on at-home employees has increased significantly. What’s happening is people are working way harder in the last year to exploit it. And that’s what makes it more important.”

Considering the situation of increasing cyberattacks, Salesforce also made it mandatory for all customers to use Multi-Factor Authentication to access different Salesforce products, starting from February 1, 2022.

Any CISO will tell you that there is more need to focus on enterprise security than ever, and sometimes businesses fail to prioritize MFA. As the digital world is becoming more connected and complex, no company can risk missing out on MFA and other essential security measures to safeguard data. 

Over the last few years, it has been witnessed that many companies, mainly large enterprises, have been using “connected” multi-cloud-based solutions to offer you a unified view across different segments of the business. Because of this shift, cybercriminals have started using a new attack vector, data warehouses. Due to this shift, organizations are actively increasing their security protocols and solutions, like Salesforce Shield and Mulesoft’s API Manager, which could protect their data from some common attacks.

What You Can Do To Secure Your Data

Everything we’ve covered so far brings us to the question, what can be done to secure our data?

When your sensitive business data is at risk, you just can’t risk missing out on anything. Although you never know when things could take a nasty turn for you in terms of cybersecurity, it is always essential to be ready on your part. 

So, let’s talk about some measures you can take to increase the security of your data on Salesforce.

1. Event Monitoring

You can activate an automatic system in your Salesforce org that will notify you about risky actions like insecure settings or weak passwords. If anything like this goes wrong, Salesforce will notify you and your cybersecurity personnel to fix the problem as soon as possible. 

1. Authentication

Salesforce offers a helpful authentication feature that can be useful. Whenever a user adds his credentials for the login, Salesforce creates a session cookie for it. Salesforce uses an encoded session ID instead of storing the credential information. So, if anyone tries to hack cookies from the browser, they won’t be able to get access to the authentication data of the user.

1. Virus Scanning Tools

As we know, Salesforce doesn’t scan any document you upload for viruses or malicious content; you need an additional tool that will help you scan the files you upload to your org. EzProtect is a reliable tool that will scan your files for malware, viruses, ransomware, or any other threats that can be embedded in the code and can’t be easily detected by random desktop scanners. 

Learn more about the facts you must do now to protect your salesforce data from hackers.

Salesforce has been transformative for your business, but you can only keep making the most of it as long as it’s secure. So, take your first step towards securing your Salesforce data using EzProtect to scan your files for malicious content or threats. 

Want to know more about our solution? Check out our website and learn how EzProtect is just the right tool for you.

Ready to talk? Book a FREE Salesforce security assessment to see if you are at risk, or better yet, come visit us at our booth at Cactusforce.

*This is part two of a two-part series that takes a deeper dive into choosing the right test automation solution for your team’s needs. Part one focused on what you should look for in the technology itself, while part two focuses on looking beyond the technology and evaluating the vendor’s business model.

We want to help you cut through the noise on the test automation market to ensure you choose the quality partner that fits your organization. There are other factors to consider outside the technology; the guide below will provide clarity on what to look for in a vendor’s business model, and what questions to ask to ensure you select the right solution for your team’s needs.

Key Considerations

The key considerations for evaluating a testing solution vendor, beyond its technological capabilities, fall into these categories: 

Now, let’s break this down in a little more detail.

Support

It is imperative that your test automation solution vendor offers ongoing support across a number of verticals. The more willing a vendor is to help their customers in the long haul, the stronger the relationship will become and the more satisfaction and trust you can have in the product.

Here are some questions you can ask to determine the level of ongoing support your team will get:

• After the initial setup consultation, how do you provide continued support to your customers?

• What is your customer retention rate? Do you think your level of support plays into this?

• Do you have an easily accessible online help center, or an area on your website with frequently asked questions? Do you offer a community forum for your customers to ask questions and receive support?

• What happens if I have a question specific to my company’s workflow? How quickly will I be able to connect with an expert from your team? Are you available 24/5 to accommodate my full team’s needs (if global)?

• Are you attending any upcoming trade shows or conferences in my area?

Training

Next we’ll talk about training. A good vendor will prioritize continued education, such as readily accessible courses that users can take on their own time to brush up their skills, as well as continued training through webinars, instructional blog posts, and white papers that take a deep dive into real use cases.

Here are some questions to ask when evaluating how your vendor goes about training:

• Do you have a library of training courses I/my team members can take at our leisure to expand on our product knowledge? What are some of your current course topics? Do you have any courses that will soon be released? How often do you release new courses? Are you available to provide on-site training, and will you provide our partner ecosystem the same level of training and support?

• Do you offer free webinars for customers? What about free webinars for folks outside of your customer base? What are some topics you have covered in the past? Do you have any upcoming webinars that might be relevant to my team’s needs?

• Do you have a blog? How frequently does your company post on its blog? What topics have you covered recently? Do you publish contributions from various members of your team/departments so we can get a wide range of perspectives?

• Do you have a library of white papers available upon request for me/my team members to browse?

Customer Success

Finally, you’ll want to evaluate your test automation solution vendor for its customer success level. A good vendor will have an arsenal of customer success stories for every use case, and they will be happy to share them. Spend plenty of time researching reviews from reputable industry sites, peers, and analysts, and ask the vendor if they can connect you with past and current customers.

Here are some questions you can ask to supplement your research:

• Do you have customer case studies or success stories available for me/my team members to review? Do you have any from my specific industry, or that are using your product in a similar way to how we would be using it?

• When I was researching your company, I noticed that there was negative feedback published on [site] regarding [topic]. Can you speak to this feedback, such as ways your company has improved this area of business? What is your process for receiving feedback and integrating suggestions into future updates?

• Do you have any reviews you could provide from reputable industry review sites, peers, and/or analysts?

• Would any of your existing or past customers in a similar industry, or who have used your product in a similar capacity, be willing to speak with me/my team members and answer a few questions?

* This is part one of a two-part series that takes a deep dive into choosing the right test automation solution for your team’s needs. Part One focuses on what you should look for in the technology itself, while Part Two will focus on looking beyond the technology and evaluating the vendor’s business model.

The guide below will provide clarity on what to look for, as well as what questions to ask to ensure you select the right solution for your team’s needs. We will start by discussing the technology, of course.

The key considerations for a product evaluation of a Salesforce-specific testing solution fall into four categories: 

Let’s break this down in a little more detail.

Test Resilience or Fragility

Salesforce automatically updates its platform multiple times per year, which can cause automated tests to break unless the testing system was designed to operate with Salesforce. And when tests break, you’re in trouble.

Here are some questions you can ask to decide if a test automation solution has the test resilience or fragility you need:

• Can a test created for Visualforce run without modification under Aura (Classic and Lightning)?

• If Salesforce makes a change to the way a page is rendered (changes to the HTML, CSS, Javascript, etc.), will a test continue to work without modification?

• If we make a change to a Salesforce layout, will a test created for the previous page layout work without modification?

• If Salesforce changes an API used in a test, will it continue to work without modification?

Polymorphism and Reusability

The technology that makes tests resilient also enables polymorphism, where a single test can run across numerous contexts, and reusability, which reduces the number of tests you need to create and maintain. Reusable polymorphic tests make for a higher quality solution that evolves more quickly and easily.

Here are some questions you can ask to gauge a test automation solution’s polymorphism and reusability:

• Can I create a single test and run the test for several different user profiles or page layouts without modification or creating additional tests?

• Will a test that I create in English run without modification and without creating duplicate tests in another language like French or Japanese?

• Can a single test run without modification or creation of additional tests across PC, Mac, and mobile users on several different browsers?

• Can a test be used to validate field visibility and accessibility based on user permissions for several profiles/permission sets without modification and without creating additional tests?

• Can a test created in the development environment run without modification and without creating additional tests in the validation or production environments?

Ease of Use and Learning

Ease of use and learning is another big factor to consider in your evaluation. Many Salesforce users are considered “citizen developers,” meaning they may not be experts in programming languages and frameworks. It’s essential that your test automation solution is usable by your entire team so you can deploy your tests with confidence.

Here are some questions you can ask to see if a test automation solution champions ease of use and learning:

• Are test steps added from a Salesforce screen (“right-click to add test step”)? Can you build your test in one location without having to toggle back and forth between multiple platforms or screens?

• Can I add a test step and see the results before adding the next step? Can I step back to remove a prior step? Can I pause and resume a test as I run it?

• If I select a button in the Salesforce user interface and right-click to add a test step, does the test step automatically default to click? Does it default to “set” for an input field? What other default actions should we capture? Does your approach automatically detect the locators, such as elements you want to test, before you test, or do I have to label these elements? When running a test script, do you see the test pass/fail in real time, or do you need to fix it and run it over again to confirm the issue is resolved?

Testing Adjacent Systems

Finally, when it comes to the technology itself, it’s essential that you evaluate a test automation solution’s ability to test adjacent systems. Every Salesforce platform connects to other enterprise systems and custom integration points, so it’s important that your testing solution works well with other systems so that you can test your workflows end-to-end.

Here are some questions that’ll help you evaluate whether your test automation solution is ideal for testing adjacent systems:

• Can I test that a triggered email was sent? Can I test email to case flow?

• Can I verify that a Salesforce action triggered a connected action in an external system, such as creating an invoice in an ERP? Can I verify that an action on our website created the correct records/activities in Salesforce?

• Can I test that an external API has been called from a Salesforce customization?

1. Reducing test maintenance is key to managing Salesforce release schedules 

One of the biggest influences on testing strategy is Salesforce’s release cycles. Salesforce delivers three main releases each year, plus time-based features and weekly patches – and your organization will include them whether you’re ready or not. Depending on what changed, you’re going to need to run anything from simple smoke tests to full regressions. And, if your test automation is flaky, be forewarned that test maintenance can add significant overhead and time to an already tight release cycle. The trick to finding big reductions in maintenance is working with a test automation vendor that can future-proof your Salesforce test automation, delivering release-to-release test compatibility. Remember, every minute spent maintaining a test is a minute not spent on testing, and a delay in getting to a confident decision for the new release.

2. How to build ultra-resilient tests for Salesforce

Here’s one of the key challenges to Salesforce test automation in a nutshell: Salesforce regularly makes changes to how a page is rendered, which directly affects the HTML, CSS, Javascript, and DOM that most test automation tools rely on to build tests. Translated: traditional tests tend to be fragile in the face of Salesforce changes.

The good news: there is another way. Salesforce uses metadata to define the form and structure of its page – page layouts, objects, and field definitions. Metadata changes much less often than the rendered page source, which means tests based on metadata are much more resilient. How testing solutions use Salesforces metadata to build tests is a fundamental engineering choice that affects not only maintenance, but successful adoption by a key testing demographic in the low-code world.

3. How citizen testers are key to accelerating test automation

One of the biggest benefits of the low-code revolution is the tremendous expansion of potential coders and testers. Enter the citizen tester, who might be a user, a business analyst, or subject matter expert. The common characteristic of citizen testers is they are not test coding experts. Citizen testers are on the rise to fill workforce gaps and need tools geared toward their success. That means a short learning curve (days not months), intuitive test building (clicks not code), highly automated ultra-reliable test creation, built-in reusability, and scalability. These tools should cater to the citizen tester while at the same time speed up test building and maintenance for the code-savvy test engineer (the same way low-code development empowered more developers and made application development faster for pro coders).

4. How to make quality visibility a strategic advantage

Without testing and a clear picture of quality, low-code development platforms can enable risk creation (untested business critical software) at a prodigious rate. QA teams need a test management platform that will help them collect, organize, and analyze data throughout the software development lifecycle, add detail and speed to feedback loops, and create a shared view of quality across the business – a “quality hub.” A Salesforce quality hub should support multiple user types and easy customization and integration, and should also take advantage of Salesforce applications and infrastructure. The outcome of a well-executed Salesforce quality hub is organization-wide quality visibility and teams that can rapidly and confidently make decisions for every release, drive continuous improvement, and keep customers happy.

5. What to look for in a Salesforce testing provider

With numerous providers on the market, it can be difficult to identify the testing solution that best meets your team’s needs. Here are some key Salesforce testing features to help narrow the field:

1. Keep up with release velocity in a low-code Salesforce world.

2. Minimize test maintenance to manage three big yearly releases, date-triggered features, and weekly patches.

3. Don’t rely on the DOM. Tests built on something Salesforce regularly changes are bound to be fragile and require lots of maintenance.

4. Empower the citizen tester.

5. Look past simple test management and build a Salesforce quality hub.

Salesforce is a strategic platform for creating and running business-critical applications. Testing tools should be chosen accordingly.

To Wrap Up

Enterprise IT organizations must have a good handle on these five topics to help development and QA teams deliver quality Salesforce releases and apps at speed. Identifying software quality as a strategic advantage, teams can select tooling, build infrastructure, and develop processes to support that goal. The journey won’t be simple or short. Being mindful of the nuances of Salesforce testing and the requirements of citizen testers will pay big dividends. And, Salesforce and its ecosystem offers an amazing breadth and depth of community, training, consulting, and vendor solutions to help any team succeed.

Interested in learning more about how Provar can help elevate your team’s quality journey? Schedule a demo today.