Top 3 Salesforce security risks to check in 2024: A deep dive

In this article, we join forces with Salesforce Consulting Partner, Tenger Ways, to explore the critical aspects of Salesforce security that every business leader should be aware of and provide actionable insights on managing out-of-date installed packages, custom code vulnerabilities, and data access risks. 

Security isn’t merely a requirement; it's a strategic imperative. For businesses relying on Salesforce, protecting sensitive data is non-negotiable and stands as the cornerstone of stability and trust. Unfortunately, according to recent data, it’s highly likely that your Salesforce org is at risk.

“Today, the phrase ‘data is the new currency’ has never rung truer. For IT leaders, safeguarding this currency demands constant monitoring and innovation.”

— Mike Bogan, Co-Founder Hubbl Diagnostics 

A failure to comprehend the security implications of customizations in your Salesforce org could result in disaster. These customizations impact data protection, compliance with regulations, risk mitigation, business continuity, cybersecurity defense, reputation, resource efficiency, scalability, and future-proofing. Understanding these implications is essential for safeguarding sensitive data, meeting regulatory requirements, and securing your organization's reputation and future success.

1. Updating installed packages 

We all have, and update, apps on our mobile phones. If you run your business on Salesforce, you likely have installed apps (packages) to help run your business.

Installed packages can pose significant risks if not managed diligently. Recent findings indicate that 99% of Salesforce organizations have installed packages with newer versions available, highlighting the widespread prevalence of this issue. This makes sense because, before Hubbl Diagnostics, there was no way to automatically know whether your packages are out of date. 

According to Tenger Ways and their Tenger Fitness for Salesforce program, out-of-date installed packages can have significant consequences for your org, affecting both security and performance:

• Security: 15% of all custom code security issues come from installed packages. Managed package updates often include security enhancements and fixes for vulnerabilities. By staying up to date, you ensure that your Salesforce instance is protected against potential security threats and data breaches.
• Bug fixes: Updates address known bugs and issues, improving the stability and reliability of the managed package. This helps prevent system crashes or unexpected errors that can disrupt your business operations.
• Compatibility and performance: As Salesforce evolves, older versions of managed packages may become incompatible with new Salesforce features or updates. Keeping packages current ensures that they work seamlessly with the latest platform changes.
• Compliance: Managed packages may include features designed to help organizations comply with specific regulations or standards (e.g., GDPR, HIPAA). Staying updated ensures you are aligned with current compliance requirements.
• Long-term viability: Neglecting package updates can result in dependencies on outdated technology. Over time, this can lead to technical debt, making future updates and migrations more complex and costly.
• Avoiding customization workarounds: If a package is not updated, users might resort to creating custom workarounds to address issues or lack of functionality. This can lead to a messy and inefficient system that's difficult to maintain.

Installed packages security recommendations

1. Incorporate package review into your business process: As a practice, identify out-of-date installed packages at least once per quarter.
2. Automate out-of-date package identification: Leverage Hubbl Diagnostics’ free solution to automatically check installed packages against a comprehensive database of package versions, ensuring you have access to the latest version of your packages.

2. Reviewing custom code

Custom code, the engine driving innovation in Salesforce, also presents significant security challenges. With an average of approximately 2000 custom code security issues affecting each Salesforce org, businesses must take a proactive stance in safeguarding their digital assets.

Custom code vulnerabilities pose severe risks to your organization. Example threats include:

• SOQL Injections: This vulnerability in code allows hackers to manipulate the SOQL query to execute any command they want to run. This is critical to address as it can provide hackers unauthorized access to your data.
• Cross-site scripting (XSS) vulnerabilities: XSS occurs when a hacker can inject malicious scripts into a web page viewed by others. Uncovering XSS vulnerabilities from URL parameters in your Apex code is critical to reduce your site vulnerabilities.
• Improper Authorization: Apex code that grants excessive privileges to users, or code, does not properly validate user inputs. Highlighting these issues in your code reduces potential authorization issues.

Maintaining updated custom code in Salesforce is vital to ensuring security, platform compatibility, performance, and long-term viability. It also enables you to stay current with new features, adapt to changing business needs, and remain compliant with evolving regulations. The Tenger Fitness for Salesforce program evaluates custom code along the following vectors:

• Security: Outdated custom code may contain vulnerabilities or security gaps that could be exploited by malicious actors. Regular updates help address these issues and strengthen your data and application security.
• Scalability: As your business grows, custom code may need to adapt to new requirements. Updated code is more flexible and scalable, making it easier to accommodate evolving needs.
• Support and maintenance: Developers and third-party vendors are more likely to offer support and assistance for the latest code versions. If you encounter issues or need assistance, having up-to-date code improves your chances of receiving help.
• Reduced technical debt: Continually updating code avoids the accumulation of technical debt, making your Salesforce environment more manageable and sustainable over time.
• Enhanced user experience: Up-to-date code provides a better user experience, with fewer errors and faster load times. This can lead to increased user satisfaction and productivity.
• Innovation: Keeping custom code updated allows you to take advantage of new technologies and best practices, fostering innovation within your organization.

Custom code security recommendations:

1. Review development best practices: Work with your Admin and Development teams to ensure they’re following the Salesforce Well-Architected best practices for custom development.
2. Review past development: With that framework in mind, review past development to understand whether critical security risks exist. Leverage Hubbl Diagnostics to kickstart your review for free.

3. Auditing profile and permission sets

Today, the question isn't merely who accesses your data; it's about ensuring the right people do so, securely and with purpose. Recent research underscores a concerning reality: the average Salesforce org grants expansive data access rights, with 24 assignments allowing users to ‘Modify All Data’ and an additional 20 assignments enabling data export. The implications of these access levels are far-reaching, impacting the core of your organization's integrity.

The ‘Modify All Data’ permission, in particular, grants users extensive powers, touching areas from lead conversions to quota overrides. It's the linchpin of your data security strategy. Salesforce's strategic shift, discontinuing permissions on profiles by Spring '26, underscores the urgency for organizations to reevaluate their data access protocols.

Understanding the security applied through profiles and permission sets in Salesforce is a top priority. According to Tenger Ways and their Tenger Fitness for Salesforce program, your analysis should consider:

• Sensitive data access: Profiles and permission sets define who can access what data in your Salesforce org. Understanding these permissions helps you ensure that sensitive data is only accessible to authorized users, reducing the risk of data breaches and privacy violations.
• Compliance: Many industries have strict data privacy and compliance regulations. Proficiently configuring profiles and permission sets ensures that your Salesforce org aligns with these regulations, reducing legal and financial risks.
• Data integrity: Effective access control prevents users from making unauthorized changes to critical data. This safeguards data integrity and accuracy, ensuring that your Salesforce database remains reliable.
• Audit trails: Understanding how permissions are set up helps you track and audit user activity in Salesforce. You can monitor who is accessing and modifying data, aiding in security incident investigations and compliance reporting.
• User productivity: Properly configured permissions provide users with the necessary access to perform their tasks efficiently. This results in higher user productivity and satisfaction.
• Resource efficiency: Effective permissions management can lead to resource efficiency. By restricting access only to what's needed, you can minimize the risk of mistakes and reduce the time and effort required for data corrections.

Data access recommendations:

1. Data access audit: Utilize Hubbl Diagnostics to conduct a thorough audit of profiles and permission sets, identifying access gaps and potential security risks.
2. Define access policies: Clearly define who within your organization should have access to critical data. Establish policies that align with both security best practices and regulatory requirements.
3. Migrate to permission sets: Transition from relying heavily on profiles to adopting permission sets. Salesforce’s impending shift emphasizes this migration, ensuring future-proof data security strategies.

Leveraging metadata decision-making to drive security and growth

As we conclude this deep dive into Salesforce security risks in 2024, the message is clear: safeguarding this invaluable currency is not just a task but a strategic imperative. 

When you make changes to your Salesforce platform, it becomes your responsibility to fully grasp the implications of these modifications. In other words, you need to understand how your changes will affect the entire system. This is important because any alterations you make can have far-reaching consequences. In Salesforce, you must consider how your changes impact data security, user access, and overall functionality. By taking this responsibility seriously, you ensure that your Salesforce system remains secure, efficient, and aligned with your organization's needs. 

Tenger Fitness for Salesforce can help. Through this two-week program, you’ll be empowered to truly understand your Salesforce foundation. More than a health check, Tenger Fitness is an in-depth analysis of your Salesforce platform, helping you identify security flaws, obstacles to adoption and efficiency, development effectiveness, and other risks, issues, and opportunities for optimization. 

As you navigate the challenges of out-of-date packages, custom code vulnerabilities, and data access, remember: by embracing innovation, fostering a culture of security, and leveraging the expertise of trusted partners, you can not only navigate the complexities of data security with confidence, but also use it as a catalyst for your organization's growth and success.

Here’s to a secure digital future, one informed decision at a time!