Salesforce has experienced massive growth over the last few years and now ranks 137 on the Fortune 500. Simply put, it’s hard to ignore the impact Salesforce has had on the enterprise application market. Yet few seem to realize that there is a great deal of third-party development and customized code on the Salesforce platform, and with that code comes potential cybersecurity concerns.
While the company takes great pride in what it calls its “secure, scalable cloud platform,” the word “secure” becomes harder to sustain once customers are able to add custom code to that platform. Further complicating the “secure” argument is the fact that numerous tools exist to create custom applications that run on Salesforce, and many of those tools offer low-code/no-code capabilities.
Seattle-based DigitSec offers a solution to that custom development cybersecurity conundrum in the form of DigitSec S4, an application security testing platform designed for Salesforce.
A Closer Look at S4 for Salesforce
The S4 (short for SaaS Security Scanner) platform brings many application security testing tools to the world of creating secure code for custom Salesforce development.
The platform brings together SAST (Static Source Code Analysis), IAST (Interactive Runtime Testing), and SCA (Software Composition Analysis). This creates a unified offering that automates much of the heavy lifting associated with verifying the security of code and installed applications.
What’s more, the platform incorporates features such as cloud security configuration review, integration into CI/CD pipelines via numerous DevOps tools, and platforms that ease the chore of fixing security bugs.
A view of the S4 security dashboard.
Hands on with DigitSec S4
S4 was designed to delve deep into the security posture of a Salesforce implementation. While that may be an oversimplification of S4, it does encapsulate the overall definition of the product. It runs in the cloud and does not require any dedicated on-premises infrastructure or complex provisioning (although private cloud and enterprise install options are available). That means users can get up and running quite quickly.
Further easing adoption of the S4 platform is its ability to integrate into CI/CD platforms, which makes DevSecOps practical for most any shop that already uses DevOps. Integration into CI/CD pipelines also supports agile processes and, in some cases, waterfall-based development projects.
Source Code Security Analysis
S4 incorporates a static application security testing (SAST) engine, which automatically scans Salesforce source code (i.e. Apex, Visualforce, Lightning Web Components, Aura) to identify any security vulnerabilities.
When first run on newly ingested code, S4 creates a baseline of findings that identifies critical vulnerabilities. The code scanning engine uses multiple techniques to identify actual vulnerabilities while avoiding the false positives common with general-purpose code scanners.
Each finding is further validated and the S4 platform creates a discovery report, which offers examples of why the vulnerability is a true positive. Additionally, the platform incorporates methods to detect injection flaws and other vulnerabilities that are not always obvious to even the most seasoned DevSecOps staffer.
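To make concrete the kind of Apex injection flaw a SAST rule reports, here is an added example that is not part of this article or of DigitSec’s product. It is a hypothetical Apex controller (the class and method names are assumptions) showing dynamic SOQL built by string concatenation next to two hardened forms.

```apex
// Hypothetical controller, added for illustration only (not S4 or article code).
public with sharing class ContactSearchController {

    // Vulnerable: caller-supplied text is concatenated straight into dynamic
    // SOQL, so a value containing a quote can change the query's structure.
    // This is the pattern an Apex SAST rule for SOQL injection flags.
    @AuraEnabled(cacheable=true)
    public static List<Contact> searchUnsafe(String lastName) {
        String soql = 'SELECT Id, Name FROM Contact WHERE LastName = \''
                    + lastName + '\'';
        return Database.query(soql);
    }

    // Hardened: a static query with a bind variable. The runtime passes the
    // value separately from the query text, so it is never parsed as SOQL.
    @AuraEnabled(cacheable=true)
    public static List<Contact> searchSafe(String lastName) {
        return [SELECT Id, Name FROM Contact WHERE LastName = :lastName];
    }

    // Hardened, dynamic form: when the query text must be assembled at runtime
    // (here a field list chosen by a Boolean, not by free text), bind the user
    // value by name with Database.queryWithBinds (API 57.0 and later) and run in
    // user mode so the caller's object and field permissions are enforced.
    @AuraEnabled(cacheable=true)
    public static List<Contact> searchDynamicSafe(String lastName, Boolean includeEmail) {
        String fields = includeEmail ? 'Id, Name, Email' : 'Id, Name';
        String soql = 'SELECT ' + fields + ' FROM Contact WHERE LastName = :lastName';
        return Database.queryWithBinds(
            soql,
            new Map<String, Object>{ 'lastName' => lastName },
            AccessLevel.USER_MODE
        );
    }
}
```

The `with sharing` keyword on the class is the other half of the story: it enforces record-level sharing rules, which is the access-control check a scanner would otherwise report as missing even when the query itself is injection-safe.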
Software Composition Analysis
The S4 platform uses software composition analysis (SCA) to discover exploitable software libraries and analyze the impact of those libraries within Salesforce. It then reports which known common vulnerabilities and exposures (CVEs) affect the detected libraries and what exposure they create for the organization.
Recommendations are offered on what libraries to update or patch, as well as the severity and compliance impact of the CVE on the Salesforce organization. S4’s SCA can also be integrated into CI/CD platforms to further automate workflows around development and deployment.
However, developers must remember that SCA should not be a “run once and forget about it” process. New CVEs are reported globally every day, and a library that was considered secure yesterday may not be secure tomorrow. S4 regularly checks 30 different sources for new CVEs to keep its internal database up to date.
S4 continuously monitors for potential security concerns.
Interactive Runtime Testing
The S4 platform includes runtime testing or interactive application security testing (IAST). This uses data gathered during source code analysis to create an environment to actually test the code while running to discover additional injection flaws that can often be missed by source code testing alone.
Additionally, S4 generates additional intelligence and builds proof of concept examples that illustrate actual exploits. S4 leverages IAST to automatically reduce false positives, while also providing an accurate level of risk that an exploit represents.
Salesforce Cloud Configuration
Most development teams leave Salesforce configuration settings to those deploying or managing the applications and the Salesforce environment.
However, that may create a situation where a tested and secure application becomes vulnerable to an attack because a critical Salesforce setting was misconfigured. S4 automates the cloud configuration review process and compares established settings against a known list of Salesforce configuration problems.
Common misconfigurations include access controls, content security policy definitions, password settings, and account settings. Arguably, most assume that the default settings are good enough to provide cybersecurity. However, one also has to consider the impact of security compliance regulations on those settings.
The S4 platform can illuminate how your security bugs are affecting compliance requirements on Salesforce instances.
S4 includes the capability to report how each security vulnerability finding may impact or violate a specific requirement in your chosen framework. This allows prioritization by not only technical security risk (i.e. critical, high, medium, low) but also by highlighting which framework requirements may be violated by the bug.
Conclusion: Redefining How DevSecOps Works
DigitSec S4 helps to redefine how DevSecOps can work efficiently in CI/CD pipelines by automating what were once difficult and manual tasks.
The S4 platform also reduces burdens on developers of Salesforce applications and helps to give them peace of mind that they are delivering secure applications that follow the best practices of cybersecurity. Those managing Salesforce deployments also can benefit from S4, which includes configuration validation and compliance checking.
Ultimately, DigitSec S4 may very well change how DevSecOps is conducted in DevOps environments.