Top 3 Salesforce security risks to check in 2024

AUTHOR: Mike Bogan, Director of Product Strategy, Hubbl Diagnostics

Security isn’t merely a requirement; it's a strategic imperative. For businesses relying on Salesforce, protecting sensitive data is non-negotiable and stands as the cornerstone of stability and trust. Unfortunately, according to recent data, it’s highly likely that your Salesforce org is at risk.

A failure to comprehend the security implications of customizations in your Salesforce org could result in disaster. These customizations impact data protection, compliance with regulations, risk mitigation, business continuity, cybersecurity defense, reputation, resource efficiency, scalability, and future-proofing. Understanding these implications is essential for safeguarding sensitive data, meeting regulatory requirements, and securing your organization's reputation and future success.

1. Updating installed packages

We all have, and update, apps on our mobile phones. If you run your business on Salesforce, you likely have installed apps (packages) to help run your business.

Installed packages can pose significant risks if not managed diligently. Recent findings indicate that 99% of Salesforce organizations have installed packages with newer versions available, highlighting the widespread prevalence of this issue. This makes sense because, before Hubbl Diagnostics, there was no way to automatically know whether your packages are out of date.

Installed packages security recommendations:

1. Incorporate package review into your business process: As a practice, identify out-of-date installed packages at least once per quarter.

2. Automate out-of-date package identification: Leverage Hubbl Diagnostics’ free solution to automatically check installed packages against a comprehensive database of package versions, ensuring you have access to the latest version of your packages.

2. Reviewing custom code

Custom code, the engine driving innovation in Salesforce, also presents significant security challenges. With an average of approximately 2000 custom code security issues affecting each Salesforce org, businesses must take a proactive stance in safeguarding their digital assets.

Custom code vulnerabilities pose severe risks to your organization.

Example threats include:

• SOQL Injections: This vulnerability in code allows hackers to manipulate the SOQL query to execute any command they want to run. This is critical to address as it can provide hackers unauthorized access to your data.

• Cross-site scripting (XSS) vulnerabilities: XSS occurs when a hacker can inject malicious scripts into a web page viewed by others. Uncovering XSS vulnerabilities from URL parameters in your Apex code is critical to reduce your site vulnerabilities.

• Improper Authorization: Apex code that grants excessive privileges to users, or code, does not properly validate user inputs. Highlighting these issues in your code reduces potential authorization issues.

Custom code security recommendations:

1. Review development best practices: Work with your Admin and Development teams to ensure they’re following the Salesforce Well-Architected best practices for custom development.

2. Review past development: With that framework in mind, review past development to understand whether critical security risks exist. Leverage Hubbl Diagnostics to kickstart your review for free.

3. Auditing profile and permission sets

Today, the question isn't merely who accesses your data; it's about ensuring the right people do so, securely and with purpose.

Recent research underscores a concerning reality: the average Salesforce org grants expansive data access rights, with 24 assignments allowing users to ‘Modify All Data’ and an additional 20 assignments enabling data export. The implications of these access levels are far-reaching, impacting the core of your organization's integrity.

The ‘Modify All Data’ permission, in particular, grants users extensive powers, touching areas from lead conversions to quota overrides. It's the linchpin of your data security strategy. Salesforce's strategic shift, discontinuing permissions on profiles by Spring '26, underscores the urgency for organizations to reevaluate their data access protocols.

Data access recommendations:

1. Data access audit: Utilize Hubbl Diagnostics to conduct a thorough audit of profiles and permission sets, identifying access gaps and potential security risks.

2. Define access policies: Clearly define who within your organization should have access to critical data. Establish policies that align with both security best practices and regulatory requirements.

3. Migrate to permission sets: Transition from relying heavily on profiles to adopting permission sets. Salesforce’s impending shift emphasizes this migration, ensuring future-proof data security strategies.

Identify your top three Salesforce security risks for free

Get started with Hubbl Diagnostics, the most comprehensive Salesforce org monitoring solution, for free.