Due to the urgency of the pandemic, organizations of all sizes are taking bold steps to accelerate digital transformation. To move quickly, enterprises are increasingly using software-as-a-service (SaaS) apps like Salesforce, ServiceNow, and dozens of others as enterprise application delivery platforms. Unfortunately, some companies have pushed their SaaS DevOps process too hard and, while striving for speed, have neglected to make security a requirement of that process.
It’s as if a sales executive has a shiny new Salesforce org, loads it with quickly generated application enhancements, bolts on a nitrous oxide tank, and then takes it for a spin on Mulholland Drive in Los Angeles, with its hidden hairpin curves in the ravines overlooking the city. Our hurried executive decided to floor it right away and didn’t see the hairpin until it was too late.
When using Salesforce to deliver a strategic application, you need security best practices integrated into the process from start to finish, so that your developers and admins don’t fly off into an abyss and expose customers’ personally identifiable information (PII) on the Internet. You need security guardrails embedded in your DevOps process to deploy customized Salesforce builds with precision and confidence. Let’s find out how you can do that.
Cybersecurity Platform
A key security step is to have a systematic way to ensure that SaaS platforms are set up properly. This task is often called configuration management. Doing this work manually has become impossibly complicated, so configuration management should now be treated as a major cybersecurity concern.
In systems like Salesforce in particular, several overlaid security models interact with one another. When evaluating SaaS configuration security packages, compare the features of their metadata-based approaches. Here a service first captures the tenant’s metadata from the SaaS platform, builds an intelligent internal model of it, and then generates a report of data security and setup concerns.
Some vendors are even moving forward to include a method of automated SaaS penetration testing called interactive application security testing (IAST), often referred to as fuzzing or runtime testing. In this case, the service uses metadata intelligence to create a custom runtime testing harness. This allows periodic runtime checks that determine whether the system’s actual behavior matches the intended result.
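To make the metadata-based approach concrete, here is an added example of the kind of policy check such a service runs once it has modelled the tenant: it walks a snapshot of org metadata and reports PII-carrying objects with open org-wide sharing, PII fields stored without encryption, and high-risk permissions on a guest profile. This is illustration code written for this article, not any vendor's product; the snapshot is constructed, and the field names (`sharingModel`, `userPermissions`, `encrypted`) are an assumed, simplified representation rather than the full Salesforce Metadata API schema.

```python
"""Policy check over a constructed snapshot of Salesforce tenant metadata.

Added example, not code from the article or from any vendor's product.
The snapshot is constructed; field names are an assumed simplification of
the Salesforce Metadata API, not its full schema.
"""
import json

# Constructed tenant metadata: two custom objects and two profiles.
TENANT_METADATA = json.loads("""
{
  "objects": [
    {"name": "Customer_Record__c", "sharingModel": "ReadWrite",
     "fields": [{"name": "SSN__c", "encrypted": false},
                {"name": "Email__c", "encrypted": true}]},
    {"name": "Internal_Note__c", "sharingModel": "Private",
     "fields": [{"name": "Body__c", "encrypted": false}]}
  ],
  "profiles": [
    {"name": "Guest Site User", "userPermissions": ["ApiEnabled", "ViewAllData"]},
    {"name": "Standard User", "userPermissions": ["ApiEnabled"]}
  ]
}
""")

# Field-name markers that suggest PII (assumed heuristic, not a platform feature).
PII_MARKERS = ("ssn", "email", "phone", "birth", "passport")
# Permissions that should never sit on an unauthenticated (guest) profile.
HIGH_RISK_PERMS = {"ViewAllData", "ModifyAllData", "ManageUsers"}


def is_pii_field(field_name):
    lowered = field_name.lower()
    return any(marker in lowered for marker in PII_MARKERS)


def check_objects(metadata):
    """Flag open org-wide sharing on PII-carrying objects and unencrypted PII fields."""
    findings = []
    for obj in metadata["objects"]:
        pii_fields = [f for f in obj["fields"] if is_pii_field(f["name"])]
        if pii_fields and obj["sharingModel"] in ("Read", "ReadWrite"):
            findings.append(("OBJECT_SHARING", obj["name"],
                             "sharingModel=%s on object with PII fields" % obj["sharingModel"]))
        for f in pii_fields:
            if not f.get("encrypted", False):
                findings.append(("PII_UNENCRYPTED", "%s.%s" % (obj["name"], f["name"]),
                                 "PII-like field without platform encryption"))
    return findings


def check_profiles(metadata):
    """Flag high-risk permissions on guest (unauthenticated) profiles."""
    findings = []
    for profile in metadata["profiles"]:
        if "guest" not in profile["name"].lower():
            continue
        for perm in profile["userPermissions"]:
            if perm in HIGH_RISK_PERMS:
                findings.append(("GUEST_PERMISSION", profile["name"],
                                 "guest profile holds %s" % perm))
    return findings


def run_checks(metadata):
    """Run every rule and return (rule, target, detail) tuples for the report."""
    return check_objects(metadata) + check_profiles(metadata)


if __name__ == "__main__":
    for code, target, detail in run_checks(TENANT_METADATA):
        print("%-16s %-32s %s" % (code, target, detail))
```

Run against the constructed snapshot, the report lists three concerns: the `Customer_Record__c` object is org-wide ReadWrite while holding PII, its `SSN__c` field is unencrypted, and the guest profile carries ViewAllData. The point of modelling the metadata first is that each rule reasons over the whole tenant (object sharing plus field settings plus profiles) rather than over one screen at a time.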
Developer Cybersecurity
When we talk about shifting cybersecurity concerns “left,” or earlier in the app development cycle, it’s important that developers don’t feel like all the work is also shifting to the left. Application security testing (AST) on SaaS platforms needs to be made easier by providing developers with SaaS-specific scanning tools that integrate seamlessly with their CI/CD pipeline.
Software security tools for enterprise apps written on top of a SaaS platform typically check whether any code placed in the system contains security vulnerabilities. This is where a Salesforce developer may inadvertently introduce a cross-site scripting (XSS) or SOQL injection flaw, for example. Source code scanning is known as static application security testing (SAST), and it is a major guardrail for SaaS developers.
The next step in the developer’s cybersecurity guardrails is to make sure all third-party packages and open source libraries used in an application are secure. Software supply chain security is now a major concern, with public repositories like GitHub and npm being widely used and new software supply chain attacks happening all the time. To address this critical concern, software composition analysis (SCA) is needed to alert developers to newly published Common Vulnerabilities and Exposures (CVE) entries, that is, publicly reported vulnerabilities.
To meet developer needs, better API and CLI access is needed to properly integrate application security testing into DevOps workflows. SAST and SCA should be better integrated with integrated development environments (IDEs) such as VS Code and IntelliJ. Using an advanced Salesforce security scanner should be as easy as using a language linter.
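As an added illustration of what a SAST rule for the two flaws named above looks like (this is example code written for this article, not the article's or any vendor's scanner), the block below scans three constructed Apex snippets for SOQL injection and one constructed Visualforce page for unescaped output. The SOQL rule is deliberately conservative: any identifier that reaches `Database.query()` and was not assigned from a literal or from `String.escapeSingleQuotes()` is reported, which is what a linter-style first pass can do; a real SAST engine replaces this with data-flow analysis. The regular expressions and the `sanitized` bookkeeping are assumptions of this example.

```python
"""Minimal SAST-style checks for SOQL injection and XSS patterns in Salesforce code.

Added example, not the article's or any vendor's scanner. The Apex and
Visualforce samples are constructed. The SOQL rule is conservative pattern
matching, not real data-flow analysis.
"""
import re

# Constructed Apex samples: string concatenation into Database.query (vulnerable),
# the same query with String.escapeSingleQuotes (escaped), and a bind variable (safe).
APEX_SAMPLES = {
    "vulnerable": """
public with sharing class AccountSearch {
    public static List<Account> find(String name) {
        String q = 'SELECT Id FROM Account WHERE Name = \\'' + name + '\\'';
        return Database.query(q);
    }
}
""",
    "escaped": """
public with sharing class AccountSearch {
    public static List<Account> find(String name) {
        String safe = String.escapeSingleQuotes(name);
        return Database.query('SELECT Id FROM Account WHERE Name = \\'' + safe + '\\'');
    }
}
""",
    "bind_variable": """
public with sharing class AccountSearch {
    public static List<Account> find(String name) {
        return [SELECT Id FROM Account WHERE Name = :name];
    }
}
""",
}

# Constructed Visualforce page: the first outputText disables HTML escaping.
VF_SAMPLE = """
<apex:page controller="AccountSearch">
  <apex:outputText value="{!searchTerm}" escape="false"/>
  <apex:outputText value="{!searchTerm}"/>
</apex:page>
"""

STRING_LITERAL = re.compile(r"'(?:\\.|[^'])*'")
ESCAPE_CALL = re.compile(r"String\.escapeSingleQuotes\([^)]*\)")
ASSIGN = re.compile(r"\bString\s+(\w+)\s*=\s*(.+);")
QUERY_CALL = re.compile(r"Database\.query\(\s*(.+?)\s*\);")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
VF_UNESCAPED = re.compile(r'<apex:outputText[^>]*escape\s*=\s*"false"', re.I)


def unsanitized_identifiers(expr, sanitized):
    """Identifiers in expr that are neither literals, escaped values, nor known-clean variables."""
    body = ESCAPE_CALL.sub("''", expr)      # an escaped value is as safe as a literal
    body = STRING_LITERAL.sub("''", body)   # drop literal contents so words inside them are ignored
    return set(IDENT.findall(body)) - sanitized


def scan_apex(source):
    """Report Database.query() calls whose argument may carry unsanitized input."""
    findings = []
    sanitized = set()  # String variables built only from literals / escaped values
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            var, expr = m.groups()
            if not unsanitized_identifiers(expr, sanitized):
                sanitized.add(var)
        q = QUERY_CALL.search(line)
        if q:
            suspects = unsanitized_identifiers(q.group(1), sanitized)
            if suspects:
                findings.append((lineno, "SOQL_INJECTION", ", ".join(sorted(suspects))))
    return findings


def scan_visualforce(markup):
    """Report outputText tags that turn off HTML escaping (an XSS sink)."""
    return [(n, "XSS_UNESCAPED_OUTPUT", line.strip())
            for n, line in enumerate(markup.splitlines(), 1)
            if VF_UNESCAPED.search(line)]


if __name__ == "__main__":
    for label, src in APEX_SAMPLES.items():
        print(label, scan_apex(src))
    print("visualforce", scan_visualforce(VF_SAMPLE))
```

Only the concatenated query is flagged; the escaped variant and the bind-variable query (the idiomatic fix, since the platform parameterizes `:name`) pass clean, and the Visualforce scan points at the single tag with `escape="false"`. Running something this cheap on every commit is the "as easy as a linter" experience the developer guardrail calls for.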
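The SCA step and the pipeline integration asked for in the two paragraphs above can be shown together in one added example (written for this article, not the article's or any vendor's tool): it reads a dependency manifest, matches each installed version against an advisory feed's vulnerable ranges, and returns a pass/fail verdict a CI job can gate on. The manifest, the package names, and the advisory feed are all constructed; the advisory identifiers are placeholders in the form `ADV-EXAMPLE-NNNN`, not real CVE numbers, and the range grammar (space-separated constraints that must all hold) is an assumption of this example.

```python
"""Minimal software composition analysis (SCA) check with a CI gate.

Added example, not the article's or any vendor's tool. Manifest, package
names and advisories are constructed; advisory ids are placeholders, not CVEs.
"""
import json
import re

# Constructed manifest in the shape of a package.json "dependencies" map.
MANIFEST = json.loads("""
{
  "name": "salesforce-portal-frontend",
  "dependencies": {
    "example-date-utils": "2.4.1",
    "example-markdown-render": "1.0.9",
    "example-http-client": "3.2.0"
  }
}
""")

# Constructed advisory feed. "vulnerable" is a space-separated list of
# constraints that must all hold for a version to be affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "example-markdown-render",
     "vulnerable": ">=1.0.0 <1.1.0", "fixed_in": "1.1.0", "severity": "high",
     "summary": "Unescaped HTML in rendered output (constructed)"},
    {"id": "ADV-EXAMPLE-0002", "package": "example-date-utils",
     "vulnerable": "<2.0.0", "fixed_in": "2.0.0", "severity": "medium",
     "summary": "Prototype pollution via locale data (constructed)"},
    {"id": "ADV-EXAMPLE-0003", "package": "example-http-client",
     "vulnerable": ">=3.0.0 <=3.2.0", "fixed_in": "3.2.1", "severity": "critical",
     "summary": "Authorization header sent on cross-host redirect (constructed)"},
]

OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
CONSTRAINT = re.compile(r"(<=|>=|<|>|=)?\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'1.2.3' -> (1, 2, 3); tuples compare component-wise, which is what we need."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version, spec):
    """True when version satisfies every constraint in spec."""
    v = parse_version(version)
    for op, bound in CONSTRAINT.findall(spec):
        if not OPS[op or "="](v, parse_version(bound)):
            return False
    return True


def scan_manifest(manifest, advisories):
    """Return one finding per (dependency, matching advisory) pair."""
    findings = []
    for pkg, version in manifest["dependencies"].items():
        for adv in advisories:
            if adv["package"] == pkg and in_range(version, adv["vulnerable"]):
                findings.append({"package": pkg, "installed": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed_in"]})
    return findings


def should_block_build(findings, threshold="high"):
    """CI gate: fail the pipeline if any finding is at or above the threshold."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f["severity"]] >= limit for f in findings)


if __name__ == "__main__":
    results = scan_manifest(MANIFEST, ADVISORIES)
    for f in results:
        print("%-26s %-8s %-18s %-9s fix: %s" % (
            f["package"], f["installed"], f["advisory"], f["severity"], f["fixed_in"]))
    raise SystemExit(1 if should_block_build(results) else 0)
```

On the constructed input, `example-date-utils` is clear (2.4.1 is outside `<2.0.0`), while the markdown renderer and the HTTP client match their advisories, and the high threshold turns that into a non-zero exit status, which is the hook a CI/CD stage or a CLI wrapper needs. The same function is what an IDE plug-in would call to annotate the manifest inline.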
Don’t Fall off the Cliff
In 2021, the Biden administration issued an executive order mandating more stringent cybersecurity practices. And recently, as directed by EO 14028, NIST released its Guidelines on Minimum Standards for Software Developer Verification, which require review of both source code (SAST) and software libraries (SCA), as well as fuzzing and runtime testing (IAST), as the minimum security testing requirements for an application. All of these guardrails are now required for government DevOps.
Global businesses should take these requirements seriously, not only if they are trying to deliver custom SaaS development services to the government, but also to protect their own sensitive SaaS data and customer PII. Since PII is the No. 1 target for attackers, all industries should be vigilant and make comprehensive application security testing, especially for Salesforce, which is full of PII, an integral part of their SaaS DevOps processes.
Dealing with a data breach caused by a platform or developer cybersecurity defect often happens only after a multimillion-dollar mistake. Manage this risk, and support platform owners and developers, by investing in easy-to-use cybersecurity scanning tools.