Why every Salesforce development team needs a Security Champion.
Security Champion is a concept made popular by the Open Web Application Security Project: it's a member of the development team that take direct responsibility in security and actively promote security best practices.
With more and more data moving to the cloud, the need for awareness and discipline around security has never been so relevant. In one of our most popular posts, we estimate that 30% of organisations live with security problems in their Salesforce orgs that could yield to data leaks, compliance problems and significant reputation damage.
Security Champions can make a real difference
The concept of Security Champion isn’t typically heard of in Salesforce teams. Yet, there is a strong, growing need for such figures. At Clayton, we work with Security Champions every day, helping them take control of security during all stages of development. This article is largely inspired by our experience and shares a repeatable approach, as well as tips and tricks, to give you a head start to becoming a Security Champion.
Step 1: educate and promote best practices
As an expert and an advocate on security topics, the Security Champion plays a key role in promoting a security culture by raising awareness and educating team members on best practices. When working with the Salesforce platform, there are different facets of security. Education requires speaking with different types of stakeholders, at different levels of abstraction, which is in itself a challenging task. We have collected some resources that you can share with different team members, to make your education job easier.
Resources for your Salesforce Developers
Customisations are a source of security risk. All custom developments may potentially introduce security problems and vulnerabilities, which is why it’s crucial that all developers in your team understand security well. There is a wealth of great resources out there, from accessible Trailhead modules to advanced, in-depth, Dreamforce sessions. Here are some of our favourites:
- Developer Documentation: Secure Coding Guidelines
- Developer Blog: Learn MOAR in Spring ’20 with Field Level Security in Apex
- Trailhead: Develop Secure WebApps
- Trailhead: Security Specialist Super badge
- Secure Salesforce: External Integration Security With Chimera
- Video: Secure Coding: Field-level Security, CRUD, and Sharing
- Video: Tips and Tricks to pass Salesforce Security Review
- Video: Scale Security at Your Company
- Video: Avoiding Common Security Mistakes
- Video: Secure your Heroku Apps
Resources for your Salesforce Administrators
Due to its extreme flexibility in configuration, Salesforce admins also play a very important in maintaining good security practices. Salesforce has a multitude of features and resources that have important security ramifications: from access control, password policies, identity management and access, etc.
- Security Resources for Salesforce Administrators
- Stay Current on Security
- Trailhead: Secure Identity and Access Management
- Security for Admins Cheatsheet
A checklist to get you started
- Create a knowledge base for your team.
- Create a space to communicate within and outside your team. Slack channels, Chatter and company newsletters are great ways to keep people engaged.
- Maintain interest in security topics by promoting workshops, training, interactive quiz.
- Add a “Security 101” module to your developers’ induction training.
- Give regular updates on plans, achievements and show appreciation for your team members that make a difference.
- Periodically report on updates to your management, to keep them actively engaged in the topic.
Step 2: perform regular security assessments
Conducting security reviews and assessments of your Salesforce applications is core to the role of every security champion. Every team should carry security assessments regularly, and take them very seriously. Many tools are already on the market and can help you in performing this task. We will present some of them, exploring in deep their capabilities and pros and cons in one of our next articles.
A checklist to get you started
- Plan regular security assessments. Create a shared calendar and make sure they are continuously performed and tracked.
- Track confirmed problems by severity in your product backlogs.
- Create a specific epic for security-related topics. It helps tracking, planning and reporting.
- Document the assessments process in your knowledge base to keep it repeatable
Step 3: secure your Salesforce development lifecycle
If you want to take security to the next level, you need to embed continuous vulnerability scanning as part of your development lifecycle (DevSecOps).
This makes security testing a stage every change goes through, just like passing unit tests. DevSecOps tools are specially important if you work in a regulated sector, work extensively with sensitive data, or are willing to certify your security to standards such as ISO 27001 or SOC 2.