Let’s discuss Salesforce Security
Doug Merrett – Platinum7
Wellington Salesforce User Group
20th August 2025
Shared Responsibility Model
Salesforce does not do all of it for you…
Copyright © 2025 Platinum7
[Shared Responsibility Model diagram; only the box labels survived extraction, listed row by row]
Row 1 (Foundational / Security): International Infrastructure, Hardware, Compute, Storage, Scalability, Availability, Datacentre Security
Row 2 (Foundational / Security): Network (inc encryption), Server (inc encryption), Administrative, Capacity, High Availability, Disaster Recovery, Operational Management, Audits, Site Reliability, CSIRT, Secure SDLC
Row 3 (Foundational / Customer): Persona Level, Record Level, Field Level, Performance, Monitor / Audit, Backup / Archive, Secure SDLC, Org Level, Privacy / Data Gov
Salesforce is inherently very secure
The Scattered Spider hacker group has exfiltrated data from Salesforce customers
like Pandora, Qantas, LVMH, Google, Allianz and Cisco
• How?
• Socially engineered Salesforce users into helping the hacker install a Connected App
• This app may be masquerading as Salesforce’s DataLoader
• Mitigation
• Educate your staff that no one from IT will be asking them to assist in installing an application into Salesforce
• Enable API Access Control – more on that soon!
However, you need to do some work as well!
STOP PRESS!!!
Security is never “finished”
[Four-step diagram: Assess Your Org Health, Secure Your Application, Secure Your Data, Improve Security Awareness]
Assessments
• Health Check
• Portal Health Check (do not use as it’s incorrect)
• Salesforce Optimizer (being phased out)
• Salesforce Security Centre’s Security Analysis tool (ex Own Secure)
• Code Scan with Checkmarx/DigitSec S4/Gearset/AutoRabit/Salesforce’s own Code Scanner
• Third parties (shameless plug)
Secure your Application
• Restrict access to Connected Apps and the API with API Access Control
• Raise a case with Salesforce Support to get enabled
https://links.platinum7.com.au/APIAccessControl
• Reconfigure External Sharing OWD to be Private unless there is a really good reason
• Ensure Aura based communities are protected
https://links.platinum7.com.au/Aura-Issue
• Reconfigure broad sharing access (Public R/W, or Private with broad sharing rules)
Use Least Privilege principles
Secure your Application (cont)
• Use Lightning Login to go passwordless
• Fix the code issues found by the Code Scanner
• SOQL injections – where data from the UI/API is put into a SOQL query without protection
• Stored XSS – where data from the database is shown in the UI without protection
• XSS due to disabled escaping – the developer explicitly turning off XSS escaping
• Sharing violation in exposed methods – no “with sharing” on exposed Apex methods
• Use SSO and enforce it for logging into your org
• Most SSO tools have capabilities to stop non-company devices from connecting
• Use IP Restrictions to limit access to corporate networks
Use Least Privilege principles
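Two of the Code Scanner findings above (SOQL injection and missing “with sharing” on an exposed Apex method) side by side with a hardened version. This is an added example, not code from the slides; the class, method and the Account/Contact allow-list are assumptions.

```apex
// BEFORE: flagged by the scanner. "without sharing" ignores the caller's record
// access, and the UI value is spliced straight into the query text, so a crafted
// search term can rewrite the WHERE clause (SOQL injection).
public without sharing class AccountSearchVulnerable {
    @AuraEnabled
    public static List<Account> find(String term) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + term + '%\'';
        return Database.query(soql);
    }
}

// AFTER: "with sharing" enforces the caller's sharing rules; the input is passed
// as a bind variable, so it is never parsed as SOQL; stripInaccessible removes
// fields the running user has no field-level read access to.
public with sharing class AccountSearchHardened {
    @AuraEnabled
    public static List<Account> find(String term) {
        String pattern = '%' + term + '%';
        List<Account> found = [SELECT Id, Name FROM Account WHERE Name LIKE :pattern LIMIT 200];
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, found);
        return (List<Account>) decision.getRecords();
    }

    // When the query text really must be built at runtime (object chosen by the
    // caller), bind the value with queryWithBinds and allow-list the object name,
    // because an object or field name cannot be bound and must not come from input.
    public static List<SObject> findDynamic(String objectName, String term) {
        Set<String> allowed = new Set<String>{ 'Account', 'Contact' };   // assumed allow-list
        if (!allowed.contains(objectName)) {
            throw new IllegalArgumentException('Unsupported object: ' + objectName);
        }
        String soql = 'SELECT Id, Name FROM ' + objectName + ' WHERE Name LIKE :pattern LIMIT 200';
        Map<String, Object> binds = new Map<String, Object>{ 'pattern' => '%' + term + '%' };
        // USER_MODE applies the caller's sharing, object and field permissions to the query
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }
}
```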
Secure your Data
• Use Event Monitoring’s Transaction Security policies to minimise data exfiltration risks
• Reconfigure API Users that are System Admins
• Especially with the availability of the Integration User license
• Remove permissions not needed (View All Data, Modify All Data, API Access, …)
• Use data masking in sandboxes to shrink the attack surface
• Data Mask & Anonymizer by Salesforce, DataMasker by Cloud Compliance
• Use archiving/deletion to remove data that no longer provides business benefit
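As an added illustration of the Transaction Security bullet above (not from the slides): an Apex condition for a Transaction Security policy on the ApiEvent, which matches API calls that return a large number of rows from sensitive objects so the policy’s configured action (block, require MFA or notify) can stop a bulk export. The 2,000-row threshold and the object list are assumptions.

```apex
// Added example: condition class for an Event Monitoring Transaction Security
// policy built on the ApiEvent real-time event. The action taken when this
// returns true (Block / Two-Factor / Notify) is configured on the policy in Setup.
global class BulkApiExportCondition implements TxnSecurity.EventCondition {

    // Objects whose bulk export over the API should trigger the policy (assumed list)
    private static final Set<String> SENSITIVE_OBJECTS = new Set<String>{ 'Account', 'Contact', 'Lead' };

    // Rows returned by one API query call above which we treat it as a bulk export (assumed)
    private static final Integer MAX_ROWS = 2000;

    public Boolean evaluate(SObject event) {
        switch on event {
            when ApiEvent apiEvent {
                return isBulkExport(apiEvent);
            }
            when null {
                return false;
            }
            when else {
                // Any other event type: this condition does not apply
                return false;
            }
        }
    }

    private Boolean isBulkExport(ApiEvent apiEvent) {
        // RowsProcessed is the number of rows the API call returned
        if (apiEvent.RowsProcessed == null || apiEvent.RowsProcessed <= MAX_ROWS) {
            return false;
        }
        // QueriedEntities is a comma-separated list of the objects the query touched
        if (String.isBlank(apiEvent.QueriedEntities)) {
            return false;
        }
        for (String entity : apiEvent.QueriedEntities.split(',')) {
            if (SENSITIVE_OBJECTS.contains(entity.trim())) {
                return true;   // policy action fires for this call
            }
        }
        return false;
    }
}
```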
Secure your Data (cont)
• User Access Report – https://appexchange.salesforce.com/appxListingDetail?listingId=a0N3A00000FYkDDUA1
• Don’t have too many System Admins (3-5)
• Backup your data
• Look at Privacy and Consent
• Embedded PII and other information
• Look at David Norris’ Medium posts – https://dave-norris.medium.com
Improve Security Awareness
• Educate users on Cybersecurity for home and work
• Educate Developers and Admins on security best practices
• Look at using new techniques in your development cycles
• Have a playbook for what to do in cyber events
• Look at frameworks – e.g. the NIST Cybersecurity Framework
Q&A
Please reach out if you have any questions –
I do not bite! And I am happy to have a chat
about anything security related…
Contact Details
• doug@platinum7.com.au
• +61 404 005 435
• https://www.platinum7.com.au
• https://doug-merrett.medium.com
Interesting information
• Architecture: https://architect.salesforce.com/well-architected/trusted/overview
• Security: https://developer.salesforce.com/developer-centers/security
• Code Scanner from Salesforce blog post: https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/code-analyzer.md
• NIST Framework: https://www.nist.gov/cyberframework
• Platinum7 Salesforce Security Assessments: https://www.platinum7.com.au/assessments (NFP get a 10% discount)
Interesting information (cont)
• Six Steps to Establish a Security Governance Model: https://medium.com/salesforce-architects/six-steps-to-establish-a-security-governance-model-3e9cf461ffe1
• Who Sees What in Salesforce video series:
https://www.youtube.com/playlist?list=PLFNbZmUNjID5ILGyXqm_1oJHcTDoLkW0W
Companies to investigate
Backup
• Salesforce’s Backup (fka OwnBackup) and Odaseva are the top tier
Event Monitoring tools
• Platinum7 Event Storage – keep your logs “forever”
• Platinum7 Transaction Security Policies – complex and capable policies to block data exfiltration
Let me know if you would like an introduction