Understand the state of your existing production organizations and the hidden risk that accumulated technical debt carries. Performing static code analysis on your existing organizations lets you shift your approach to quality and security left while enabling code review automation.
3. Assess Your Data Governance
All data is not created equal. This is why DevOps teams need to incorporate governance policies across their entire data estate.
While often confused with data management, a solid data governance policy offers an additional benefit—providing a framework for interacting with your Salesforce data. This, in turn, reinforces secure practices to protect against leaks, corruption or tampering.
Data storage in Salesforce can be very expensive. These practices should extend beyond Salesforce to any third-party data storage solution where backups or data might be archived.
From a business continuity perspective, ensuring that you don’t have all your eggs in one basket is critical. Revisit your governance policies as your company’s needs evolve.
Keep lines of communication open so team members can suggest improvements and alert management about potential issues.
4. Secure the Supply Chain
Every access point to your Salesforce system and coding environment is a potential vulnerability. Threats come from both outside and inside your organization.
Your DevOps management team should provide clear instructions for how your team members interact with your systems. Proper employee behavior is the simplest and cheapest way to protect your Salesforce system.
Protect the edge of your supply chain. Deploy and maintain endpoint protection. Many documents uploaded to Salesforce are infected with malware, and Salesforce doesn’t provide native protection.
Maintain consistent permissions policies across your sandboxes, version control repositories, DevOps pipelines and automated testing tools. Open access might seem attractive, but it opens your system up to being compromised if any of your team members are hacked.
Update older versions of development tools and clients that may use out-of-date encryption standards, making them vulnerable to attack.
Third-party libraries and packages are potentially vulnerable to substitution attacks (also known as dependency confusion). A key risk in 2022 is that Salesforce Functions allow arbitrary use of third-party, open source libraries and packages.
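One defensive check against the substitution risk described above is to audit the lockfile a Node.js function ships with, so that every dependency is pinned to an integrity hash and resolved from the registry you expect. The following is an added example, not code from the original article or from Salesforce; the private scope `@acme-internal/`, the private registry URL and the sample lockfile are all constructed for illustration.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2/3 "packages"
// map) for dependency-confusion exposure. Findings are returned, not just printed.
const TRUSTED_REGISTRIES = ["https://registry.npmjs.org/"];
const INTERNAL_SCOPES = ["@acme-internal/"];                  // hypothetical private scope
const PRIVATE_REGISTRY = "https://npm.acme-internal.example/"; // constructed URL

function auditLockfile(lock, opts = {}) {
  const trusted = opts.trusted || TRUSTED_REGISTRIES;
  const internalScopes = opts.internalScopes || INTERNAL_SCOPES;
  const privateRegistry = opts.privateRegistry || PRIVATE_REGISTRY;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    // Nested paths look like node_modules/a/node_modules/b; keep the last package name.
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const resolved = entry.resolved || "";
    if (internalScopes.some((s) => name.startsWith(s))) {
      // An internal name fetched from the public registry is the classic confusion case.
      if (!resolved.startsWith(privateRegistry)) {
        findings.push({ name, reason: "internal package not resolved from private registry", resolved });
      }
      continue;
    }
    if (!resolved) {
      findings.push({ name, reason: "no resolved URL (unpinned source)", resolved });
      continue;
    }
    if (![...trusted, privateRegistry].some((r) => resolved.startsWith(r))) {
      findings.push({ name, reason: "resolved from untrusted registry", resolved });
    }
    if (!entry.integrity) findings.push({ name, reason: "missing integrity hash", resolved });
  }
  return findings;
}

// Constructed sample lockfile: one clean package, one internal package pulled from
// the public registry, and one package from an unexpected mirror with no integrity.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-function" },
    "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/@acme-internal/utils": { version: "1.2.0", resolved: "https://registry.npmjs.org/@acme-internal/utils/-/utils-1.2.0.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://mirror.example.net/left-pad-1.3.0.tgz" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it in the pipeline against the real `package-lock.json` and fail the build when `auditLockfile` returns any findings.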