Unauthorised access to data is a primary concern of clients who commission a Salesforce assessment. The Salesforce documentation acknowledges that the sharing model is a “complex relationship between role hierarchies, user permissions, sharing rules, and exceptions for certain situations”. It is often said that complexity and security are natural enemies. Salesforce empowers its users with a multifaceted sharing framework in order to cover a wide variety of business use cases. But with great power comes great responsibility. This blog post over on the NCC Group research site discusses the topic of misconfigured sharing, and announces the release of a new open-source tool Raccoon to help identify such misconfigurations, which could otherwise expose sensitive data.
With Coronavirus still active across the world, life is far from settled, but the uptake of remote working is surely here to stay. From a security standpoint, organisations may feel less comfortable at the moment simply because staff are working out of sight. Whether that feeling is justified will depend on the technical measures put in place to facilitate remote working. Salesforce provides logging of authentication events as part of the standard platform. This blog post over on the NCC Group research site takes a look at monitoring these events in various contexts as a way to increase assurance.
SFPolDevChk is a quick tool to show which Profiles in a Salesforce instance have become desynced from an Organization in terms of password and session policies, with any deviations highlighted. Published as an NCC Group open source project.
This blog post on the NCC Group research site discusses the most common findings from a sample of over 35 security assessments of Salesforce customer deployments. The assessments covered a mixture of configuration and code review, and the common issues were sorted into broad categories: Deviation From Salesforce Baseline Standard, Deviation From Security Best Practice, Authentication Issues, File Handling, Insecure Code, Unhandled Security Alerts and Critical Updates Pending (now since merged by Salesforce), and Broken Access Controls.