Salesforce has received quite the promotion in many companies, moving from a back-office app to a mission-critical one that contains all of their prized customer data. Now that Salesforce is so key to driving revenue, companies must be even more sure that it remains online and secure. Consider the repercussions if an outage were to eliminate sales or service for a period of time or worse, a security breach exposed customer data. Both of these scenarios are simply too risky to chance.

We recently invited Andy Ellis, CISO at Orca Security and author of 1% Leadership, to join Veroljub Mihajlovic, senior director of product marketing at Flosum, to explain some of the potential security threats associated with Salesforce and what savvy organizations should do about them in our webinar A CISO’s Guide to Salesforce.

Here are five risks organizations should take action on today to safely enjoy all the perks that Salesforce has to offer.

Risk 1: SaaS apps

Security within Salesforce is an emerging challenge, as many people are just starting to realize you need to own security within SaaS apps. Historically, when vetting potentially partners, companies have audited just the company to see if they can be trusted but not the platform itself. Additionally, the overall Salesforce ecosystem tends to have a combination of apps that a company’s developers write as well as third-party apps. It is crucial that organizations understand all the potential apps that are interacting with their data and take appropriate security steps.


Risk 2: Broad access

As Salesforce becomes more infused into an organization’s DNA, the number of people who have access to it often increases, to the point where it can become difficult to control or even understand just how many people have access. And, as people join, move within, or leave a company, the issue of access can become even more fuzzy. Without carefully controlled Salesforce access, a company’s own employees often pose the largest risk to security. Something as innocent as downloading data to a spreadsheet can introduce immediate and long-term security problems that may be hard to put back into the box. It’s important for organizations to make sure Salesforce access is restricted to only those who need it and manage permissions appropriately to keep people from unintentionally doing harm.

Risk 3: Citizen developers

An emerging trend is the increase of citizen developers. According to Forrester research, 39% of digital and IT professionals who were surveyed said they allowed employees outside of IT to deliver apps. This practice can make a lot of sense from a business perspective, as it empowers employees with business acumen to create tools quickly that meet business needs. However, a common organizational pitfall is treating developers in a low-code environment differently from how we treat developers in a full-stack environment, and that introduces security risks. Even when working within low-code apps that use clicks instead of code, it is possible for citizen developers to make errors that can threaten security and harm the business. Organizations must provide guardrails to help these citizen developers work safely.


Risk 4: Unclear ownership

Because Salesforce has such broad uses and implications, organizations can often become internally conflicted as to whether Salesforce security should fall under IT, sales operations or some other function. Additionally, while the CISO owns security for the company, they’re often not the person who is actually implementing the security measures. That comes down to roles such as developers or program managers, and CISOs must be ready for this reality. Organizations must gain the needed clarity around ownership and stop passing the security buck.


Risk 5: Machine identity

Digital or machine identities, which encompass any identity that is not specifically tied to a human such as an automated process or an app, are common with SaaS and other apps and must be approached with extreme caution. These identities lead to challenges with authentication and controlling data flow with one application to another which often creates inroads for adversaries. A full understanding of all the machine identities in play as well as corresponding security protocols is a must.


Keep security at the core

Yes, there are security risks that come with Salesforce, as with any app. That shouldn’t scare organizations away from using it but it should propel them to take necessary precautions to make sure their business and customers are protected. What’s needed is a complete mind shift to Salesforce DevSecOps, a cultural change that fully integrates security back into the entire process. Shifting the development culture from DevOps to DevSecOps can mitigate these risks and help settle the question of ownership by giving everyone a role.

With Flosum, organizations can enjoy a reliable solution to establish a true DevSecOps process that enables fast deployments in a security-conscious environment. Schedule a free demo of Flosum to learn more.

To hear the full conversation with Andy Ellis and Veroljub Mihajlovic, watch the webinar: A CISO’s Guide to Salesforce.



signup for our blog


“Flosum is the best native release management tool that you will fall in love with. I have gained confidence in my role and has given me the ability to view release management from a whole different perspective.”

Faizan Ali

Faizan Ali
Salesforce Consultant at Turnitin