Devsecops firm AutoRabit is trying to address security issues arising from policy changes and misconfigurations in Salesforce environments with a new offering, CodeScan Shield.
CodeScan Shield is the next iteration of AutoRabit’s static code analysis tool, CodeScan, and elevates the capabilities of CodeScan with the help of a new module called OrgScan. The new module governs organizational policies by enforcing the security and compliance rules mandated for Salesforce environments.
With OrgScan, a dashboard is created at the end of each scan and identifies any areas of concern. This puts the control back in an organization’s hands, saving time and money, the company said.
“It is important to recognize that usually there are at least three groups involved in maintaining security across organizations,” said Eric Pearson, regional vice president for North and South America enterprise accounts at AutoRabit. “There’s the development organization, the release management organization to build and release the applications that they build. But you also have Salesforce sysadmins, who are responsible for everything from user access, session management, and other aspects of Salesforce security. And you have InfoSec, which is very concerned around data, privacy, etc.”
Pearson pointed out that oftentimes these different security groups stay in silos. “What we’ve looked to do with CodeScan Shield is really start to bring these different groups together, and help automate them in a policy management system—everything from admin privileges, session management, user access, etc. And ensure that those types of rules are incorporated in the development and release management cycles sooner so that we help customers not just shift left but really shift in and make security the focal point of any devsecops solution,” he said.
CodeScan Shield enables admins and developers to scan Salesforce profiles, permission sets, user settings, session settings, and more. Users can check for 100% adherence to native and custom Salesforce policies, supporting regulatory compliance standards. The no-code interface of OrgScan can be used without needing extensive coding knowledge, the company said.
CodeScan Shield targets security for Salesforce apps
While AutoRabit’s flagship tool CodeScan is a static code analysis tool, CodeScan Shield dynamically tracks the code to check for any vulnerabilities introduced accidentally, actively addressing security issues that may arise at different stages of development.
“CodeScan Shield isn’t checking if the code works per se,” Pearson said. “What it’s looking for is: did you accidentally introduce a vulnerability into your code? Is there a way to backdoor and get data? Is there a way to backdoor and hack the user experience? It’s looking to bring a barrier of protection to your code. At the same time, and separately, there are areas of control that Salesforce grants through its security layer. Profiles help restrict information; they restrict what you have access to. Permission sets go just the opposite way: they grant users additional control above and beyond what their profile allows them to do.”
Pearson explained how multiple custom profiles in a Salesforce environment can lead to modified data that carries entirely different policies. For example, while the org-wide policy dictates that passwords must expire every month, a modified profile could set them to never expire, creating a vulnerability.
“What we want to do with OrgScan is help you mandate what your policy should look like: how many custom profiles should have modified data, how many profiles, if any, should have that password set to never expire, and what should those be? CodeScan Shield will then flag any violations against your main data policies,” Pearson said. “It ensures that the development teams are following the guidelines and the mandates that have been set forth from InfoSec and System Administration. That’s really difficult to do when you don’t have those two things working together.”
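The kind of profile policy check Pearson describes, written as an added illustration rather than AutoRabit's own CodeScan Shield or OrgScan code. The profile records and the `Profile`/`Policy` field names are constructed stand-ins for Salesforce profile metadata, not the real schema, and "0 days" is assumed here to mean a password that never expires.

```python
from dataclasses import dataclass

NEVER_EXPIRES = 0  # assumed convention: 0 days means the password never expires


@dataclass(frozen=True)
class Profile:
    name: str
    custom: bool                   # True for custom profiles, False for standard ones
    password_expiration_days: int  # per-profile override of the org default


@dataclass(frozen=True)
class Policy:
    default_expiration_days: int   # the org-wide default that profiles inherit
    max_expiration_days: int       # mandated ceiling, e.g. 30 for "expire every month"
    max_custom_overrides: int      # how many custom profiles may deviate from the default


def check_profiles(profiles, policy):
    """Return a list of violation strings; an empty list means the org is compliant."""
    violations = []
    overrides = 0
    for p in profiles:
        if p.custom and p.password_expiration_days != policy.default_expiration_days:
            overrides += 1  # "modified data": a custom profile drifted from the default
        if p.password_expiration_days == NEVER_EXPIRES:
            violations.append(f"{p.name}: password set to never expire")
        elif p.password_expiration_days > policy.max_expiration_days:
            violations.append(f"{p.name}: expires every {p.password_expiration_days} days, "
                              f"policy allows at most {policy.max_expiration_days}")
    if overrides > policy.max_custom_overrides:
        violations.append(f"{overrides} custom profiles override the default expiration, "
                          f"policy allows at most {policy.max_custom_overrides}")
    return violations


# Constructed sample org: default is 30 days, two custom profiles drift from it.
SAMPLE_POLICY = Policy(default_expiration_days=30, max_expiration_days=30, max_custom_overrides=1)
SAMPLE_PROFILES = [
    Profile("Standard User", custom=False, password_expiration_days=30),
    Profile("Sales Ops", custom=True, password_expiration_days=30),
    Profile("Integration Service", custom=True, password_expiration_days=NEVER_EXPIRES),
    Profile("Field Marketing", custom=True, password_expiration_days=90),
]

if __name__ == "__main__":
    for v in check_profiles(SAMPLE_PROFILES, SAMPLE_POLICY):
        print("VIOLATION:", v)
```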