Securing Salesforce Apps – A Real-World Story with ACME

In the previous blogs, we saw how different vulnerabilities are discovered, resolved and can have impact on the application from the code perspective. In this blog, we walk you through a real world scenario where ACME, a client is using a Salesforce-based application for client onboarding. ACME stores sensitive user data which makes it important for them to implement access controls to guarantee that only authorized team members are able to carry out authorized tasks and view users' personally identifiable information (PII). The application was created to provide a safe and effective onboarding process while streamlining Know Your Customer (KYC) procedures.  

However, handling financial and PII data is not something to be taken lightly. The involvement of sensitive information like personal identification, account statements, and books requires utmost attention. Although Salesforce provides a secure platform to build secure and agile applications, the access control and configuration of the platform is where the real challenge lies. Simply put, even the most secure system is only as safe as its setup.

At this point, ACME realized that they needed a thorough security review, everything from code to Salesforce configurations, and turned to Blueinfy. This blog is aimed at providing a detailed take on how we carried out the security review for ACME and ensured the platform’s reliability. 

The Role of Blueinfy in ACME’s Journey

The main goal of Blueinfy was to make the ACME application and configuration as secure as possible. Our approach was not limited to code reviews and penetration testing for identifying underlying issues. Typically, that’s the way to go; however, Salesforce has its own unique setup that can expose businesses to risks if not addressed properly.

As a result, we decided to kick up the security review by a notch by moving ahead of the usual tests and performing a detailed configuration review. To help the app seamlessly handle the financial data with confidence, we aimed to further strengthen ACME’s foundation.

What the Review Actually Covered

Instead of highlighting the technical jargons, let’s quickly discuss the key areas and checkpoints we covered that made all the difference.

1. Access Management – User Roles, Profiles, Permission Sets

As the name suggests, we started working on the application’s core by reviewing who can access the Salesforce platform, alongside all the interactive resources and functionalities at the user level. To prevent unauthorized access for the safety of sensitive data, effective access management is crucial.

Salesforce provides a unique way to set up user roles, profiles, and permission sets to implement access management, which allows you to decide who has access to different Salesforce components, i.e., records, objects, and fields. Moreover, it also defines the level of access (read, write, delete, etc.) each user has. 
 

It is important to understand the following terms in the context of the Salesforce application configuration-

  • Roles – It helps in determining a user’s position in the org and affects access to records based on the default organization-wide settings. 
  • Profiles – Determines the authorization to perform an action (Create, read, update, and delete) on objects and fields
  • Permission Sets – a list of permissions that need to be granted to users in addition to their profile 
During the Blueinfy review, one of the key focus of the testing was to review user roles and profile setup to identify permission implementation. For example, a non-admin user should not have access to change any system-wide settings. The objective here was also to make sure that ACME is following the principle of least privilege and is granting only the user’s permissions that are necessary. The review team exploited authorization bypass vulnerabilities at many instances due to missing CRUD/FLS enforcement in the code, despite access restrictions being defined through profiles and permission sets.

 

2. Sharing Settings

In Salesforce, sharing settings define how records are shared within the organization. When the application has multiple users and user roles, it is essential to implement platform-provided protection to implement proper authorization. This control ensures that users can only access the data appropriate to their role. 

The sharing settings also configure external organisation-wide defaults, which give control/manage access of external users. When this setting is configured as “Public Read/Write,” it permits all external users to view and modify each record of that object. Blueinfy reviewed ACME’s implementation of sharing settings to ensure proper implementation of authorization. The objective here was also to make sure that ACME is following the principle of least privilege to protect the data of the application against unauthorized access, especially for external users. 

 

3.  Insecure Storage of Sensitive Data 

Ensuring sensitive data is kept securely was a critical component of this review. Moreover, it assists in safeguarding against data breaches and protects the data from unauthorized users. The Salesforce platform provides multiple secure storage options with protected custom metadata API fields. It boasts custom settings, named credentials, and encrypting data in custom objects with keys in protected custom settings. To make sure that no data is stored as plain text, Blueinfy’s evaluation assessed ACME’s use of the Salesforce-supplied encryption mechanism, verifying its proper use. Moreover, the entire application was only accessible over a secure channel (SSL).  

 

4. Wide OAuth Scope

Salesforce often provides a wide third-party app support. However, this brings along the risk of more access than necessary. Protocols like OAuth enable the application to access Salesforce data on behalf of a user. This makes the system vulnerable, as broad scopes can unknowingly provide applications with more data than they require. Blueinfy carefully reviewed the OAuth configurations for ACME’s integration. Here, our main goal was to grant minimal access to external applications. Hence, we took all the narrowly defined common scopes, including Full Access, API Access, and Refresh Tokens, in ACME’s Salesforce environment into consideration and were successfully able to reduce the risk of data leakage by restricting the OAuth scope. Our practice helped in ensuring that only necessary data and functionality were exposed to external systems. 

 

5. Session Management

Session management refers to the controls that decide the duration of a user session and system behavior on user inactivity. Improperly configured session timeout may cause unauthorized access if a session is active for a long time, or users may get logged out early, causing inconvenience. Blueinfy made sure that ACME set the session timeouts correctly so that it reduces the risks of session hijacking and more.

 

6. Password Policies

Strong passwords are still the first line of defence. Even cloud platforms like Salesforce can fall victim to brute-force attacks with weak or predictable passwords. To prevent such instances and unauthorized user access, Blueinfy made sure that ACME’s application is aligned with industry best practices to protect user accounts from common threats. 

 

7. Missing Security Headers

Web applications rely on security headers for functions including protection against HSTS, clickjacking, content injection, and other common issues. Applications can be vulnerable to these threats when security headers are absent or incorrectly set. Blueinfy verified the presence of essential security headers in ACME’s Salesforce application.

Key Takeaways from the Review

Our testing methodologies allowed us to make significant practical improvements. From reducing excessive permissions and refining data-sharing rules to setting stricter login controls, Blueinfy did not just reduce hidden risks for ACME but also provided a clearer picture of the application’s functioning. 
This resulted in making the ACME’s Salesforce application more compliant and genuinely more secure. More importantly, ACME’s team could now serve clients knowing that their information was well-protected.

The Bigger Picture: Why This Matters for Businesses

For any business that handles financial or personal data, a simple overlooked configuration can result in costly breaches and distrust among consumers. This highlights the point that security reviews should not be seen as nice, optional extras, but rather as a necessity for growth. By acting proactively, ACME created an opportunity instead of a problem and improved its system and client assurance. 

ACME’s experience teaches every company that uses Salesforce or other similar platforms an important lesson: a secure and stable platform requires attention and expertise to point out certain misconfigurations. Salesforce has strong built-in protections, but how these parameters apply depends entirely on the configuration of the platform.