
Misconfigured Custom Salesforce Apps Expose Corporate Data


A warning has been issued for Salesforce users with customized instances to be cautious of common programming errors and misconfigurations that could lead to the exposure of their sales data. According to security experts at data security firm Varonis, the Apex programming language, which is used to add functionality to Salesforce instances and create apps for the Salesforce AppExchange marketplace, is at the heart of the problem. Errors and misconfigurations while using this programming language can potentially result in vulnerabilities that compromise the security of corporate Salesforce applications.

A Varonis security advisory describes the discovery that multiple government organizations and companies had customized their Salesforce Apex code in ways that led to data leaks, data corruption, and potential disruption of business functions. Nitay Bachrach, a senior security researcher at Varonis, revealed that sensitive information such as phone numbers, home addresses, SSNs, usernames, and passwords was at risk due to these customization practices.

The responsibility for secure code falls on the users since Salesforce is not responsible for Apex code uploaded by the users to their Salesforce instances. Additionally, security company AppOmni has warned about lax permissions in Salesforce sites and applications, which have led to vulnerable sites and cloud applications. Brian Soby, the chief technology officer and co-founder of AppOmni, emphasized that the platform makes it easy to exceed permissions, leading to a variety of security threats.

One significant issue revolves around the use of the “without sharing” designation in the Apex language. Code in such a class runs without the calling user’s record-sharing permissions, so it can read or change any record and commit those changes, putting the service at risk of insecure direct object references and database injection attacks. The Open Worldwide Application Security Project (OWASP) named insecure direct object references as the top risk for APIs in 2023.

Though Salesforce did not directly address the Varonis research, the company stressed its commitment to customer data security. It released the top-20 issues discovered through security scans of Apex apps published to the AppExchange marketplace, with sharing violations ranking as the third highest issue on the list.

To protect Salesforce apps and instances, Varonis recommends avoiding the “without sharing” configuration whenever possible, conducting security assessments of all custom and third-party Apex software, and securing all Apex classes, especially those that can be run by guest users or external actors such as customers or partners. It’s critical for organizations to follow best practices and keep track of access while managing and writing code.
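The two Apex classes below are an added illustration of the pattern described above; they are not code from the article, from Varonis, or from Salesforce. Both expose the same lookup method to a Lightning component: the first is declared “without sharing” and hands back whatever Contact matches a caller-supplied Id, the second is declared “with sharing” and layers object-level and field-level checks on top. The class and method names are invented; the Contact fields are standard Salesforce fields. `WITH USER_MODE` requires a recent Apex API version; on older versions `WITH SECURITY_ENFORCED` gives a comparable effect for object and field permissions.

```apex
// Added example (not from the article, Varonis, or Salesforce).
// Class and method names are hypothetical; Contact fields are standard.

// --- Risky pattern described in the advisory -------------------------------
// "without sharing" means record-level sharing rules are NOT applied to the
// SOQL below. Any principal allowed to call this class (including a guest
// user on a public site, if the guest profile is granted the class) can
// retrieve any Contact simply by supplying its Id: an insecure direct object
// reference. Nothing here checks object or field permissions either.
public without sharing class ContactLookupUnsafe {
    @AuraEnabled(cacheable=true)
    public static Contact getContact(Id contactId) {
        return [SELECT Id, Phone, MailingStreet, Email
                FROM Contact
                WHERE Id = :contactId
                LIMIT 1];
    }
}

// --- Hardened pattern -------------------------------------------------------
// "with sharing" makes every query in the class honour the running user's
// sharing rules. Sharing keywords say nothing about object (CRUD) or
// field-level security, so those are enforced separately below.
public with sharing class ContactLookupSafe {
    @AuraEnabled(cacheable=true)
    public static Contact getContact(Id contactId) {
        // 1. Object-level check: the running user must be allowed to read Contacts.
        if (!Schema.SObjectType.Contact.isAccessible()) {
            throw new AuraHandledException('Insufficient access to Contact.');
        }
        // 2. Only accept Contact Ids; reject attempts to probe other objects.
        if (contactId == null || contactId.getSObjectType() != Contact.SObjectType) {
            throw new AuraHandledException('Invalid record Id.');
        }
        // 3. Record-level sharing comes from "with sharing"; WITH USER_MODE
        //    additionally enforces object and field-level security on the query.
        List<Contact> rows = [SELECT Id, Phone, MailingStreet, Email
                              FROM Contact
                              WHERE Id = :contactId
                              WITH USER_MODE
                              LIMIT 1];
        if (rows.isEmpty()) {
            // One message for "does not exist" and "not shared with you", so
            // the response does not reveal which Ids are valid records.
            throw new AuraHandledException('Record not found.');
        }
        return rows[0];
    }
}
```

When reviewing custom or third-party Apex, the question to ask of every class reachable by guest, customer, or partner users is which of these two shapes it has: the sharing keyword on the entry-point class decides whether the caller’s record permissions apply, and object and field permissions must be checked on top of it rather than assumed. Utility classes that are called from many contexts are usually better declared `inherited sharing`, so they take on the sharing mode of whichever class invoked them instead of silently widening access.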

Moreover, companies need to ensure that their developers are well-versed in securely creating and managing Salesforce applications and instances, and enforcing good security behavior is equally important. AppOmni’s Brian Soby has highlighted the importance of understanding the configuration process and avoiding shortcuts that compromise security. Through proper training and adherence to security protocols, organizations can prevent potential data breaches and protect their Salesforce applications and data.
