Salesforce Releases & Security Testing Best Practices: what large organizations implement to ensure higher platform security

With the rise of cloud platform usage, many organizations have quickly realized the importance of investing in platform security. Organizations often customize cloud solutions such as Salesforce to fit their own needs and requirements, so the solution keeps changing at different intervals, and each of those changes can alter the security posture of the platform. IT professionals, and especially platform security teams at large organizations, recognize that a proper, well-planned process for testing for security vulnerabilities is essential.

In this article I will explain which types of security testing are needed for each release size, and the role the development team plays in conducting those tests and ensuring their completion.


Two types of security test are defined, based on the type of release. Before going into the details, let me clarify the types of release a medium to large company may have.
 
Mostly, there are two main release types: A) the major release and B) the minor release.
 
A major release delivers new features or functionality to the platform, or major changes to existing features to allow for cross-functional platform scalability. For example, adding a new compliance application that implements a number of policies on Salesforce is considered a major release. This type of release typically takes no less than two months of planning and development.
 
A minor release, on the other hand, covers overall system maintenance or light enhancements. It is completed every three weeks to address bugs reported internally as well as small enhancements to existing system functionality.
 
That being said, development teams should design the security testing to be conducted according to the release type, since not every test is run for every release.
 
Now, what are those types of security testing?
 
The first type is sprint security testing, which must be conducted on every minor release. The Salesforce system administrator engages the security tester when the newly added components are deployed to the UAT environment. This test ensures that the original security settings have not changed, and it covers the following security aspects of the system:
 
  • Password Policies 
  • Network Settings 
  • Session Settings 
  • Org-Wide Default Sharing Settings
  • Role Changes
  • Object- and Field-Level Security Audit of profiles and permission sets
  • Execution of all defined Manual Ethical Hack (MEH) test cases
 
A checklist should be defined once and then followed by the testers on every sprint, so that the same approved baseline is compared against the deployed configuration each time.
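The settings-drift part of that checklist can be automated rather than eyeballed. The following script is an added example written for this article, not code from the original author or from Salesforce: it compares a baseline and a post-deployment copy of a Profile in Salesforce Metadata API format (the same fieldPermissions, objectPermissions and userPermissions elements appear in PermissionSet files, so it handles both) and reports every permission that was granted since the baseline. The two XML documents are constructed samples; the object, field and profile names in them are invented, and the severity classification is this example's own assumption, not a Salesforce rule.

```python
"""Added example: detect permission grants between a baseline and a current
Salesforce Profile / PermissionSet metadata file (constructed sample data)."""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample: the approved baseline captured before the sprint.
BASELINE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <fieldPermissions>
        <editable>false</editable>
        <field>Account.AnnualRevenue</field>
        <readable>true</readable>
    </fieldPermissions>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Account</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <userPermissions>
        <enabled>false</enabled>
        <name>ModifyAllData</name>
    </userPermissions>
</Profile>"""

# Constructed sample: the same profile as retrieved from UAT after deployment.
CURRENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <fieldPermissions>
        <editable>true</editable>
        <field>Account.AnnualRevenue</field>
        <readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.SSN__c</field>
        <readable>true</readable>
    </fieldPermissions>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>true</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Account</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ModifyAllData</name>
    </userPermissions>
</Profile>"""

# (section element, child naming the target, boolean flag children) per block type.
SECTIONS = [
    ("fieldPermissions", "field", ("readable", "editable")),
    ("objectPermissions", "object", ("allowRead", "allowCreate", "allowEdit",
                                     "allowDelete", "viewAllRecords", "modifyAllRecords")),
    ("userPermissions", "name", ("enabled",)),
]

# Assumed severity policy for this example: these grants bypass sharing or
# hand out org-wide power, so they fail the sprint gate outright.
HIGH_RISK_FLAGS = {"modifyAllRecords", "viewAllRecords", "allowDelete"}
HIGH_RISK_USER_PERMS = {"ModifyAllData", "ViewAllData", "AuthorApex", "ManageUsers"}


def load_grants(xml_text):
    """Flatten a Profile/PermissionSet document into {(section, target, flag): bool}."""
    root = ET.fromstring(xml_text)
    grants = {}
    for section, key_tag, flags in SECTIONS:
        for node in root.findall(f"m:{section}", NS):
            target = node.findtext(f"m:{key_tag}", default="", namespaces=NS)
            for flag in flags:
                value = node.findtext(f"m:{flag}", default="false", namespaces=NS)
                grants[(section, target, flag)] = value.strip().lower() == "true"
    return grants


def find_escalations(baseline_xml, current_xml):
    """Report each permission that is true now but was false or absent in the baseline.

    Revoked permissions are deliberately not reported: they are functional
    regressions for the product team, not findings for the security gate.
    """
    base, cur = load_grants(baseline_xml), load_grants(current_xml)
    findings = []
    for (section, target, flag), granted in sorted(cur.items()):
        if granted and not base.get((section, target, flag), False):
            high = flag in HIGH_RISK_FLAGS or target in HIGH_RISK_USER_PERMS
            findings.append({"section": section, "target": target, "flag": flag,
                             "severity": "HIGH" if high else "MEDIUM"})
    return findings


def sprint_gate_passes(findings):
    """Any HIGH finding blocks the release; MEDIUM findings need documented approval."""
    return not any(f["severity"] == "HIGH" for f in findings)


if __name__ == "__main__":
    results = find_escalations(BASELINE_XML, CURRENT_XML)
    for f in results:
        print(f"{f['severity']:6} {f['section']}: {f['target']} -> {f['flag']} granted")
    print("sprint gate:", "PASS" if sprint_gate_passes(results) else "FAIL")
```

In practice the two inputs would be the profile files retrieved from the baseline snapshot and from UAT; the comparison is one-directional on purpose, so a tester reviewing the sprint sees only what became more permissive, which is the question the checklist item asks.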
 

The second type is comprehensive platform security testing, which the development team and a third party specializing in system security testing conduct together. It is coordinated with the third-party security team as part of planning any new feature addition to the platform. This test has two parts:

  1. Full static analysis, completed by the system administrator: this analysis uses a tool such as "Checkmarx", "PMD" or "Org Scan", which runs a full scan of the org and reports findings for the IT development team to act on. Findings from the tool are addressed within the last sprint of a planned major release. The company's internal security team ensures that all High and Medium impact findings are fixed by the IT development team before the release goes to production.
  2. Full web application testing, completed by the third party: this testing requires Salesforce's approval, since the testing method exercises Salesforce's infrastructure and network. The third-party vendor conducts automated dynamic security scans as well as manual testing for vulnerabilities in functional workflows. Findings from these tests are addressed by the IT development team, or by Salesforce if the issue lies in its infrastructure.
 
All in all, security testing should be a standard practice for every company. The IT development team and the security team need to work together to ensure that any system vulnerabilities are communicated properly and addressed before any new features or enhancements are released to the production environment. Moving towards a secure platform is one of the top objectives of every IT leader.
 

We at CloudElite can work with you to realize the benefits of cloud security testing, and help you build a proper release management process and roadmap.

 

Reach out to us for a demo or to learn more about how we have helped companies scale their development lifecycle.