Salesforce Releases & Security Testing Best Practices: What Large Organizations Implement to Ensure Higher Platform Security
With the rise of cloud platform usage, many organizations quickly realized the importance of investing in platform security. Organizations often customize cloud solutions such as Salesforce to fit their needs and requirements, so changes to the solution are made at different intervals, and each of those changes can alter the security posture of the platform. IT professionals, and especially platform security teams at large organizations, recognize that a proper, well-planned process for testing for security vulnerabilities is essential.
In this article, I will explain which types of security testing are needed for each release size, and what role the development team plays in conducting those tests and ensuring their completion.
- Password Policies
- Network Settings
- Session Settings
- Org-Wide Sharing Settings
- Role Changes
- Object- and Field-Level Security audit on profiles and permission sets
- Conduct all defined Manual Ethical Hack (MEH) test cases
The second type of security testing is comprehensive platform security testing, which both the development team and a third party specialized in system security testing need to conduct. This testing is coordinated with the third-party security team so that any new features added to the platform are planned for. It has two parts:
- Full static analysis, completed by the system administrator: this analysis uses a tool such as Checkmarx, PMD, or Org Scan. These tools scan the whole Org and produce results for the IT development team to act upon. The findings from the tool are addressed within the last sprint of a planned major release, and the company's internal security team ensures that any High- or Medium-impact findings are addressed by the IT development team before the release goes to production.
- Full web application testing, completed by a third party: this testing requires Salesforce approval, since the testing method stresses Salesforce's infrastructure and network. The third-party vendor conducts automated dynamic security scans as well as manual testing of functional workflow vulnerabilities. The findings from these tests are addressed by the IT development team, or by Salesforce if they are major infrastructure issues.
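As an added illustration of the static-analysis gate described above (example code written for this article, not a CloudElite or Salesforce tool), the script below reads a PMD-style XML scan report and blocks the release while any High- or Medium-impact finding remains. The priority-to-impact mapping and the sample report are assumptions; the file names, rule names and messages in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumed mapping from PMD's numeric priority (1 = most severe) to the
# High/Medium/Low impact levels the release gate refers to.
IMPACT_BY_PRIORITY = {1: "High", 2: "High", 3: "Medium", 4: "Low", 5: "Low"}
BLOCKING_IMPACTS = {"High", "Medium"}  # must be fixed before production

# Constructed sample shaped like PMD's XML report; not output from a real scan.
SAMPLE_REPORT = """<pmd xmlns="http://pmd.sourceforge.net/report/2.0.0" version="6.55.0">
  <file name="classes/AccountSearch.cls">
    <violation beginline="12" endline="12" rule="ApexSOQLInjection"
               ruleset="Security" priority="3">
      Avoid untrusted/unescaped variables in DML/SOQL query
    </violation>
    <violation beginline="20" endline="20" rule="ApexCRUDViolation"
               ruleset="Security" priority="3">
      Validate CRUD permission before SOQL/DML operation
    </violation>
  </file>
  <file name="classes/Utils.cls">
    <violation beginline="3" endline="3" rule="AvoidGlobalModifier"
               ruleset="Best Practices" priority="5">
      Global classes should be avoided
    </violation>
  </file>
</pmd>
"""

def parse_findings(report_xml):
    """Return (file, line, rule, impact, message) tuples from a PMD-style XML report."""
    root = ET.fromstring(report_xml)
    findings = []
    for file_el in root.iterfind(".//{*}file"):   # {*} ignores the report namespace
        for v in file_el.iterfind("{*}violation"):
            impact = IMPACT_BY_PRIORITY.get(int(v.get("priority", "5")), "Low")
            findings.append((file_el.get("name"), int(v.get("beginline", "0")),
                             v.get("rule"), impact, (v.text or "").strip()))
    return findings

def release_gate(findings):
    """Return (passed, counts_by_impact); passed is False while High/Medium findings remain."""
    counts = Counter(f[3] for f in findings)
    blocking = sum(counts[i] for i in BLOCKING_IMPACTS)
    return blocking == 0, dict(counts)

if __name__ == "__main__":
    passed, counts = release_gate(parse_findings(SAMPLE_REPORT))
    print("release gate:", "PASS" if passed else "BLOCKED", counts)
```

Run it against the XML report your scanner writes (PMD's `-f xml` output has this shape) as the last step of the release sprint, and fail the pipeline when the gate reports BLOCKED.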
We at CloudElite can work with you to realize the benefits of cloud security testing, and help you build a proper release management process and roadmap.
Reach out to us for a demo, or to learn more about how we have helped companies scale their development lifecycle. Please fill out the form below.