Salesforce holds your most sensitive business data: customer information, financial records, proprietary processes. A security breach isn't just a technical issue—it's a business disaster that can destroy trust and result in regulatory fines.
After auditing hundreds of Salesforce orgs, we've seen the same security gaps repeated over and over. This guide covers the essential security practices that every org should implement, regardless of size or industry.
The Security Model: Understanding the Layers
Salesforce security operates in layers, each protecting different aspects of your data:
- Organization-level: Login IP restrictions, password policies, session settings
- Object-level: Which objects users can access
- Field-level: Which fields users can see or edit
- Record-level: Which specific records users can access (sharing rules, profiles)
Common Security Vulnerabilities We Find
1. Overly Permissive Profiles
Too many orgs use "System Administrator" as a default profile for users who don't need that level of access. This violates the principle of least privilege.
```apex
// Review profile permissions quarterly
// Questions to ask:
// 1. Does this user need "Modify All" on this object?
// 2. Can we use a permission set instead of profile changes?
// 3. Are we using field-level security appropriately?
```
2. SOQL Injection Vulnerabilities
Dynamic SOQL queries built from user input are a major security risk. Always use bind variables.
```apex
// NEVER DO THIS: the search term is concatenated straight into the query text,
// so a quote in the input changes the structure of the query itself
String searchTerm = ApexPages.currentPage().getParameters().get('search');
String query = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + searchTerm + '%\'';
List<Account> accounts = Database.query(query);
```

```apex
// ALWAYS USE BIND VARIABLES: the input is passed as a value, never as query text
String searchTerm = ApexPages.currentPage().getParameters().get('search');
// Build the LIKE pattern inside the bound value, not inside the query string.
// String.escapeSingleQuotes() is only a fallback for code that must concatenate;
// with a bind variable it is unnecessary and would mangle names like O'Neil.
String pattern = '%' + searchTerm + '%';
String query = 'SELECT Id, Name FROM Account WHERE Name LIKE :pattern';
List<Account> accounts = Database.query(query);
```
3. Missing Field-Level Security
Sensitive fields like Social Security Numbers, credit card numbers, or salary information should be protected at the field level, not just object level.
Implementing Field-Level Security
Field-level security (FLS) is your second line of defense. Even if a user can access an Account record, they shouldn't necessarily see all fields.
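As an added example, not code from the original post, here is how the two points above (bind variables against SOQL injection, and FLS enforcement in Apex) combine in one Lightning controller; the class name, method names and the error messages are assumptions, while Account, Name, Industry and AnnualRevenue are standard Salesforce objects and fields.

```apex
// Constructed example, not from the original post. Class and method names are assumed;
// Account and its fields Name, Industry and AnnualRevenue are standard Salesforce fields.
public with sharing class AccountSearchController {

    // Cap the result size so a wildcard-heavy term cannot pull back the whole table.
    private static final Integer MAX_ROWS = 50;

    @AuraEnabled(cacheable=true)
    public static List<Account> searchByName(String searchTerm) {
        if (String.isBlank(searchTerm) || searchTerm.trim().length() < 2) {
            throw new AuraHandledException('Enter at least two characters to search.');
        }

        // User input travels only as a bind value. A user may still type % or _ and
        // widen the LIKE match, but they can never alter the structure of the query.
        Map<String, Object> binds = new Map<String, Object>{
            'pattern' => '%' + searchTerm.trim() + '%',
            'maxRows' => MAX_ROWS
        };

        // The query text itself contains no user data at all.
        String soql = 'SELECT Id, Name, Industry, AnnualRevenue '
                    + 'FROM Account WHERE Name LIKE :pattern '
                    + 'ORDER BY Name LIMIT :maxRows';

        try {
            // USER_MODE enforces object permissions, field-level security and sharing
            // for the running user, so hidden fields cannot leak through this query.
            return (List<Account>) Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
        } catch (System.QueryException e) {
            // Raised when the running user lacks read access to an object or field in the SELECT.
            throw new AuraHandledException('You do not have access to one or more requested fields.');
        }
    }

    // Fallback for code that still runs Database.query in system mode: remove the
    // fields the running user may not read instead of returning them to the client.
    public static List<Account> stripHiddenFields(List<Account> records) {
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, records);
        return (List<Account>) decision.getRecords();
    }
}
```

With USER_MODE the query fails closed when the profile hides a selected field, whereas stripInaccessible degrades gracefully by dropping that field; pick the behaviour that matches how the calling UI handles partial data.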
Record-Level Security: Sharing Rules and Manual Sharing
Understanding when to use sharing rules vs. manual sharing vs. Apex managed sharing is critical for maintaining security while enabling collaboration.
API Security: Protecting Your Integrations
When exposing data via REST or SOAP APIs, implement proper authentication, rate limiting, and input validation.
Security Audit Checklist
- ☑️ Review all profiles quarterly
- ☑️ Audit all Apex classes for SOQL injection
- ☑️ Enable field-level security on sensitive fields
- ☑️ Review sharing rules and OWD settings
- ☑️ Enable login IP restrictions for admin users
- ☑️ Implement two-factor authentication
- ☑️ Review connected app OAuth settings
- ☑️ Audit API access and usage
Need a security audit? Our health checks include comprehensive security reviews. Contact us to schedule an assessment.