Salesforce Release Updates — A Cautionary Tale for Security Teams
On the surface, Salesforce seems like a classic Software-as-a-Service (SaaS) platform. Someone might even argue that Salesforce invented the SaaS market. However, the more people work with the full offering of Salesforce, the more they realize that it goes beyond a traditional SaaS platform's capabilities.
For example, few people talk about managing the security aspects of Salesforce Release Updates. By understanding what Release Updates are, why they pose a security risk, and how security teams can mitigate risk, Salesforce customers can better protect sensitive information.
What are Salesforce Release Updates?
Since Salesforce does not automatically update its platform, it does not follow the traditional SaaS model. For example, most SaaS platforms have two types of releases, security, and product improvements. Urgent security updates are released as soon as a security vulnerability is known, and product improvements are released on fixed dates, such as quarterly or monthly. As part of the SaaS model, the vendor automatically updates the platform.
The update and patching policy benefits the customer and the SaaS provider. The customers don't need to worry about updating the system so they can focus on the core aspects of their business. Meanwhile, the SaaS provider does not need to develop multiple update versions or worry about the most recent version installed by the customer.
Better yet, the SaaS provider does not need to worry that customers will experience a security breach because it automatically installs the security patch for everyone. It just makes everyone's life easier and is one of the reasons that SaaS platforms are immensely popular.
Salesforce Updates Work Differently
Salesforce works differently, very differently. They use a hybrid system that is similar in some ways to traditional software that requires the customer to apply updates until EOL and a modern SaaS platform. Salesforce offers regular seasonal service updates and security updates as needed. However, neither update is implemented automatically.
Salesforce gives admins a "grace period" where they can choose to update the platform. At the end of this period, Salesforce pushes the update through automatically.
For example, Salesforce introduced the Enforce OAuth Scope for Lightning Apps security update in Summer 2021. The provider recommends that organizations apply it by September 2021. However, Salesforce will not enforce it until Winter 2022. This is an important security update, but customers do not need to install it immediately.
Why Salesforce Updates Work Differently
While Salesforce encourages admins to run through a checklist and apply the updates, it realizes that customers rely on the platform's flexibility and that changes can impact the customizations, like custom developments and integrations.
Since any update can be catastrophic for an organization, Salesforce gives customers time to review the update's content and prepare the organization's Salesforce before activating the changes.
What is the importance of Salesforce Security Updates?
The Salesforce Security Updates are, as the name suggests, for security purposes. They are published to fix a security issue, prevent attacks, and strengthen the security posture of a Salesforce tenant. Therefore, customers should install them as soon as possible.
Once Salesforce publishes an update, the vulnerability it is patching becomes general knowledge. This knowledge means the weakness is equal to a common vulnerability or exposure (CVE) but without the assigned number. Bad actors can easily get access to all the information regarding the exposure and create an attack vector that utilizes the published vulnerability. This places all organizations that have not enforced the security update vulnerable to an attack.
Since most attacks are based on known, published, 1-day vulnerabilities, waiting to apply the update creates a data breach risk. All bad actors use 1-day attacks, from script kids to professional ransomware hackers, since weaponizing them is much easier than looking for an unknown vulnerability. Most bad actors look for low-hanging fruits - organizations without updated software or that have lax security.
This is why security professionals call the period from vulnerability until the organization enforcing a security update the golden window for attacks. For that reason, it is critical to update all software to the latest stable version and install security updates as soon as possible.
The case of access control for guest users
This is not just a hypothetical or interesting story. In October of 2020, security researcher Aaron Costello discovered that access control permission settings in Salesforce might allow unauthenticated users ("guest users") to access more information than intended by using cumulative weaknesses in Salesforce, including
- old and not secure Salesforce instances,
- problematic default configurations,
- complicity and advanced abilities of "@AuraEnabled" methods.
Salesforce suggested security measures for guest users, objects, and APIs, while also pushing Security Updates in the following Winter '21 and Spring '21 releases.
Among the Security Updates were Remove View All Users Permission from Guest User Profiles and Reduce Object Permissions for Guest Users.
Both suggestions directly address the security threat's root cause. Problematically, this was too little too late because bad actors had known about the vulnerability since October 2020. By the time Salesforce pushed the updates to the different tenants, the admins needed to activate the updates manually. This means that a customer might have been at risk for anywhere from 6 - 9 months before fixing the vulnerability themselves.
The security team's responsibility for Salesforce Security
While Salesforce provides value to organizations, its approach to managing security updates makes it a unique type of SaaS. Additionally, it is an extremely complex system with thousands of configurations. While many don't seem important to security, they can actually impact a Salesforce tenant's posture.
Therefore, the CISO or security team needs to be involved more than they normally would when managing Salesforce. They need to:
- make sure configurations are done with security in mind,
- monitor changes,
- make sure updates don't worsen the organization's security posture,
- insist that Security Updates are installed as soon as possible
- make sure that the security hygiene of the Salesforce tenant is good.
Fortunately, the category of SaaS Security Posture Management (SSPM) tools address these tasks, and Adaptive Shield is a market-leading solution in this category to enable optimal SaaS security posture automatically.
How can Adaptive Shield help secure Salesforce?
Adaptive Shield understands the complexity of securing Salesforce, among many other SaaS platforms, as Adaptive Shield provides an enterprise's security teams complete control of their organizations' SaaS apps with visibility, detailed insights, and remediation across all SaaS apps.
The platform helps Salesforce admins, CISOs, and security teams track and monitor the settings and configuration updateswith security checks that ensure that the Salesforce tenant is configured and secured properly. This includes monitoring permissions, "@AuraEnabled" methods, API security, and authentication.
Adaptive Shield also provides clear priority-based mitigation information so admins and security teams can swiftly secure the Salesforce tenant to maintain a strong security posture. The Adaptive Shield platform makes the task of securing a Salesforce tenant from cumbersome, complex, and time-consuming — to an easy, clear, quick, and manageable experience. This prevents such vulnerabilities as the example above by breaking the chain of misconfigurations and unenforced updates.