Securi-tea: Integration Checklists & Vetting

Integrating into Salesforce

Third-party apps and integrations can dramatically extend the functionality of your core systems, but they also bring potential risks. Just as you would with a new vendor, it's essential to have a process and a checklist for vetting these applications. This should include a review of the app's permissions, data access requirements, and security history. A systematic approach helps you assess the risks of an integration before it's live, protecting your data and your users. This careful evaluation is key to expanding your tech stack securely.


Pre-Installation

Before hitting 'Install' on any managed or unmanaged package, a thorough security review is non-negotiable. Here's a checklist of items to review. The recent ShinyHunters attacks succeeded because admins at the affected companies installed packages without following any review procedure, so building the items below into your own checklist can help prevent such an attack on your organization.

Package Evaluation & Sourcing

Item: AppExchange Security Review
Details to Check: Verify the app has successfully passed the Salesforce Security Review.
Why It Matters: This is Salesforce's baseline verification for preventing common vulnerabilities. Never install a paid or complex app without this stamp of approval. Treat it as a floor rather than a guarantee: it is a point-in-time review, so re-check it on major version upgrades.

Item: Vendor Reputation
Details to Check: Research the vendor's history, customer reviews, and maintenance frequency. Check their security policy and documentation. Third-party risk rating tools such as BlackKite, Huntress, or Bitsight can help with this analysis.
Why It Matters: A reputable vendor is more likely to maintain and secure their app consistently.

Item: Data Residency & Compliance
Details to Check: Where will the app store your data? Does the vendor meet your regulatory requirements (e.g., GDPR, HIPAA)? Pro-Tip: Ask the vendor for ERDs and landscape diagrams explaining where and how they store your data.
Why It Matters: Crucial for compliance and data sovereignty.

Item: Support & Documentation
Details to Check: Ensure clear documentation exists for installation, configuration, and, most importantly, uninstallation.
Why It Matters: A clear path for removal is essential during security incidents or deprecation.

Item: Procurement & Infosec
Details to Check: Each company has its own set of requirements, such as a security questionnaire or a procurement tool in which you must enter details.
Why It Matters: Working with your procurement and infosec teams adds an extra layer of assurance before installing new packages, by following a repeatable procurement and security review process.

Deep Dive: Unmanaged Packages

Unmanaged packages are different: they bypass the formal AppExchange security review, expose all of their source code to your developers, and cannot be upgraded by the publisher once installed, so every future fix is on you.

Item: Code Review
Action Required: A developer must inspect all Apex classes, triggers, and Visualforce/LWC components for malicious or inefficient code.
Why It Matters: You are accepting full responsibility for this code. Look for hardcoded credentials, SOQL injection (user input concatenated into dynamic queries), and classes declared without sharing, or with no sharing keyword at all, which bypass the running user's record-level security.

Item: Administrative Access
Action Required: Identify and remove any permission sets, profiles, or custom settings that grant unnecessary administrative privileges or Modify All Data.
Why It Matters: Unmanaged code often comes with overly permissive settings that must be pared back.

Item: IP/Ownership
Action Required: Ensure you understand the intellectual property rights and who is responsible for future maintenance and security patches.
Why It Matters: Since the code is now yours, you own the future security burden.
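As an added example (not from the original article, and not from any particular package), here is the kind of Apex a reviewer should flag in an unmanaged package, beside the hardened form. The class names, the Contact fields and the search methods are assumed for illustration; in a real org each class lives in its own .cls file.

```apex
// Added review example; class names, fields and methods are assumed, not from a real package.

// BEFORE: reject this in review.
// 1. No sharing keyword. When this class is the entry point it runs without sharing,
//    so record-level security (sharing rules) is not enforced for the running user.
// 2. The caller's input is concatenated into the query string: SOQL injection.
// 3. Nothing enforces object- or field-level security on the fields selected.
public class ContactLookupVulnerable {
    public static List<Contact> search(String term) {
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE LastName LIKE \'%'
            + term + '%\'';
        // term = "%' OR Email != '" turns the filter into
        //   WHERE LastName LIKE '%%' OR Email != '%'
        // which matches every Contact row the class can reach.
        return Database.query(soql);
    }
}

// AFTER: the hardened form.
public with sharing class ContactLookupHardened {
    public static List<Contact> search(String term) {
        // Bind variable: the value is handed to the query engine separately and
        // can never change the shape of the query.
        String pattern = '%' + term + '%';
        // WITH USER_MODE enforces object- and field-level security for the running
        // user; 'with sharing' above enforces record-level sharing.
        return [SELECT Id, Name, Email FROM Contact
                WHERE LastName LIKE :pattern WITH USER_MODE];
    }

    // When the query must be built dynamically (e.g. the field name comes from
    // configuration), allowlist the identifier and escape the value. Note that
    // String.escapeSingleQuotes() only neutralises quotes; LIKE wildcards (% and _)
    // in the term still act as wildcards, which is usually acceptable for a search.
    public static List<Contact> dynamicSearch(String fieldName, String term) {
        Set<String> allowedFields = new Set<String>{ 'LastName', 'Email', 'Phone' };
        if (!allowedFields.contains(fieldName)) {
            throw new IllegalArgumentException('Field not allowed: ' + fieldName);
        }
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE ' + fieldName
            + ' LIKE \'%' + String.escapeSingleQuotes(term) + '%\' WITH USER_MODE';
        return Database.query(soql);
    }
}
```

The three things to check on every dynamic query in the package are the same: is user input bound or escaped rather than concatenated, does the class declare a sharing mode, and is object/field access enforced (WITH USER_MODE or an explicit Schema describe check).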

OAuth Scopes and API Access

The most significant security vulnerability is often granting an application (or user) more access than it needs. This means that not only must you manage the security of your end users, you must also manage the security of your integration endpoints, service accounts, and connected apps. This applies to both API integrations and package installs.

For external integrations that connect via OAuth 2.0 or a Connected App:

  • Principle of Least Privilege (PoLP): Only select the minimum required OAuth scopes. Note that Salesforce OAuth scopes gate which APIs a token may call, not which records it may touch: a token with the api scope can read and write everything its user can. Data-level least privilege therefore comes from the integration user's profile and permission sets, and the scope list is trimmed on top of that.

    • Examples to Review: api, full, refresh_token, web. The full scope encompasses every other scope and is rarely necessary; avoid it. Grant refresh_token only to integrations that genuinely need long-lived access.

  • IP Restrictions: Set the Connected App's IP Relaxation to "Enforce IP restrictions" and define Login IP Ranges on the integration user's profile that cover only the vendor's published server IP ranges, so a stolen token is useless from anywhere else.

  • Named Credentials: Use Named Credentials (with an External Credential holding the secret) instead of hardcoding API keys or passwords in Apex. The platform stores the secret and injects the authentication for you, so it never appears in source code or version control and can be rotated by an admin without a deployment.
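The Named Credential point above, as an added Apex example (not the article's code). The vendor URL, the bearer header and the Named Credential name 'Vendor_API' are assumed.

```apex
// Added example; endpoint, header and the Named Credential 'Vendor_API' are assumed.

// BEFORE: reject this in review. The key sits in source, visible to every developer
// and every copy of the repo, and rotating it requires a code deployment.
public with sharing class VendorClientHardcoded {
    private static final String API_KEY = 'sk_live_REDACTED_EXAMPLE';

    public static HttpResponse fetchOrders() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example-vendor.com/v1/orders');
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + API_KEY);
        return new Http().send(req);
    }
}

// AFTER: the callout goes through the Named Credential. The secret lives in Setup,
// the platform adds the Authorization header (or a custom header configured on the
// credential), and no Remote Site Setting is needed for the host.
public with sharing class VendorClientNamedCred {
    public static HttpResponse fetchOrders() {
        HttpRequest req = new HttpRequest();
        // 'callout:' + Named Credential name replaces both the hardcoded URL and the key.
        req.setEndpoint('callout:Vendor_API/v1/orders');
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

During review, a grep for `setHeader('Authorization'`, `setEndpoint('https://` and string constants that look like keys or passwords finds the first pattern quickly; anything that is not a `callout:` endpoint deserves a question.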

System Permissions & Profiles

For permissions granted via a package's included Permission Sets:

  • Check "Author Apex" and "View Setup and Configuration": Does the third-party integration absolutely need to execute arbitrary Apex or see all your setup? Restrict this!

  • Object and Field Level Security (OLS/FLS): Verify which objects and fields the integration's profile/permission set can see and modify. Ensure it's scoped only to the data it interacts with.
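The two permission checks above, together with the Administrative Access row of the unmanaged-package table, can be done in one pass with SOQL against the permission objects. This is an added anonymous Apex script, not from the article; the namespace 'vendorpkg' and the choice of Contact as the sensitive object are assumed. Run it from the Developer Console or with `sf apex run --file review.apex` right after installation.

```apex
// Added example: review what a package's permission sets actually grant.
// 'vendorpkg' and the Contact object are assumed for illustration.
String ns = 'vendorpkg';

// 1. System permissions that an integration should almost never hold.
for (PermissionSet ps : [
    SELECT Name, Label, IsOwnedByProfile,
           PermissionsModifyAllData, PermissionsViewAllData,
           PermissionsAuthorApex, PermissionsViewSetup, PermissionsManageUsers
    FROM PermissionSet
    WHERE NamespacePrefix = :ns
]) {
    List<String> flags = new List<String>();
    if (ps.PermissionsModifyAllData) flags.add('Modify All Data');
    if (ps.PermissionsViewAllData)   flags.add('View All Data');
    if (ps.PermissionsAuthorApex)    flags.add('Author Apex');
    if (ps.PermissionsViewSetup)     flags.add('View Setup and Configuration');
    if (ps.PermissionsManageUsers)   flags.add('Manage Users');
    System.debug(ps.Name + ' -> '
        + (flags.isEmpty() ? 'no admin-level flags' : String.join(flags, ', ')));
}

// 2. Object-level access (OLS). Any object beyond those the integration actually
//    touches, and any Modify All Records flag, is a candidate for removal.
for (ObjectPermissions op : [
    SELECT Parent.Name, SobjectType, PermissionsRead, PermissionsCreate,
           PermissionsEdit, PermissionsDelete, PermissionsModifyAllRecords
    FROM ObjectPermissions
    WHERE Parent.NamespacePrefix = :ns
    ORDER BY SobjectType
]) {
    System.debug(op.Parent.Name + ' ' + op.SobjectType
        + ' R=' + op.PermissionsRead + ' C=' + op.PermissionsCreate
        + ' E=' + op.PermissionsEdit + ' D=' + op.PermissionsDelete
        + ' ModifyAllRecords=' + op.PermissionsModifyAllRecords);
}

// 3. Field-level access (FLS) on a sensitive object; confirm it is scoped to the
//    fields the integration reads or writes.
for (FieldPermissions fp : [
    SELECT Parent.Name, Field, PermissionsRead, PermissionsEdit
    FROM FieldPermissions
    WHERE Parent.NamespacePrefix = :ns AND SobjectType = 'Contact'
]) {
    System.debug(fp.Parent.Name + ' ' + fp.Field
        + ' read=' + fp.PermissionsRead + ' edit=' + fp.PermissionsEdit);
}
```

Anything flagged in step 1 should be removed from the permission set (or the permission set should not be assigned to the integration user at all); steps 2 and 3 give you the list to compare against the vendor's stated data requirements from the pre-installation review.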

Managing Integrations Post-Installation

Once installed, security management shifts to monitoring and governance.

Dedicated Integration User

Always assign integration credentials (the profile/permission set) to a dedicated, non-human integration user. This ensures you can track API usage separately from human users and revoke one integration without touching the others. If the integration must authenticate with a password, give it a long random one on a profile whose password policy does not force rotation; where the vendor supports it, prefer an OAuth flow such as JWT bearer with a certificate, so no password is ever shared at all. Salesforce also offers Integration User licenses: your org typically gets a handful free, and additional ones are about $10 PUPM (check with your AE for any discounts). A best practice is one integration account per integration.

Audit Trail Monitoring

Regularly monitor the Setup Audit Trail for changes made by the integration user or system administrator. Pay attention to security-related events like permission changes or profile modifications.

Connected App Monitoring

  1. In Setup, search for "Connected Apps OAuth Usage". Review the usage report to identify stale integrations that haven't been used in a while and revoke their tokens.

  2. Regular Re-evaluation: Schedule an annual or bi-annual review of all third-party apps and integrations to confirm they are still necessary, have current security standards, and adhere to the Principle of Least Privilege.

  3. Event Monitoring: Sadly, this amazing tool from Salesforce starts at 10% of your net contract value (30% if part of a SHIELD purchase) and is not included by default. Cost aside, being able to see every event detail for different APIs, executions, and more in a CRMA dashboard is incredibly powerful. It captures information like who accessed what data, from where, and how long certain processes, such as report runs or Apex executions, took to complete. You can use this to analyze user and integration behavior, perform security audits, and troubleshoot performance issues.
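As an added example covering both the Audit Trail Monitoring and Connected App Monitoring points above (not from the article), this anonymous Apex script queries the objects behind those Setup pages: OauthToken, which backs the Connected Apps OAuth Usage page, and SetupAuditTrail. The 90-day threshold, the integration username, the Section values used as a filter, and the assumption that deleting an OauthToken record revokes that token are all assumptions of the example; the running user needs View Setup and Configuration and Manage Users to read these objects.

```apex
// Added example: find stale Connected App tokens and review security-relevant setup
// changes. Threshold, username and Section values are assumed.
Integer staleDays = 90;
Datetime cutoff = Datetime.now().addDays(-staleDays);
String integrationUser = 'integration.vendor@example.com';

// 1. Each OauthToken row is a refresh token still able to mint access tokens for
//    that user/app pair. Anything unused for 90 days is a candidate for revocation.
for (OauthToken tok : [
    SELECT AppName, User.Username, LastUsedDate, UseCount, CreatedDate
    FROM OauthToken
    WHERE LastUsedDate < :cutoff OR LastUsedDate = null
    ORDER BY LastUsedDate NULLS FIRST
]) {
    System.debug('STALE ' + tok.AppName + ' / ' + tok.User.Username
        + ' last used ' + tok.LastUsedDate + ' (' + tok.UseCount + ' uses)');
    // Deleting the record revokes the token (assumed behaviour of the OauthToken
    // object). Left commented so the script is read-only by default; uncomment only
    // after confirming with the app owner that the integration is retired.
    // delete tok;
}

// 2. Setup Audit Trail: changes made by the integration user, or changes in the
//    sections that affect integrations, over the last 7 days. The Section strings
//    are assumed; check the values your org actually records.
for (SetupAuditTrail sat : [
    SELECT CreatedDate, CreatedBy.Username, Section, Action, Display
    FROM SetupAuditTrail
    WHERE CreatedDate = LAST_N_DAYS:7
      AND (CreatedBy.Username = :integrationUser
           OR Section IN ('Manage Users', 'Connected Apps', 'Named Credentials'))
    ORDER BY CreatedDate DESC
]) {
    System.debug(sat.CreatedDate + ' ' + sat.CreatedBy.Username
        + ' [' + sat.Section + '] ' + sat.Display);
}
```

An integration user should never appear as CreatedBy in the audit trail: it has no reason to change setup, so any hit in the second query is worth an immediate look, as is any new token minted for an app you did not onboard through the checklist.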

Recap & Next Week’s article

While proactive vetting is your best defense, security incidents can still occur. In our next article, we'll shift focus from prevention to response, diving deep into the critical processes of Incident Response and building effective Incident Playbooks tailored specifically for your CRM. Don't miss out on the steps necessary to contain, eradicate, and recover from a platform security breach!
