Securi-tea: Integration Checklists & Vetting

Integrating into Salesforce

Third-party apps and integrations can dramatically extend the functionality of your core systems, but they also bring potential risks. Just as you would with a new vendor, it's essential to have a process and a checklist for vetting these applications. This should include a review of the app's permissions, data access requirements, and security history. A systematic approach helps you assess the risks of an integration before it's live, protecting your data and your users. This careful evaluation is key to expanding your tech stack securely.


Pre-Installation

Before hitting 'Install' on any managed or unmanaged package, a thorough security review is non-negotiable. Here's a checklist of items to review. The recent ShinyHunters attacks occurred because admins at the affected companies installed packages without following any review procedure, so building the items below into your checklist can help prevent such an attack on your organization.

Package Evaluation & Sourcing

Deep Dive: Unmanaged Packages

Unmanaged Packages are different; they bypass the formal AppExchange security review and expose all source code to your developers.

OAuth Scopes and API Access

The most significant security vulnerability is often granting an application (or user) more access than it needs. This means that you must manage not only the security of your end users, but also the security of your integration endpoints, service accounts, and connected applications. This applies to both API integrations and package installs.

For external integrations that connect via OAuth 2.0 or a Connected App:

  • Principle of Least Privilege (PoLP): Only select the minimum required OAuth Scopes. For instance, if an app only needs to read contact data, do not grant full or modify_all scope.

    • Examples to Review: api, full, refresh_token, web. The full scope is rarely necessary and should be avoided.

  • IP Restrictions: Implement IP Allowlisting on the Connected App level to restrict API access to only the vendor's known server IP ranges.

  • Named Credentials: Use Named Credentials instead of hardcoding API keys or passwords. They handle authentication securely and often automatically.

System Permissions & Profiles

For permissions granted via a package's included Permission Sets:

  • Check "Author Apex" and "View Setup and Configuration": Does the third-party integration absolutely need to execute arbitrary Apex or see all your setup? Restrict this!

  • Object and Field Level Security (OLS/FLS): Verify which objects and fields the integration's profile/permission set can see and modify. Ensure it's scoped only to the data it interacts with.

Managing Integrations Post-Installation

Once installed, security management shifts to monitoring and governance.

Dedicated Integration User

Always assign integration credentials (the profile/permission set) to a dedicated, non-human integration user with a complex, non-expiring password. This ensures you can track API usage separately from human users. A few years ago Salesforce released integration-only licenses; your org typically gets a handful free, and additional ones are about $10 PUPM (check with your AE for any discounts). A best practice is one integration account per integration.

Audit Trail Monitoring

Regularly monitor the Setup Audit Trail for changes made by the integration user or system administrator. Pay attention to security-related events like permission changes or profile modifications.
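As an added example (not from the Securi-tea article), the script below shows what "monitor the Setup Audit Trail for changes made by the integration user" looks like once automated. It assumes the audit trail has been exported with the standard SetupAuditTrail fields (Action, Section, Display, CreatedDate, CreatedBy.Username); the rows, the list of sensitive sections and the `int.` username prefix for integration users are all constructed for illustration.

```python
"""Flag security-sensitive Setup Audit Trail entries made by integration users.

A dedicated, API-only integration user should never appear in Setup Audit
Trail. If it does, especially in a permission, profile or Connected App
section, something has granted it setup access it should not have.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export (column names follow SetupAuditTrail; values are made up).
SAMPLE_CSV = """CreatedDate,CreatedBy.Username,Section,Action,Display
2024-05-01T09:12:00Z,admin@example.com,Customize Accounts,createdCustomField,Created custom field Region on Account
2024-05-01T11:40:00Z,int.billing@example.com,Manage Users,PermSetAssign,Assigned permission set Author Apex Access to user int.billing
2024-05-02T02:05:00Z,int.billing@example.com,Connected Apps,changedConnectedAppOAuthPolicy,Changed OAuth policy on connected app Billing Sync
2024-05-02T08:00:00Z,admin@example.com,Manage Users,changedProfile,Changed profile for user jane@example.com
2024-05-03T03:30:00Z,int.billing@example.com,Security Controls,changedIpRanges,Removed login IP range on profile Integration
"""

# Sections that carry permission, profile and integration-access changes (constructed list;
# extend it to match the section names your own org's audit trail actually shows).
SENSITIVE_SECTIONS = {"Manage Users", "Profiles", "Security Controls", "Connected Apps"}

# Naming convention this example assumes for dedicated integration users.
INTEGRATION_USER_PREFIX = "int."


def parse_rows(text):
    """Parse an exported audit trail CSV into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _created_at(row):
    # Salesforce exports UTC timestamps with a trailing Z; make them tz-aware.
    return datetime.fromisoformat(row["CreatedDate"].replace("Z", "+00:00"))


def within_days(rows, now, days=7):
    """Keep only entries newer than `now - days`, for a rolling review window."""
    cutoff = now - timedelta(days=days)
    return [r for r in rows if _created_at(r) >= cutoff]


def flag_entries(rows, integration_prefix=INTEGRATION_USER_PREFIX):
    """Return audit entries where an integration user touched a sensitive section."""
    return [
        r for r in rows
        if r["CreatedBy.Username"].startswith(integration_prefix)
        and r["Section"] in SENSITIVE_SECTIONS
    ]


def changes_per_user(rows):
    """Count setup changes by user; a non-zero count for an integration user is itself a finding."""
    return Counter(r["CreatedBy.Username"] for r in rows)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for r in flag_entries(rows):
        print(f'{r["CreatedDate"]} {r["CreatedBy.Username"]} [{r["Section"]}] {r["Display"]}')
```

Run it against a real export by replacing `SAMPLE_CSV` with the file contents; the review loop then becomes: pull the last N days, flag any integration-user entry in a sensitive section, and confirm each one against a change ticket.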

Connected App Monitoring

  1. In Setup, navigate to Connected Apps Usage. Review the OAuth Usage report to identify stale integrations that haven't been used in a while and revoke their access.

  2. Regular Re-evaluation: Schedule an annual or bi-annual review of all third-party apps and integrations to confirm they are still necessary, have current security standards, and adhere to the Principle of Least Privilege.

  3. Event Monitoring: Sadly, this amazing tool from Salesforce starts at 10% of your net contract value (30% if part of a SHIELD purchase) and is not included by default to secure your org. Cost aside, being able to see every event detail for different APIs, executions, and more in a CRMA dashboard is incredibly powerful. It captures information like who accessed what data, from where, and how long certain processes, such as report runs or Apex executions, took to complete. You can utilize this to analyze user/integration behavior, perform security audits, and troubleshoot performance issues.
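The periodic re-evaluation above, the OAuth scope and IP allowlisting checks from the pre-installation section, and the one-account-per-integration rule can all be applied to a single inventory of Connected Apps. The script below is an added example, not part of the article or any Salesforce tooling; it assumes you have assembled that inventory by hand from the Connected Apps OAuth Usage report and each app's OAuth policy page. The app names, users, scopes and dates are constructed, as is the `int.` naming convention for dedicated integration users.

```python
"""Review a Connected App inventory for least-privilege and staleness findings."""
from collections import Counter
from datetime import date

# Constructed inventory. In practice: one row per Connected App, filled from the
# OAuth Usage report (last used, running user) and the app's OAuth policy (scopes, IP rules).
INVENTORY = [
    {"app": "Billing Sync", "user": "int.billing@example.com",
     "scopes": {"api", "refresh_token"}, "last_used": "2024-04-28", "ip_allowlist": True},
    {"app": "Legacy Survey Tool", "user": "admin@example.com",
     "scopes": {"full", "refresh_token", "web"}, "last_used": "2023-09-14", "ip_allowlist": False},
    {"app": "Marketing Connector", "user": "int.marketing@example.com",
     "scopes": {"api"}, "last_used": "2024-05-01", "ip_allowlist": False},
    {"app": "Marketing Reports", "user": "int.marketing@example.com",
     "scopes": {"api"}, "last_used": "2024-05-02", "ip_allowlist": True},
]

# Scopes the article singles out for scrutiny; 'full' is rarely necessary.
BROAD_SCOPES = {"full", "web"}
STALE_AFTER_DAYS = 90
INTEGRATION_USER_PREFIX = "int."  # assumed naming convention, not a Salesforce rule


def review(inventory, today, stale_after=STALE_AFTER_DAYS):
    """Return {app name: [finding codes]} for every app in the inventory."""
    # Count apps per running user so reuse of one integration account is visible.
    apps_per_user = Counter(app["user"] for app in inventory)
    findings = {}
    for app in inventory:
        issues = []
        broad = app["scopes"] & BROAD_SCOPES
        if broad:
            issues.append("broad-scope:" + ",".join(sorted(broad)))
        last_used = date.fromisoformat(app["last_used"])
        if (today - last_used).days > stale_after:
            issues.append("stale")
        if not app["ip_allowlist"]:
            issues.append("no-ip-allowlist")
        if not app["user"].startswith(INTEGRATION_USER_PREFIX):
            issues.append("human-user")
        elif apps_per_user[app["user"]] > 1:
            issues.append("shared-integration-user")
        findings[app["app"]] = issues
    return findings


def revoke_candidates(findings):
    """Apps that are stale: the ones the article says to revoke after review."""
    return sorted(name for name, issues in findings.items() if "stale" in issues)


if __name__ == "__main__":
    for name, issues in review(INVENTORY, date(2024, 5, 3)).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

Each finding code maps to one checklist item: `broad-scope` to the OAuth scope review, `no-ip-allowlist` to Connected App IP restrictions, `human-user` and `shared-integration-user` to the dedicated integration user rule, and `stale` to the OAuth Usage review. Treat the output as a work list for the annual or bi-annual re-evaluation rather than as something to act on automatically.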

Recap & Next Week’s article

While proactive vetting is your best defense, security incidents can still occur. In our next article, we'll shift focus from prevention to response, diving deep into the critical processes of Incident Response and building effective Incident Playbooks tailored specifically for your CRM. Don't miss out on the steps necessary to contain, eradicate, and recover from a platform security breach!
