Securi-Tea Newsletter Series launch

You may have seen the headlines recently. A new, sophisticated wave of cyberattacks has targeted the Salesforce environments of major, high-profile companies across various industries, including Google, Adidas, Chanel, and Qantas. The threat actors, a group linked to the notorious ShinyHunters, didn't exploit a vulnerability in the Salesforce platform itself. Instead, they used a far more dangerous weapon: social engineering.

These attacks utilized "vishing," or voice phishing, where hackers impersonated IT support staff. They convinced employees to grant them access by authorizing malicious connected apps, often disguised as legitimate tools like a fake Data Loader. Once approved, these apps gave the attackers API-level access to the company's Salesforce data, allowing them to exfiltrate vast amounts of sensitive customer information.

This series of events serves as a stark reminder that even the most secure platforms are only as strong as the people and processes that protect them. These recent attacks compelled me to share my knowledge with others, gained from over a decade of working on Salesforce orgs in highly regulated industries such as healthcare, financial technology, insurance, and asset management.

This newsletter series is designed to be one of many resources you use to secure your Salesforce org. We'll go beyond the headlines and provide actionable insights into every aspect of security. Once a week, I will post a new newsletter covering one of the topics listed below. As each newsletter is published, I will update the table of contents below so it serves as a directory for navigating to each category's topics.

The topics for this newsletter series will broadly consist of behavioral security, authentication, user access management, data management, and secure coding.

Table of Contents

Behavioral Security

We'll look at the broader security posture of your Salesforce applications, from conducting periodic security reviews to establishing formal incident response and business continuity plans. We'll discuss the importance of threat modeling and documenting potential risks. The upcoming newsletters for this section will cover:

Behavioral Newsletter 1 - User Training, End User Best Practices, Team Assessment, Partner Assessment

Behavioral Newsletter 2 - Integration Governance, Comprehensive Review Process, Incident Response Plan

Behavioral Newsletter 3 - Incident Playbook, Security Contacts, Business Continuity Plan, Detection Tools

Behavioral Newsletter 4 - Security Investigation, Security Requirements, Conclude Behavioral

Authentication

We'll dive into how your users, both internal and external, authenticate. This includes leveraging modern Multi-Factor Authentication (MFA) methods, understanding the role of "break glass" accounts, and defining robust password and network policies. We'll also cover the security of integration user accounts. The upcoming newsletters for this section will cover:

Authentication Newsletter 1 - Authentication for Admins, Break Glass Accounts, and Internal Users

Authentication Newsletter 2 - Environmental SSO, strong MFA

Authentication Newsletter 3 - External Users Authentication

Authentication Newsletter 4 - Mobile Device Management, Password policies, IP Range policies

Authentication Newsletter 5 - Credential Storage, Integration Accounts, and Permissions

User Access Management

This is about controlling what users can do once they are in your org. We'll discuss defining a security matrix, applying the Principle of Least Privilege, and implementing processes for user provisioning and deprovisioning. We'll also cover API access control and monitoring user behavior for unusual activity. The upcoming newsletters for this section will cover:

User Access Management Newsletter 1 - Security Matrix

User Access Management Newsletter 2 - Separation of Duties, Sharing, Profiles, and Permission Sets

User Access Management Newsletter 3 - Security governance, Setup Audit Trail, JIT Provisioning

User Access Management Newsletter 4 - User Onboarding, User Offboarding, User monitoring

User Access Management Newsletter 5 - Sandbox access, API Access control, connected apps

Data Management

Your data is your most valuable asset. This section will focus on protecting it through regular backups, data classification, encryption, and controlling production data in sandbox environments. We will also discuss compliance requirements like HIPAA or GDPR and data destruction processes. The upcoming newsletters for this section will cover:

Data Management Newsletter 1 - Data & Metadata Backup

Data Management Newsletter 2 - Data Policies, Data Classification & Sensitivity, Data Storage

Data Management Newsletter 3 - Encryption at Rest, Production Change Management, Data Mask

Data Management Newsletter 4 - Regulatory Compliance, Data Destruction, and Change Logs

Data Management Newsletter 5 - Salesforce Files & Attachments

Secure Coding

For developers, security starts with code. We will review best practices for writing secure Apex and Visualforce, mitigating common vulnerabilities like SOQL injection, and using automated static code analysis tools. We'll also discuss the importance of integrating security into your CI/CD pipelines. The upcoming newsletters for this section will cover:

Secure Coding Newsletter 1 - Developer Expertise and Training

Secure Coding Newsletter 2 - DevOps Processes and Automation

Secure Coding Newsletter 3 - Vulnerability Management

Secure Coding Newsletter 4 - Policy Alignment & Planning

Security Series Goal

Protect your Salesforce environment

The recent breaches prove that a strong security foundation is non-negotiable. It requires more than just enabling a few settings; it demands a strategic, proactive approach that encompasses technology, process, and people.

My goal for this series is to provide you with the knowledge and tools you need to build a truly secure Salesforce environment, safeguarding your company and your customers. Have any questions or suggestions? Feel free to reply to this email with your thoughts.

Zach