Back to Blog
Becoming a Salesforce Security Champion: steps to get you started

Becoming a Salesforce Security Champion: steps to get you started

Claudia Orecchioni

Why every Salesforce development team needs a Security Champion.

Security Champion is a concept made popular by the Open Web Application Security Project: it's a member of the development team that take direct responsibility in security and actively promote security best practices.

With more and more data moving to the cloud, the need for awareness and discipline around security has never been so relevant. In one of our most popular posts, we estimate that 30% of organisations live with security problems in their Salesforce orgs that could yield to data leaks, compliance problems and significant reputation damage.

Security Champions can make a real difference

The concept of Security Champion isn’t typically heard of in Salesforce teams. Yet, there is a strong, growing need for such figures. At Clayton, we work with Security Champions every day, helping them take control of security during all stages of development. This article is largely inspired by our experience and shares a repeatable approach, as well as tips and tricks, to give you a head start to becoming a Security Champion.

Step 1: educate and promote best practices

As an expert and an advocate on security topics, the Security Champion plays a key role in promoting a security culture by raising awareness and educating team members on best practices. When working with the Salesforce platform, there are different facets of security. Education requires speaking with different types of stakeholders, at different levels of abstraction, which is in itself a challenging task. We have collected some resources that you can share with different team members, to make your education job easier.

Resources for your Salesforce Developers

Customisations are a source of security risk. All custom developments may potentially introduce security problems and vulnerabilities, which is why it’s crucial that all developers in your team understand security well. There is a wealth of great resources out there, from accessible Trailhead modules to advanced, in-depth, Dreamforce sessions. Here are some of our favourites:

Resources for your Salesforce Administrators

Due to its extreme flexibility in configuration, Salesforce admins also play a very important in maintaining good security practices. Salesforce has a multitude of features and resources that have important security ramifications: from access control, password policies, identity management and access, etc.

A checklist to get you started

  • Create a knowledge base for your team.
  • Create a space to communicate within and outside your team. Slack channels, Chatter and company newsletters are great ways to keep people engaged.
  • Maintain interest in security topics by promoting workshops, training, interactive quiz.
  • Add a “Security 101” module to your developers’ induction training.
  • Give regular updates on plans, achievements and show appreciation for your team members that make a difference.
  • Periodically report on updates to your management, to keep them actively engaged in the topic.

Step 2: perform regular security assessments

Conducting security reviews and assessments of your Salesforce applications is core to the role of every security champion. Every team should carry security assessments regularly, and take them very seriously. Many tools are already on the market and can help you in performing this task. We will present some of them, exploring in deep their capabilities and pros and cons in one of our next articles.

A checklist to get you started

  • Plan regular security assessments. Create a shared calendar and make sure they are continuously performed and tracked.
  • Track confirmed problems by severity in your product backlogs.
  • Create a specific epic for security-related topics. It helps tracking, planning and reporting.
  • Document the assessments process in your knowledge base to keep it repeatable

Step 3: secure your Salesforce development lifecycle

If you want to take security to the next level, you need to embed continuous vulnerability scanning as part of your development lifecycle (DevSecOps).

This makes security testing a stage every change goes through, just like passing unit tests. DevSecOps tools are specially important if you work in a regulated sector, work extensively with sensitive data, or are willing to certify your security to standards such as ISO 27001 or SOC 2.

Share on social media: 
Clayton Logo

Clayton stops 1679 vulnerabilities and bugs, every day.

Join 500+ Salesforce teams and unlock your best engineering.
Start Free
Up and running in clicks. No credit card required.

More from the Blog

Webinar - Salesforce Well-Architected: A Guide for Implementation

How can you ensure that your Salesforce implementations adhere to these best practices? Join us in our next webinar.

Read Story

Watch The Video - The Path to Modern DevSecOps: A Story from MTX Group

Join us for an exclusive webinar with MTX Group as we unveil their remarkable path to modern DevSecOps.

Read Story

World Class Salesforce Engineering Teams Manage Developers Differently

Insights and metrics to measure developers’ productivity in the Salesforce ecosystem.

Read Story