New
We have updated our Terms of Service, Privacy Policy and Terms of Use. Review.
Back to Blog
Becoming a Salesforce Security Champion: steps to get you started

Becoming a Salesforce Security Champion: steps to get you started

Claudia Orecchioni

Why every Salesforce development team needs a Security Champion.

Security Champion is a concept made popular by the Open Web Application Security Project: it's a member of the development team that take direct responsibility in security and actively promote security best practices.

With more and more data moving to the cloud, the need for awareness and discipline around security has never been so relevant. In one of our most popular posts, we estimate that 30% of organisations live with security problems in their Salesforce orgs that could yield to data leaks, compliance problems and significant reputation damage.

Security Champions can make a real difference

The concept of Security Champion isn’t typically heard of in Salesforce teams. Yet, there is a strong, growing need for such figures. At Clayton, we work with Security Champions every day, helping them take control of security during all stages of development. This article is largely inspired by our experience and shares a repeatable approach, as well as tips and tricks, to give you a head start to becoming a Security Champion.

Step 1: educate and promote best practices

As an expert and an advocate on security topics, the Security Champion plays a key role in promoting a security culture by raising awareness and educating team members on best practices. When working with the Salesforce platform, there are different facets of security. Education requires speaking with different types of stakeholders, at different levels of abstraction, which is in itself a challenging task. We have collected some resources that you can share with different team members, to make your education job easier.

Resources for your Salesforce Developers

Customisations are a source of security risk. All custom developments may potentially introduce security problems and vulnerabilities, which is why it’s crucial that all developers in your team understand security well. There is a wealth of great resources out there, from accessible Trailhead modules to advanced, in-depth, Dreamforce sessions. Here are some of our favourites:

Resources for your Salesforce Administrators

Due to its extreme flexibility in configuration, Salesforce admins also play a very important in maintaining good security practices. Salesforce has a multitude of features and resources that have important security ramifications: from access control, password policies, identity management and access, etc.

A checklist to get you started

  • Create a knowledge base for your team.
  • Create a space to communicate within and outside your team. Slack channels, Chatter and company newsletters are great ways to keep people engaged.
  • Maintain interest in security topics by promoting workshops, training, interactive quiz.
  • Add a “Security 101” module to your developers’ induction training.
  • Give regular updates on plans, achievements and show appreciation for your team members that make a difference.
  • Periodically report on updates to your management, to keep them actively engaged in the topic.

Step 2: perform regular security assessments

Conducting security reviews and assessments of your Salesforce applications is core to the role of every security champion. Every team should carry security assessments regularly, and take them very seriously. Many tools are already on the market and can help you in performing this task. We will present some of them, exploring in deep their capabilities and pros and cons in one of our next articles.

A checklist to get you started

  • Plan regular security assessments. Create a shared calendar and make sure they are continuously performed and tracked.
  • Track confirmed problems by severity in your product backlogs.
  • Create a specific epic for security-related topics. It helps tracking, planning and reporting.
  • Document the assessments process in your knowledge base to keep it repeatable

Step 3: secure your Salesforce development lifecycle

If you want to take security to the next level, you need to embed continuous vulnerability scanning as part of your development lifecycle (DevSecOps).

This makes security testing a stage every change goes through, just like passing unit tests. DevSecOps tools are specially important if you work in a regulated sector, work extensively with sensitive data, or are willing to certify your security to standards such as ISO 27001 or SOC 2.

Share on social media: 

Get ahead.

Join 1000+ Salesforce professionals who receive critical reading, insights and expertise written just for them, from the team at Clayton. Once a week.
Unsubscribe with one click.

More from the Blog

Making your boss care about technical debt

It's not always easy to get your boss on your side to take action against technical debt. Here are 3 things your boss will most certainly care about.

Read Story

Understand, Assess And Manage Your Salesforce Technical Debt

Our first handbook looks at the state of technical debt in the Salesforce ecosystem and contains tips on how to address it.

Read Story

What we learnt scanning 10.2 billion lines of Salesforce code

As we hit our first 10 billion lines of code reviewed, we look at some of the things we have learnt about the Salesforce ecosystem.

Read Story