
Low-Code Security Alliance Forms to Address Critical Salesforce Security Concerns

In a significant development for the Salesforce ecosystem, a group of 15 leading Salesforce and security specialists have joined forces to create the Low-Code Security Alliance (LCSA). This consortium, dedicated to promoting security education and awareness in low-code development environments, comes at a crucial time when Salesforce security is gaining increased attention in the industry.

The formation of the LCSA coincides with today’s announcement that Gearset, the popular Salesforce DevOps platform, has acquired Clayton, a specialized code analysis platform for Salesforce. This acquisition further underscores the growing importance of security in the Salesforce development lifecycle and aligns with the LCSA’s mission to address what they describe as a “bomb waiting to go off” in Salesforce security.

Andrew Davis, AutoRABIT Chief Product Officer and LCSA co-founder, emphasized the urgency of the situation: “Low-code systems now power some of the world’s most sensitive business applications. Security of low-code applications has received little attention, but we are seeing a sharp rise in vulnerabilities and serious risk of cyberattacks targeting these systems. IT and security leaders need to be much more engaged in securing these low-code applications.”

John Crimmings, a senior Salesforce DevOps thinker at Slalom Consulting and LCSA member, highlighted the disconnect between Salesforce teams and corporate IT security: “There is this almost a veil of ignorance between IT InfoSec groups at an enterprise level and Salesforce, where there’s a sense of ‘I don’t want to know what I don’t know.’ Because if I knew what actually was accessible by whom, it would put a lot of orgs in a really tough spot.”

Salesforce Application Security Areas of Concern

The LCSA has identified several key areas of concern in Salesforce security:

  1. Misunderstanding of the Shared Responsibility Model: Many organizations fail to grasp that while Salesforce secures its platform, the security of applications built on top of it is the customer’s responsibility.
  2. Excessive Permissions: Overly broad access controls and system administrator privileges are often granted without proper oversight.
  3. Insecure Configurations: Salesforce Communities and Digital Experiences are frequently misconfigured, potentially exposing sensitive data.
  4. Code-level Vulnerabilities: Custom Apex code and APIs can introduce security risks if not properly developed and reviewed.
  5. Lack of Security Training: There is insufficient security awareness and education among Salesforce developers and administrators.

Plans for the Future

The LCSA plans to expand its efforts beyond its initial white paper, “Securing Salesforce: The Hard Truths About Shared Responsibility.” Future initiatives include:

  1. Providing comprehensive training programs on Salesforce security best practices.
  2. Developing low-code security enablement resources for organizations.
  3. Hosting webinars and conferences to foster knowledge sharing within the community.
  4. Collaborating with Salesforce and other stakeholders to improve security features and guidance.

As part of their launch efforts, the LCSA will be present at Dreamforce, Salesforce’s annual conference, where they plan to distribute 1,500 paper copies of their white paper to attendees.

Readers are encouraged to visit the LCSA website at lowcodesecurityalliance.org.

SalesforceDevops.net is a Member

Vernon Keenan, industry analyst and founder of SalesforceDevops.net, is pleased to announce his founding membership in this important new industry organization. Recognizing the critical nature of Salesforce security, Keenan stated, “I’ve been tracking and discussing this issue since day one as an analyst in the space. The formation of the LCSA is a crucial step in addressing the security challenges faced by Salesforce customers.”

To support the LCSA’s educational efforts, SalesforceDevops.net will be publishing a two-part series of articles by John Crimmings on the topic of Salesforce Application Security. This series aims to provide in-depth insights and practical guidance for organizations looking to enhance their Salesforce security posture.

The formation of the Low-Code Security Alliance marks a significant milestone in addressing the growing security concerns within the Salesforce ecosystem. As low-code development continues to rise in popularity, the LCSA’s efforts to educate and guide organizations on security best practices will be crucial in preventing potential data breaches and ensuring the integrity of business-critical applications built on the Salesforce platform.
