DevSecOps is Now Increasing Speed and Security for Salesforce
DevSecOps will also make low-code and no-code development much easier.

As SaaS and DevOps expanded their relationships, new teams were formed to address new security challenges. Traditional solutions weren’t built to detect the new vulnerabilities and created noise for an already stressed pool of resources.

The combination of new and false vulnerabilities ends up increasing security problems and slowing DevOps projects. The good news is that recent developments in security and visibility are now increasing speed and improving visibility.

The industry firm Gartner forecasts spending on public cloud services to reach $396 billion in 2021 and to increase by 22 percent to reach $482 billion in 2022. Software-as-a-service (SaaS) applications based in the cloud have exploded, with the market growing 18 percent each year and 99 percent of organizations using one or more SaaS applications by the end of this year.

According to industry data, CIOs believe that agility and scalability are the top reasons driving the migration and use of SaaS. In particular, Salesforce alone grew from $161 billion in January 2020 to $251 billion in September 2021.

What does this mean for security, especially for personally identifiable information (PII) and business data in the enterprise? SaaS data includes, but is not limited to, customers’ sensitive PII and payment information; increasingly SaaS applications also house mission-critical enterprise information including product plans, patent information, business and operational processes, and human resource records.

The extensive data held in SaaS applications presents huge security risks and costs for organizations globally. The average cost of a data breach exceeded $4.2 million, the most in the 17-year history of the IBM “Cost of a Data Breach” report, and nearly half of the breaches involved compromised PII, the costliest record type to lose, at $180 per stolen record, an increase from $146 per record in 2020.

SaaS Offers New Ways to Do Business But Introduces Significant Risk

A recent DarkReading article discussed the problem in relation to one of the most popular SaaS applications, Salesforce. Analyst Keenan Vernon explained how Salesforce DevOps Needs Guardrails.

“Some companies go too fast when it comes to SaaS, DevOps, and security, but smart developers and implementers will respect some basic guidelines to keep their product safe.”

A recent eWeek report highlighted a new DigitSec solution purpose-built to address DevSecOps for the SaaS solution Salesforce. Frank J. Ohlhorst, Technology Futurist, Emerging Technology Analyst, states that DigitSec S4 “reduces burdens on developers of Salesforce applications and helps to deliver secure applications that follow security best practices.”

A few weeks later, InCountry’s Chief Security executive explained how their teams were able to reduce their DevOps hours by 1000 hours in 5 months. His report included extensive explanations of how InCountry improved security and accelerated DevOps projects globally.

The general-purpose solutions were slowing DevOps and had weakened visibility.

General-purpose application security testing tools were not designed for the Salesforce environment. Instead, the patchwork of tools must be replaced with a continuous integration and deployment (CI/CD) approach. Specific steps include:

1. Check all local and remote libraries. Only checking configurations and access controls, which focuses mostly on insider threats, misses application vulnerabilities from custom development or app downloads that could open up your SaaS services to external threat actors.

2. Carefully and routinely check third-party software libraries. If you are only testing source code, but ignoring third-party software libraries, you are only securing half of your software application attack surface. CVEs are publicly reported every day on commonly used open-source software libraries, showing attackers a direct path to compromise those key components. Running a software composition analysis (SCA) regularly to check all your locally bundled and remotely referenced libraries is a key step in achieving a secure software supply-chain status.

3. Static source code analysis, or SAST, can often miss cross-site scripting (XSS) or SOQL/SOSL injection on the Salesforce platform.
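
One way to start the library inventory that steps 1 and 2 call for, shown as an added example that is not from the original article or any vendor tool: a Python sketch that lists remotely referenced and locally bundled script libraries in Visualforce markup so they can be handed to an SCA tool. The sample page, the static resource names, the CDN host and the function name `inventory_libraries` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed Visualforce markup; resource names and URLs are illustrative only.
SAMPLE_PAGE = '''
<apex:page controller="AccountSearchController">
  <script src="https://cdn.example.com/jquery/1.12.4/jquery.min.js"></script>
  <apex:includeScript value="{!URLFOR($Resource.bootstrap_3_3_7, 'js/bootstrap.min.js')}"/>
  <apex:includeScript value="{!$Resource.moment_2_18_1}"/>
  <apex:includeScript value="//cdn.example.com/lodash/4.17.4/lodash.min.js"/>
  <script>var inline = true;</script>
</apex:page>
'''

# src= on plain <script> tags and value= on <apex:includeScript> both load code.
REF_RE = re.compile(
    r'<(?:script|apex:includeScript)\b[^>]*?\b(?:src|value)\s*=\s*"([^"]+)"',
    re.IGNORECASE)
RESOURCE_RE = re.compile(r'\$Resource\.(\w+)')
VERSION_RE = re.compile(r'(\d+(?:[._]\d+){1,3})')


def inventory_libraries(markup):
    """Return one dict per script library reference found in the markup."""
    found = []
    for ref in REF_RE.findall(markup):
        res = RESOURCE_RE.search(ref)
        if res:
            # Locally bundled: a static resource deployed with the org's metadata.
            kind, name = "local", res.group(1)
        else:
            # Protocol-relative URLs ("//host/...") are remote too; no host = local path.
            parsed = urlparse("https:" + ref if ref.startswith("//") else ref)
            kind = "remote" if parsed.netloc else "local"
            name = parsed.netloc + parsed.path
        ver = VERSION_RE.search(name)
        found.append({
            "kind": kind,
            "name": name,
            "version": ver.group(1).replace("_", ".") if ver else None,
        })
    return found


if __name__ == "__main__":
    for lib in inventory_libraries(SAMPLE_PAGE):
        print(lib)
```

The result is an inventory only; matching each name and version against published advisories remains the job of the SCA tool.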

New solutions built to enhance security and visibility can have significant business impacts, as Renne’ Devasia explained.

DevOps and DevSecOps have been slow and less secure for SaaS apps like Salesforce. New innovations are accelerating speeds and improving security. As DevSecOps continues to evolve this will also help low-code and no-code programs to develop even faster.

Innovations are reducing developer hours and false negatives... and reducing the sheer number of solutions needed to detect real vulnerabilities. Are your executives still waiting for DevSecOps? Then get them caught up on a new generation of innovations...

Gregory Ness

Fractional CMO in security, software, network hardware, cloud...

2 years ago

Pretty interesting Microsoft on low-code, no-code https://www.youtube.com/watch?v=JwM9NrePPMc
