
Securing Your Salesforce Ecosystem: A Comprehensive guide to using Checkmarx

Planning For Future Success

Secure software development is critical for businesses today, and organizations that use Salesforce as their primary CRM platform must ensure that their Salesforce applications are secure and protected against potential threats. One of the best ways to enhance the security of Salesforce applications is by using Checkmarx – a software security tool that provides application security testing solutions.

Checkmarx

Checkmarx’s static application security testing (SAST) solution is a powerful code review tool for Salesforce that scans the source code of an application and identifies security vulnerabilities before the code is compiled or executed.

The Static Application Security Testing process involves the following steps:

Step 1. The developer uploads the Apex code to the Checkmarx platform. Checkmarx scans the code for potential security vulnerabilities, including injection flaws, cross-site scripting attacks, and security misconfigurations.

Step 2. The developer receives a report detailing the potential security vulnerabilities in the code.

Step 3. The developer addresses the identified vulnerabilities, either by fixing the code or by providing a justification.

Checkmarx’s SAST solution for Salesforce also integrates with Salesforce’s development platform. It allows developers to scan their Apex code for potential vulnerabilities directly within the Salesforce environment. This integration ensures that developers can identify and address potential security vulnerabilities quickly and efficiently. It reduces the risk of a data breach or cyber-attack.

Common issues and vulnerabilities that Checkmarx can help identify in Salesforce applications:

  1. Cross-Site Scripting – This vulnerability allows attackers to inject malicious code into a website or web application, which can then be executed by unsuspecting users. Checkmarx's SAST solution can identify potential cross-site scripting vulnerabilities in Apex code, allowing developers to address them before the code is compiled or executed.
  2. SOQL / SOSL Injection – This vulnerability allows attackers to inject malicious code into a Salesforce application's SOQL or SOSL queries, potentially allowing them to access sensitive data or perform unauthorized actions. Checkmarx's SAST solution can identify potential SOQL/SOSL injection vulnerabilities in Apex code, allowing developers to address them before the code executes.
     Solution: Use String.escapeSingleQuotes on user input, or pass the input to the query as a bind variable, to prevent this vulnerability.
    //Insecure code: dynamic SOQL built by string concatenation, so a quote
    //in the user input can change the meaning of the query
    String query = 'SELECT Id, Name FROM Contact WHERE LastName = \'' + inputString + '\' LIMIT 1';
    Contact contact = Database.query(query);

    //Secure code: escape the input before concatenating it...
    String query = 'SELECT Id, Name FROM Contact WHERE LastName = \'' + String.escapeSingleQuotes(inputString) + '\' LIMIT 1';
    Contact contact = Database.query(query);
    //...or, better, pass it as a bind variable in a static query
    Contact contact = [SELECT Id, Name FROM Contact WHERE LastName = :inputString LIMIT 1];


  3. CRUD Issues – CRUD stands for Create, Read, Update, and Delete, the four basic functions of persistent storage. CRUD issues can allow attackers to perform unauthorized actions on Salesforce data, such as creating, reading, updating, or deleting records. Checkmarx's SAST solution can identify potential CRUD issues in Apex code, allowing developers to address them before the code executes.
     Solution: Before each operation, use the describe checks Apex provides, such as isQueryable(), isAccessible(), isUpdateable(), isCreateable(), and so on, on the object and on each field the code touches, to prevent this vulnerability.
    // For Query: check the object, then use a bind variable (no escaping needed)
    if (Schema.sObjectType.Contact.isQueryable()) {
        Contact contact = [SELECT Id, Name FROM Contact WHERE LastName = :inputString LIMIT 1];
    }
    // For Insertion: check each field being set, then the object
    Contact contact = new Contact();
    if (Schema.sObjectType.Contact.fields.LastName.isCreateable()) {
        contact.LastName = 'Example Name';
    }
    if (Schema.sObjectType.Contact.fields.Email.isCreateable()) {
        contact.Email = 'examplenew@gmail.com';
    }
    if (Schema.sObjectType.Contact.isCreateable() && contact != null) {
        insert contact;
    }
    // For Deletion:
    if (Schema.sObjectType.Contact.isDeletable() && contact != null) {
        delete contact;
    }
    // For Update: set the Id of the existing record, then check each field
    Contact contact = new Contact();
    contact.Id = id;
    if (Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
        contact.Email = 'example@gmail.com';
    }
    if (Schema.sObjectType.Contact.isUpdateable() && contact != null) {
        update contact;
    }


  4. Access Control Issues (Sharing, FLS) – Access control issues can allow attackers to access sensitive data or perform unauthorized actions in a Salesforce application. Checkmarx's SAST solution can identify potential access control issues related to sharing settings or field-level security (FLS) in Apex code, allowing developers to address them before the code executes.
     Solution: Declare the class with the with sharing keyword so that the running user's sharing rules are enforced on its queries and DML.
     Example:
    //Insecure code: without a sharing declaration the class does not enforce
    //the running user's record-level sharing rules
    public class ClassName {
        //your code
    }
    //Secure code
    public with sharing class ClassName {
        //your code
    }

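The three fixes above combined in one class, as an added example that is not code from the original post: the class runs with sharing, checks object and field permissions before reading and writing, and passes the user-supplied value as a bind variable. ContactLookupService, its method names and AccessDeniedException are assumed names for this illustration.

```apex
// Added example, not from the original post. ContactLookupService, its methods
// and AccessDeniedException are assumed names for this illustration.
public with sharing class ContactLookupService {

    // Thrown when the running user lacks a required object or field permission.
    public class AccessDeniedException extends Exception {}

    // "with sharing" above makes the query respect the user's sharing rules.
    public static List<Contact> findByLastName(String lastName) {
        // CRUD check: can the running user read Contact records at all?
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AccessDeniedException('No read access to Contact');
        }
        // FLS check: every field the query returns must also be readable.
        if (!Schema.sObjectType.Contact.fields.Name.isAccessible()
            || !Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            throw new AccessDeniedException('No read access to a Contact field');
        }
        // Injection-safe: the value is a bind variable, so quotes or SOQL
        // keywords in lastName are treated as data, never as query text.
        // (For a dynamic query, Database.queryWithBinds with a bind map gives
        // the same guarantee; String.escapeSingleQuotes is the fallback only
        // when string concatenation cannot be avoided.)
        return [SELECT Id, Name, Email FROM Contact WHERE LastName = :lastName LIMIT 50];
    }

    // Creates a Contact only if the user may create the object and write each
    // field; a field the user cannot write is simply not set.
    public static Id createContact(String lastName, String email) {
        if (!Schema.sObjectType.Contact.isCreateable()) {
            throw new AccessDeniedException('No create access to Contact');
        }
        Contact c = new Contact();
        if (Schema.sObjectType.Contact.fields.LastName.isCreateable()) {
            c.LastName = lastName;  // required field: the insert fails if unset
        }
        if (Schema.sObjectType.Contact.fields.Email.isCreateable()) {
            c.Email = email;
        }
        insert c;
        return c.Id;
    }
}
```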

    Once potential security issues and vulnerabilities in Salesforce applications are identified, Checkmarx's SAST solution helps developers address them early in the software development life cycle, reducing the risk of a data breach or cyber-attack.

Checkmarx’s features include:

  1. Comprehensive security testing of Salesforce applications.
  2. Integration with Salesforce’s development platform for easy scanning of Apex code.
  3. Detection of known vulnerabilities in third-party components and libraries.

The advantages of using Checkmarx for Salesforce include:

  1. Enhancing the security of Salesforce applications.
  2. Reducing the risk of a data breach or cyber attack.
  3. Identifying potential security vulnerabilities early in the software development life cycle.

Summary

The purpose of code review is to ensure that the quality of the code remains as high as possible. This step is carried out using Checkmarx to identify gaps in the code. Checkmarx minimizes the application security risks.


Vicky Madankar

Vicky Madankar is a technical consultant with over 4 years of development experience. He currently works as a Salesforce developer and loves exploring technology.
