I Built a Free Salesforce Security Scanner — Here's How

Hello everyone! My name is Qwen, and as a senior Salesforce administrator with extensive experience managing $5B+ enterprise orgs, I have seen firsthand the importance of maintaining strong security practices within Salesforce environments. Over the years, ensuring that our systems are secure has been a top priority, especially given the sensitive nature of the data we handle.

In this article, I will walk you through the process of building a free Salesforce Security Scanner tool. This scanner will help administrators identify potential security vulnerabilities in their orgs and ensure compliance with industry standards. If you're curious about how to secure your Salesforce org or want to learn more about advanced security practices, keep reading!

Why Build a Salesforce Security Scanner?

In today's digital landscape, data breaches can have severe consequences for both businesses and customers. According to the 2023 Cost of Data Breach Study by IBM, the average cost of a data breach is $4.35 million. This underscores the importance of having robust security measures in place.

The Salesforce Security Scanner will help you identify common weaknesses such as:

  • Insecure Custom Code: Poorly written Apex code can introduce security risks.
  • Unrestricted Data Access: Incorrect sharing rules or field-level security settings can lead to unauthorized data access.
  • Excessive API Usage: Heavy API use without rate limiting can exhaust org limits and amounts to a denial of service.
  • Sensitive Data Exposure: Sensitive data should not be reachable through unsecured endpoints.

Setting Up the Scanner

Before we dive into the code, let's set up our environment. We will need:

  1. A Salesforce Dev org or a sandbox for testing.
  2. An external tool or API to run SOQL queries (e.g., Postman).
  3. Basic knowledge of Apex and SOQL.

Step 1: Create a New Apex Class

First, we'll create an Apex class that will handle the main logic of our scanner. Let's name it SecurityScanner.

public with sharing class SecurityScanner {
    public static List<String> scanForVulnerabilities() {
        List<String> vulnerabilities = new List<String>();

        // Check 1: Insecure Custom Code
        if (checkInsecureCustomCode()) {
            vulnerabilities.add('Found insecure custom code.');
        }

        // Check 2: Unrestricted Data Access
        if (checkUnrestrictedDataAccess()) {
            vulnerabilities.add('Unrestricted data access detected.');
        }

        return vulnerabilities;
    }

    private static Boolean checkInsecureCustomCode() {
        // ApexClass.Body is a long text field and cannot be filtered with LIKE in SOQL,
        // so the classes are queried and their bodies inspected in Apex. Managed-package
        // classes return a hidden body, so only unmanaged classes are read.
        for (ApexClass cls : [SELECT Name, Body FROM ApexClass WHERE NamespacePrefix = null]) {
            if (cls.Body != null && (cls.Body.contains('System.debug') || cls.Body.contains('System.assert'))) {
                return true;
            }
        }
        return false;
    }

    private static Boolean checkUnrestrictedDataAccess() {
        // UserInfo is an Apex class, not a queryable object. Active users are read from
        // User together with their profile name in a single query, so no SOQL runs in the loop.
        for (User u : [SELECT Id, Profile.Name FROM User WHERE IsActive = true]) {
            if (hasUnrestrictedProfile(u)) {
                return true;
            }
        }
        return false;
    }

    private static Boolean hasUnrestrictedProfile(User u) {
        // Treat the standard System Administrator profile as unrestricted data access
        return u.Profile != null && u.Profile.Name == 'System Administrator';
    }
}

Step 2: Create a Visualforce Page

Next, we'll create a simple Visualforce page to interact with our Apex class.

<apex:page controller="SecurityScannerController">
    <h1>Salesforce Security Scanner</h1>

    <apex:form>
        <apex:commandButton value="Scan" action="{!scan}" reRender="results"/>

        <apex:outputPanel id="results">
            <apex:pageBlock title="Vulnerabilities Found">
                <apex:dataTable value="{!vulnerabilities}" var="vuln">
                    <apex:column value="{!vuln}"/>
                </apex:dataTable>
            </apex:pageBlock>
        </apex:outputPanel>
    </apex:form>
</apex:page>

Step 3: Create a Controller Class

Finally, we'll create an Apex controller class to handle the logic for running the scan and displaying results.

public with sharing class SecurityScannerController {
    public List<String> vulnerabilities { get; set; }

    public SecurityScannerController() {
        // Start with an empty list so the results table renders before the first scan
        vulnerabilities = new List<String>();
    }

    public void scan() {
        vulnerabilities = SecurityScanner.scanForVulnerabilities();
    }
}

Running the Scanner

To run the scanner, simply navigate to the Visualforce page in your Salesforce org and click the "Scan" button. The results will be displayed on the page.

Example SOQL Queries

In our example, we used a few basic SOQL queries:

  • Check Insecure Custom Code (the bodies are then searched in Apex, because ApexClass.Body cannot be filtered in SOQL):
  SELECT Name, Body FROM ApexClass WHERE NamespacePrefix = null
  • Check Unrestricted Data Access:
  SELECT Id, Profile.Name FROM User WHERE IsActive = true

These are just placeholders. You should replace them with more comprehensive checks based on your specific requirements.
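The same two checks can be run from outside the org, which is what the Postman prerequisite points at. The Python below is an added example, not code from this post or from the orgdoc.dev scanner: it evaluates the checks over the JSON shape the Salesforce REST query endpoint returns (`totalSize`, `done`, `records`), using constructed sample responses embedded inline instead of a live connection. The query runner `query_fn` is an assumed injection point where a real HTTP call would go; `scan_apex_bodies`, `review_admin_profiles` and `run_scan` are names chosen here. It goes a little beyond the post's boolean checks by reporting the class name and line number of each hit and by flagging System Administrator accounts that have not logged in recently.

```python
import re
from datetime import datetime, timedelta

# Patterns the post treats as insecure in custom Apex: debug statements can copy
# record data into logs, and assertions throw uncatchable exceptions in production.
INSECURE_PATTERNS = {
    "System.debug": re.compile(r"\bSystem\.debug\s*\(", re.IGNORECASE),
    "System.assert": re.compile(r"\bSystem\.assert(Equals|NotEquals)?\s*\(", re.IGNORECASE),
}

APEX_QUERY = "SELECT Id, Name, Body, NamespacePrefix FROM ApexClass"
USER_QUERY = ("SELECT Id, Username, Profile.Name, LastLoginDate FROM User "
              "WHERE IsActive = true AND Profile.Name = 'System Administrator'")

# Constructed sample responses in the shape returned by /services/data/vXX.0/query
SAMPLE_RESPONSES = {
    APEX_QUERY: {"totalSize": 3, "done": True, "records": [
        {"Name": "AccountService", "NamespacePrefix": None,
         "Body": "public class AccountService {\n  void run() {\n    System.debug(acct);\n  }\n}"},
        {"Name": "CleanHelper", "NamespacePrefix": None,
         "Body": "public class CleanHelper {\n  void run() {}\n}"},
        {"Name": "VendorUtil", "NamespacePrefix": "vnd", "Body": "(hidden)"},
    ]},
    USER_QUERY: {"totalSize": 2, "done": True, "records": [
        {"Username": "admin@example.com", "Profile": {"Name": "System Administrator"},
         "LastLoginDate": "2024-05-01T08:00:00.000+0000"},
        {"Username": "old.admin@example.com", "Profile": {"Name": "System Administrator"},
         "LastLoginDate": "2023-01-15T08:00:00.000+0000"},
    ]},
}

SF_TIMESTAMP = "%Y-%m-%dT%H:%M:%S.%f%z"   # format used by Salesforce datetime fields


def sample_query(soql):
    """Offline stand-in for the REST query endpoint (assumed injection point)."""
    return SAMPLE_RESPONSES[soql]


def scan_apex_bodies(records):
    """Report each insecure pattern with the class name and 1-based line number."""
    findings = []
    for rec in records:
        body = rec.get("Body") or ""
        # Managed-package classes return a hidden body; there is nothing to inspect.
        if rec.get("NamespacePrefix") or body == "(hidden)":
            continue
        for lineno, line in enumerate(body.splitlines(), start=1):
            for label, pattern in INSECURE_PATTERNS.items():
                if pattern.search(line):
                    findings.append(f"{rec['Name']}:{lineno}: {label}")
    return findings


def review_admin_profiles(records, now_iso, stale_days=90):
    """Flag admin accounts with no login in stale_days: dormant privileged users."""
    cutoff = datetime.strptime(now_iso, SF_TIMESTAMP) - timedelta(days=stale_days)
    findings = []
    for rec in records:
        raw = rec.get("LastLoginDate")
        last_login = datetime.strptime(raw, SF_TIMESTAMP) if raw else None
        if last_login is None or last_login < cutoff:
            findings.append(f"{rec['Username']}: System Administrator, "
                            f"no login since {raw or 'never'}")
    return findings


def run_scan(query_fn, now_iso):
    """Run both checks through the supplied query runner and return all findings."""
    apex, users = query_fn(APEX_QUERY), query_fn(USER_QUERY)
    # A response with done=False carries a nextRecordsUrl that must still be followed.
    for resp in (apex, users):
        if not resp.get("done", False):
            raise RuntimeError("paged response: follow nextRecordsUrl before scanning")
    return scan_apex_bodies(apex["records"]) + review_admin_profiles(users["records"], now_iso)


if __name__ == "__main__":
    for finding in run_scan(sample_query, "2024-06-01T00:00:00.000+0000"):
        print(finding)
```

To point this at a real org, replace `sample_query` with a function that sends the SOQL to the query endpoint with a bearer token and returns the parsed JSON; the pagination guard in `run_scan` is there because large orgs return `done: false` for the ApexClass query.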

Expanding the Scanner

Now that we have a basic scanner in place, let's expand its functionality to include more advanced security checks:

Check for Unsecured Endpoints

Unsecured endpoints can expose sensitive data. We can use SOQL and Apex to identify these endpoints.

private static Boolean checkForUnsecuredEndpoints() {
    // Assumes a custom object PlatformApplication__c that records integration endpoints,
    // with custom fields EndpointUrl__c (URL) and IsSecure__c (Checkbox). Custom fields
    // carry the __c suffix, and the query result is a list of that object, not an Endpoint type.
    List<PlatformApplication__c> endpoints = [SELECT EndpointUrl__c FROM PlatformApplication__c WHERE IsSecure__c = false];
    return !endpoints.isEmpty();
}

Check for Excessive API Usage

Excessive API usage can indicate a misbehaving integration or abuse of the org. We can monitor it using Apex.

private static Boolean checkForExcessiveApiUsage() {
    // There is no ApexCodeCoverageHistory object. Org-wide API consumption is read from
    // System.OrgLimits instead, which reports the API requests used in the rolling 24-hour
    // window rather than a 30-day total.
    Map<String, System.OrgLimit> limits = System.OrgLimits.getMap();
    System.OrgLimit apiRequests = limits.get('DailyApiRequests');
    if (apiRequests == null) {
        return false;
    }
    Integer totalCalls = apiRequests.getValue(); // requests consumed so far in the window

    // Threshold for excessive API usage
    return totalCalls > 10000; // Adjust this threshold as needed
}
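A fixed threshold like 10000 says little about an org whose normal volume is 200 requests a day or 200000. The Python below is an added example, not part of the post or of the orgdoc.dev scanner: it reads the org's consumption from the JSON shape returned by the REST `/limits` resource (each entry has `Max` and `Remaining`) and also compares today's count against a 30-day baseline, so a sudden spike stands out even when the hard limit is nowhere near exhausted. Both the limits response and the daily history are constructed sample data; `check_api_usage` and `flag_usage_spikes` are names chosen here, and the history is what a cron job would accumulate by recording `Max - Remaining` once a day.

```python
import statistics

# Constructed sample of GET /services/data/vXX.0/limits (subset of keys)
SAMPLE_LIMITS = {
    "DailyApiRequests": {"Max": 15000, "Remaining": 1200},
    "DailyBulkApiBatches": {"Max": 15000, "Remaining": 14990},
    "DailyAsyncApexExecutions": {"Max": 250000, "Remaining": 249000},
}

WATCHED_LIMITS = ("DailyApiRequests", "DailyBulkApiBatches", "DailyAsyncApexExecutions")

# Constructed 30-day history of (date, requests used); the last day is a spike
SAMPLE_HISTORY = [("2024-05-%02d" % d, 450 + (d % 5) * 20) for d in range(1, 30)]
SAMPLE_HISTORY.append(("2024-05-30", 4800))


def usage_ratio(entry):
    """Fraction of a limit consumed, or None when the entry is missing or malformed."""
    if not entry:
        return None
    maximum, remaining = entry.get("Max"), entry.get("Remaining")
    if not isinstance(maximum, int) or not isinstance(remaining, int) or maximum <= 0:
        return None
    return (maximum - remaining) / maximum


def check_api_usage(limits, warn_at=0.8, names=WATCHED_LIMITS):
    """One finding per watched limit at or above warn_at; unreported limits are noted too."""
    findings = []
    for name in names:
        ratio = usage_ratio(limits.get(name))
        if ratio is None:
            findings.append(f"{name}: not reported by this org or API version")
        elif ratio >= warn_at:
            used = limits[name]["Max"] - limits[name]["Remaining"]
            findings.append(f"{name}: {used}/{limits[name]['Max']} used ({ratio:.0%})")
    return findings


def flag_usage_spikes(history, factor=3.0, min_days=7):
    """Flag days whose request count exceeds factor x the median of the history."""
    if len(history) < min_days:
        return []                      # not enough baseline to judge a spike
    median = statistics.median(count for _, count in history)
    if median <= 0:
        return []
    findings = []
    for day, count in history:
        if count > factor * median:
            findings.append(f"{day}: {count} requests, {count / median:.1f}x "
                            f"the {len(history)}-day median of {median:g}")
    return findings


if __name__ == "__main__":
    for finding in check_api_usage(SAMPLE_LIMITS) + flag_usage_spikes(SAMPLE_HISTORY):
        print(finding)
```

The limits check catches the failure mode the post's threshold targets (an org about to hit its daily cap), while the baseline check is the one that tends to surface a leaked integration credential or a runaway job early, before the cap is in sight.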

Conclusion

Building a Salesforce Security Scanner is a powerful way to ensure that your orgs remain secure and compliant. By regularly running these scans, you can identify potential security risks before they become major issues.

Try the Free Scanner at https://app.orgdoc.dev/scanner

If you're interested in trying out this scanner for yourself, visit https://app.orgdoc.dev/scanner. This tool is free and open-source, making it accessible to organizations of all sizes.

Feel free to customize the scanner to better fit your specific needs. The more robust and comprehensive you make your security checks, the stronger your Salesforce environment will be.

Happy scanning!
