Are you oversharing (in Salesforce)? Our new tool could sniff it out!

Unauthorised access to data is a primary concern of clients who commission a Salesforce assessment. The Salesforce documentation acknowledges that the sharing model is a "complex relationship between role hierarchies, user permissions, sharing rules, and exceptions for certain situations"[1]. It is often said that complexity and security are natural enemies. Salesforce empowers its users with …

Salesforce Security with Remote Working

With Coronavirus still active across the world, life is far from settled, but the uptake of remote working is surely here to stay. From a security standpoint, organisations[1] may feel less comfortable at the moment simply because staff are working out of sight. Whether that feeling is justified will depend on the technical measures put …

Common Insecure Practices with Configuring and Extending Salesforce

This article discusses the most common findings from a sample of over 35 security assessments of Salesforce customer deployments conducted by NCC Group. The assessments covered a mixture of configuration and code review based on our customers’ use of the Salesforce platform, not of Salesforce itself. The findings were sorted into broad categories, of which …

When a Trusted Site in Internet Explorer was Anything But

This post is about one of those vulnerabilities that you don’t envisage seeing again for some time but, nevertheless, still contains some valuable lessons, especially when it comes to how vulnerabilities can combine to produce different attack scenarios. While the scenario is rare for Internet-facing websites, developers and architects responsible for internal applications, especially legacy …