Surely you have heard the expression “if it works, don’t touch it”. It is a rule of thumb that is very present in the world of computing; however, it should not be applied 100% of the time. Most system administrators, Salesforce administrators included, spend each workday saturated with requests waiting to be satisfied. Through multiple configurations, Salesforce administrators manage to adapt organizations to the particularities of each company. It often happens that, driven by the urgency of completing critical daily demands, security recommendations are ignored during these customizations. It is then that the system can be exposed to vulnerabilities.
How often do you stop to wonder how your organization’s security is doing? Probably a lot less often than you should. Regardless of whether you are a project manager, consultant or administrator, the Health Check of your organization offers you an overview of everything that, even though it works, you could still touch and improve.
In this article we will bring you closer to Health Check and its importance for your organization.
What is the Salesforce Health Check?
Health Check is a native Salesforce functionality through which you can view a detailed assessment of the security of your Salesforce implementation. It identifies problems, risks, and vulnerabilities in your configurations and customizations. In addition, it provides you with elements and suggestions to improve the general protection of your organization.
Salesforce is a very flexible platform and customizations are very common. Users often deploy applications and make adjustments so that the system fits the way their business works as closely as possible. For this reason, both the platform and the users are responsible for guaranteeing the security of the work environment. Health Check is a tool that provides the information necessary to identify inactive security mechanisms or configurations that may constitute vulnerabilities. This information is very useful for preventing security breaches when applications and custom code are added to the organization.
With just one click, through Health Check, you can run a deep assessment of all your security settings. The configuration parameters are compared with those of the baseline (by default, the standard values recommended by Salesforce).
At the end of the analysis, a panel will show a percentage score that indicates the security status of your organization. This score is expressed on a scale of 0 to 100, where 100 is the optimal setting.
On this same screen you can view the list of all the configurations examined, with their status and the option to edit them. If you have full control over the impact that each configuration value has on customizations, integrations, users, etc., you can click the Fix Risks button and adjust all risk settings at once to the baseline values. You should be very careful with this option, because you may get unexpected results.
As we mentioned earlier, all of an organization’s security checks are performed against baseline values. In industries such as healthcare and finance, legal security requirements are generally more stringent than what Salesforce sets by default. In these cases, the application allows you to import a custom baseline in XML format.
Why is it important to consult the Health Check?
On the Internet, no software is free from threats. SaaS platforms like Salesforce are especially sensitive because of the amount of business-critical information they contain and because they can be accessed by many users from almost any device. Consulting the Health Check lets you know how exposed or protected your organization is against common security threats such as online password hacking or malicious code injection.
The security aspects evaluated by Health Check include:
- Protection at the session level, in parameters such as the maximum number of login attempts, session termination when the timeout expires, and restricting sessions to a given domain and source IP.
- Protection at the connection level, which is achieved in two ways. First, by requiring the HttpOnly attribute on cookies, so that client-side code cannot read them, which mitigates the risk posed by script running in the browser. Second, by checking the update status of all certificates.
- Security policies for passwords such as length, expiration, and complexity (the use of the combination of letters, numbers, and special characters).
- Content security policies, which protect your organization from XSS (Cross-site scripting) attacks.
- Code execution protection for both Apex and Visualforce pages against CSRF (Cross-Site Request Forgery), XSS, and clickjacking.
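To make the comparison described above concrete (settings graded against a baseline, a status per setting, a 0-100 score, and a Fix Risks step that resets drifting values), here is an added Python model; it is not code from the article or from Salesforce. The setting names, risk weights, and scoring formula are assumptions for illustration only, and the org configuration is constructed.

```python
# Simplified model of a Health Check: grade each org setting against a baseline and
# derive a 0-100 score. Constructed example; names, weights and formula are assumed.
# Assumed baseline rows: (setting, baseline value, larger-is-safer, weight: 3 high, 2 medium).
BASELINE = [
    ("Maximum invalid login attempts", 3, False, 3),
    ("Session timeout (minutes)", 120, False, 2),
    ("Lock sessions to originating IP", True, True, 2),
    ("Require HttpOnly attribute", True, True, 3),
    ("Minimum password length", 8, True, 3),
    ("Password expiration (days)", 90, False, 2),
    ("Password complexity required", True, True, 2),
    ("CSRF protection on GET requests", True, True, 3),
]

def is_compliant(standard, larger_is_safer, org_value):
    """A setting absent from the org (None) counts as a risk, never as compliant."""
    if org_value is None:
        return False
    if isinstance(standard, bool):
        return org_value == standard
    return org_value >= standard if larger_is_safer else org_value <= standard

def evaluate(org, baseline=BASELINE):
    """One (setting, status, org value, baseline value) row per checked setting."""
    rows = []
    for name, standard, larger, weight in baseline:
        ok = is_compliant(standard, larger, org.get(name))
        status = "Compliant" if ok else ("High Risk" if weight >= 3 else "Medium Risk")
        rows.append((name, status, org.get(name), standard))
    return rows

def score(org, baseline=BASELINE):
    """Weighted share of compliant settings, rounded to 0-100 (assumed formula)."""
    total = sum(w for _, _, _, w in baseline)
    met = sum(w for n, s, l, w in baseline if is_compliant(s, l, org.get(n)))
    return round(100 * met / total)

def fix_risks(org, baseline=BASELINE):
    """Mirror of Fix Risks: every non-compliant setting takes the baseline value (new dict)."""
    fixed = dict(org)
    for name, standard, larger, _ in baseline:
        if not is_compliant(standard, larger, org.get(name)):
            fixed[name] = standard
    return fixed

SAMPLE_ORG = {  # constructed org configuration; three settings drift from the baseline
    "Maximum invalid login attempts": 10, "Session timeout (minutes)": 120,
    "Lock sessions to originating IP": False, "Require HttpOnly attribute": True,
    "Minimum password length": 8, "Password expiration (days)": 180,
    "Password complexity required": True, "CSRF protection on GET requests": True,
}
```

Because fix_risks returns a new dict rather than mutating the input, the before and after states can be compared before anything is applied, which is the review step the article recommends before using the button.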
Some of the benefits of Salesforce Health Check are:
- Identifies non-optimal settings that may affect security.
- Detects potential vulnerabilities.
- Provides recommendations for improving security implementation.
- Reviews whether best practices for using Salesforce are being applied.
It is important that you consult the Health Check after every customization and configuration change you make. It is recommended that, every time you implement changes in your security policies, you run a status report before and after. It is good practice to keep the reports you obtain on each occasion as part of the documentation of your environment. In this way you can significantly improve your level of security.
In short, Salesforce Health Check is a useful tool for easily visualizing and fixing vulnerabilities in your Salesforce organization. Remember that even when your implementation works, its optimization and continuous improvement should be a management goal. Contact us at firstname.lastname@example.org if you need a diagnosis of the security status of your Salesforce implementation.