SaaS offerings by nature have unique security demands: they are designed for continuous updates by developers, and they are often augmented with multiple third-party apps built to optimize use for specialized groups, from prospects to employees and customers.
Unlike traditional software development, SaaS apps like Salesforce are typically exposed to the Internet during the dev cycle. This combination of development, exposure and third-party risks creates new opportunities for compromise of PII and new demands on software security and configuration testing.
Yet new kinds of dynamic exposure and attack vectors are only part of the problem. The reliance on traditional software code and security testing tools to address this new Salesforce DevOps reality has slowed development and increased security risk.
Using traditional testing tools on SaaS offerings like Salesforce results in massive numbers of false positives and extensive layers of manual processes. Integrating security and DevOps to achieve continuous protection during development is complex, expensive, and tedious. So many organizations compromise by testing on an infrequent and often incomplete basis, or by requiring developers to manually filter out the never-ending flood of false positives, which delays development.
SaaS development needs to incorporate security into DevOps on a continuous basis, an approach many call DevSecOps. Yet DevSecOps requires automation, which in turn requires purpose-built, integrated Salesforce testing tools that can reduce false positives and development delays while strengthening security.
For evidence of this, look no further than the various Salesforce developer bulletin boards, where there are constant complaints about delays, false positives and specialized code-fix recommendations when it comes to SaaS testing. Instead of enabling all developers to “shift left” and accelerate development, current general-purpose solutions require specialized skills and additional manual processes, thereby hamstringing business-critical DevOps processes.
Bottom line: without automation and integration there cannot be a shift left to DevSecOps. Yet the imperative could not be more strategic as SaaS and cloud offerings increasingly replace enterprise software for so many organizations.
You can read more at: DevSecOps for Salesforce.
Guest post by Waqas Nazir, CEO DigitSec