Salesforce Dictionary - Free Salesforce Glossary
Salesforce QA / Tester
hard

How do you do security and penetration testing for Salesforce?

Security testing identifies vulnerabilities; penetration testing actively exploits them to validate that the defences hold.

Salesforce platform security:

  • Salesforce-managed — multi-tenant security; you don't test the platform.
  • Your responsibility — your customisations: code, sharing, FLS, integrations.

Areas to test:

1. Permissions.

  • Profiles, permission sets.
  • Object / field / system permissions.
  • Audit who has elevated access (View All, Modify All).
  • Test that least-privilege is enforced.

2. Sharing model.

  • OWD enforcement.
  • Sharing rules accurate.
  • No unintended cross-team access.

3. Field-Level Security.

  • Sensitive fields hidden from unauthorized profiles.
  • Encrypted fields properly encrypted.

4. Integration security.

  • Connected Apps with appropriate scopes.
  • API tokens properly secured.
  • HTTPS / TLS in transit.

5. SOQL injection.

  • Dynamic SOQL using bind variables.
  • User input properly escaped.
  • No SOQL concatenation with raw input.
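As an added example (not code from the original page), the same Account search in Apex written the vulnerable way and then hardened with a bind variable, WITH SECURITY_ENFORCED and Security.stripInaccessible, which also covers the "missing FLS checks in code" finding; the class and method names are hypothetical.

```apex
// Added example: one Account search, vulnerable and hardened. Names are hypothetical.
public with sharing class AccountSearch {   // "with sharing" honours OWD and sharing rules

    // 1. Vulnerable: raw input becomes part of the query text. A single quote in
    //    `term` closes the string literal and lets the caller rewrite the WHERE
    //    clause, and nothing checks whether the running user may read AnnualRevenue.
    public static List<Account> searchUnsafe(String term) {
        String q = 'SELECT Id, Name, AnnualRevenue FROM Account '
                 + 'WHERE Name LIKE \'%' + term + '%\'';
        return Database.query(q);
    }

    // 2. Hardened: the value is passed as a bind variable (:pattern), so the query
    //    engine treats it as data and quotes or keywords in it are inert.
    //    WITH SECURITY_ENFORCED throws a QueryException if the running user lacks
    //    field-level access to any selected field instead of silently returning it.
    public static List<Account> searchSafe(String term) {
        String pattern = '%' + term + '%';
        String q = 'SELECT Id, Name, AnnualRevenue FROM Account '
                 + 'WHERE Name LIKE :pattern WITH SECURITY_ENFORCED';
        return Database.query(q);
    }

    // 3. Fallback when query text genuinely must be assembled: escape the value so
    //    a quote cannot close the literal, then strip fields the user may not read
    //    before the records leave the method. This is weaker than (2); prefer binds.
    public static List<Account> searchEscaped(String term) {
        String safeTerm = String.escapeSingleQuotes(term);
        List<Account> rows = Database.query(
            'SELECT Id, Name, AnnualRevenue FROM Account '
          + 'WHERE Name LIKE \'%' + safeTerm + '%\'');
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Account>) decision.getRecords();
    }
}
```

A pentest or code review should flag any Database.query whose string is built from request or record data without a bind, and any query on sensitive fields that has neither WITH SECURITY_ENFORCED nor a stripInaccessible call.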

6. XSS / CSRF.

  • Custom UI properly escapes output.
  • Visualforce uses encoders.
  • LWC handles input safely.

7. Authentication.

  • MFA enforced.
  • SSO properly configured.
  • Session settings appropriate.

8. Data protection.

  • Encryption for Restricted/Mission Critical fields.
  • PCI / PHI properly handled.
  • GDPR / CCPA compliance.

Penetration testing approach:

  • Automated scanning — Burp Suite, OWASP ZAP.
  • Manual exploration — probe the customisations by hand to find what scanners miss.
  • Salesforce Source Code Analysis — Salesforce's own scanner.
  • Code review — manual + tools (PMD, Checkmarx, Veracode).
  • External pentest firm — annually for compliance.

Output:

  • Vulnerability report — what was found, severity, exploitation.
  • Remediation plan — fixes prioritised by severity.
  • Re-test after fixes.
  • Sign-off for compliance.

Compliance triggers:

  • PCI DSS — annual pentest.
  • SOC 2 — security testing required.
  • HIPAA — security risk assessment.
  • Industry-specific — varies.

Common findings:

  • Permission sprawl (View All Data overgranted).
  • SOQL injection vulnerabilities.
  • Missing FLS checks in code.
  • Insecure Connected Apps.
  • Outdated AppExchange packages.
  • XSS in custom Visualforce.

Common pitfalls:

  • Skipping security testing until forced.
  • Assuming Salesforce handles all security — wrong; your customisations are yours.
  • Testing only once — security posture degrades over time; re-test periodically.
  • Ignoring findings — vulnerabilities accumulate.

Senior QA insight: security testing is mandatory for regulated industries; recommended for everyone.

The senior framing: security incidents are the highest-impact failures. Testing is the cheapest insurance.

Why this answer works

Senior. The 8-area framework and "cheapest insurance" framing are mature.
