With cyberattacks on the rise, businesses are working hard to safeguard their data against breaches. Recent findings by Varonis Threat Labs highlight high- and critical-severity vulnerabilities and misconfigurations in customer-written Apex code, Salesforce's server-side programming language, posing a significant risk to business data held in Salesforce. Acting promptly on these findings is essential to maintaining the integrity of a Salesforce environment.
Explaining Apex
Apex is Salesforce's strongly typed, object-oriented programming language, with syntax resembling Java. It lets customers add custom logic to their Salesforce instances: developers attach business logic to system events such as record inserts and updates, button clicks, Visualforce pages and Lightning components, and the code executes on the server through the Lightning Platform. Apex classes serve as templates for Apex objects and contain methods, variables and initialisation code. While Apex extends Salesforce's power and customisability, custom code also introduces potential vulnerabilities that the platform itself does not protect against.
Understanding the Apex Code Threat
If exploited, the vulnerabilities can lead to data leakage, data corruption, and damage to business functions in Salesforce. "That's why keeping track of Apex classes and their properties, who can execute them, and how they are used is vital," says Rahul Tyagi, Co-founder, Safe Security.
The recent research reveals high- and critical-severity vulnerabilities and misconfigurations in Apex code. They were found in Fortune 500 companies and government agencies, underscoring how widespread the problem is.
Importantly, the risk extends beyond large enterprises, because Apex code also ships inside many "off-the-shelf" applications built on the platform, so an organisation that has never written a line of Apex may still be running vulnerable classes.
Apex classes can be declared to run "with sharing" or "without sharing," and each mode carries its own set of risks.
A class that runs "without sharing" ignores the running user's record-level sharing rules and can read and modify records that user could not otherwise see. This is a legitimate and often necessary capability, but it raises the risk and should be used carefully, especially when the class can be executed by guest or external users, warns Tyagi. According to him, the risks associated with the "without sharing" mode are:
Insecure Direct Object References (IDOR): Users can potentially access and manipulate data they shouldn't, leading to data breaches and integrity issues.
Vulnerabilities in Apex Code: Similar to other programming languages, Apex code can be exploited if not properly secured. Vulnerabilities like SOQL and SOSL injection allow attackers to manipulate queries and extract sensitive data, compromising system integrity and security.
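To make the two risks above concrete, here is an added illustration written for this article; it is not code from Varonis or from the research, and the object, field and class names (Invoice__c, Amount__c, Account__r, InvoiceLookupUnsafe, InvoiceLookupSafe) are hypothetical. The first class combines both problems: it runs without sharing, so any record is reachable (IDOR), and it builds its SOQL by string concatenation, so a crafted input rewrites the WHERE clause. The second class shows the hardened form using the platform's own mechanisms: the with sharing keyword, bind variables, WITH USER_MODE (the successor to WITH SECURITY_ENFORCED) and Security.stripInaccessible().

```apex
// VULNERABLE (hypothetical example, not from the article): system-context class
// that concatenates caller-controlled input into a dynamic SOQL query.
public without sharing class InvoiceLookupUnsafe {
    @AuraEnabled
    public static List<Invoice__c> findByNumber(String invoiceNumber) {
        // @AuraEnabled parameters are fully attacker-controlled from the browser.
        String q = 'SELECT Id, Name, Amount__c, Account__r.Name FROM Invoice__c '
                 + 'WHERE Name = \'' + invoiceNumber + '\'';
        // Input  x' OR Name != '  yields  WHERE Name = 'x' OR Name != ''  and
        // returns every invoice in the org; "without sharing" means no
        // record-level access check stops it (IDOR + SOQL injection).
        return Database.query(q);
    }
}

// HARDENED (hypothetical example, not from the article):
//  - "with sharing" applies the running user's record-level sharing rules;
//  - a bind variable keeps the input out of the query text, so quoting tricks fail;
//  - WITH USER_MODE enforces object and field-level permissions
//    (use WITH SECURITY_ENFORCED on API versions that predate USER_MODE);
//  - Security.stripInaccessible() drops fields the caller may not read
//    before the records leave the server.
public with sharing class InvoiceLookupSafe {
    @AuraEnabled
    public static List<Invoice__c> findByNumber(String invoiceNumber) {
        if (String.isBlank(invoiceNumber) || invoiceNumber.length() > 40) {
            throw new AuraHandledException('Invalid invoice number');
        }
        List<Invoice__c> rows = [
            SELECT Id, Name, Amount__c, Account__r.Name
            FROM Invoice__c
            WHERE Name = :invoiceNumber
            WITH USER_MODE
            LIMIT 50
        ];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Invoice__c>) decision.getRecords();
    }

    // When the query genuinely has to be dynamic (an optional filter here),
    // still bind the value and run in user mode instead of escaping strings.
    @AuraEnabled
    public static List<Invoice__c> search(String invoiceNumber, String accountName) {
        String q = 'SELECT Id, Name, Amount__c FROM Invoice__c WHERE Name = :num';
        Map<String, Object> binds = new Map<String, Object>{ 'num' => invoiceNumber };
        if (String.isNotBlank(accountName)) {
            q += ' AND Account__r.Name = :acct';
            binds.put('acct', accountName);
        }
        q += ' LIMIT 50';
        return Database.queryWithBinds(q, binds, AccessLevel.USER_MODE);
    }
}
```

The practical audit question this raises for every class is the same one the hardened version answers: who can call it, does it declare a sharing mode, and does any user-supplied string ever reach Database.query() unbound.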
The Shared Responsibility Model
Crucially, under the shared responsibility model, the onus lies on Salesforce customers to ensure the security of the Apex code they write or install. Salesforce secures the underlying platform, but the custom classes, permission assignments and sharing settings an organisation deploys on top of it are the customer's responsibility, and Salesforce cannot patch a customer's own code.
"Therefore, it's imperative to involve cybersecurity specialists and compliance experts in reviewing Apex classes, not solely relying on Salesforce developers and admins," advises Vaibhav Kanyalkar, CTO, Privezi Solutions.
Maheswaran S, Country Manager of South Asia at Varonis, also underlines the principle of the shared responsibility model. While cloud service providers are responsible for the availability and reliability of their platforms, customer organisations must actively ensure the security of their data.
Mitigating Risks: A Tactical Approach to Apex Security
To reduce the blast radius and fortify Salesforce security, organisations are advised to meticulously review their Apex classes. This involves a comprehensive assessment of who can execute them, checking profiles, and scrutinising permission sets.
An essential step in the security audit process is validating that Apex classes are created securely. This includes a thorough review of the source code to confirm whether the class is configured to run "without sharing."
Apex classes that run without sharing can access data that they normally shouldn't, exposing your sensitive information to potential threats. “To secure your data and prevent common vulnerabilities, you need to follow the best practices for Apex development, such as using the with sharing keyword, storing credentials securely, stripping inaccessible fields, encoding user input, marking methods as CSRF-safe, and scanning your code for security issues. By doing so, you can ensure that your Apex code is not only powerful but also safe and compliant,” says Hariom Seth, Founder, Tagglabs.
Nitay Bachrach, Senior Security Researcher at Varonis and author of the research, highlights the need for organisations to conduct thorough audits of all Apex classes. He suggests starting with the classes that can be executed by guest users and are configured to run "without sharing," since that combination exposes data to unauthenticated visitors. Adhering to the principle of least privilege is vital, ensuring that code runs without sharing only when absolutely necessary.
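The audit steps described above, as an added example that is not part of the article or the Varonis research: an Execute Anonymous script that lists the Apex classes guest-user profiles are allowed to run and reports the sharing declaration found in each class body. It assumes guest profiles can be identified by the user licence name "Guest User License", and that managed-package class bodies come back hidden (so they must be reviewed through the vendor instead).

```apex
// Added audit example (not from the article or Varonis). Run in the Developer
// Console's Execute Anonymous window or with the Salesforce CLI (sf apex run).
// Assumption: guest profiles use the "Guest User License" user licence.

// 1. Profile-owned permission sets that belong to guest-user profiles.
Set<Id> guestPermSetIds = new Set<Id>();
for (PermissionSet ps : [
    SELECT Id
    FROM PermissionSet
    WHERE IsOwnedByProfile = true
      AND Profile.UserLicense.Name = 'Guest User License'
]) {
    guestPermSetIds.add(ps.Id);
}

// 2. Apex classes those permission sets grant execute access to.
//    SetupEntityAccess is the junction between permission sets and Apex classes.
Set<Id> classIds = new Set<Id>();
for (SetupEntityAccess sea : [
    SELECT SetupEntityId
    FROM SetupEntityAccess
    WHERE SetupEntityType = 'ApexClass'
      AND ParentId IN :guestPermSetIds
]) {
    classIds.add(sea.SetupEntityId);
}

// 3. Inspect each class body for its sharing declaration.
Pattern withoutSharing = Pattern.compile('(?i)\\bwithout\\s+sharing\\b');
Pattern withSharing    = Pattern.compile('(?i)\\b(with|inherited)\\s+sharing\\b');
Integer flagged = 0;

for (ApexClass c : [
    SELECT Name, NamespacePrefix, Body
    FROM ApexClass
    WHERE Id IN :classIds
    ORDER BY NamespacePrefix, Name
]) {
    String mode;
    if (c.Body == null || c.Body == '(hidden)') {
        // Assumption: managed-package bodies are not readable; review with the vendor.
        mode = 'BODY HIDDEN (managed package) - review with vendor';
    } else if (withoutSharing.matcher(c.Body).find()) {
        mode = 'WITHOUT SHARING - guest-reachable, review first';
        flagged++;
    } else if (withSharing.matcher(c.Body).find()) {
        mode = 'with/inherited sharing';
    } else {
        // No keyword: inherits the caller's mode, and runs without sharing
        // when the class is itself the entry point.
        mode = 'NO SHARING KEYWORD - runs without sharing as an entry point';
        flagged++;
    }
    String fullName = (c.NamespacePrefix == null ? '' : c.NamespacePrefix + '.') + c.Name;
    System.debug(LoggingLevel.INFO, fullName + ' [' + mode + ']');
}

System.debug(LoggingLevel.INFO, classIds.size() + ' guest-executable classes, '
    + flagged + ' need least-privilege review');
```

The flagged classes are the ones to triage first: for each, ask whether guest users need to call it at all, whether it can be declared with sharing or inherited sharing instead, and, if it genuinely must run without sharing, whether the methods it exposes validate their inputs and restrict what they return. The same script can be pointed at Experience Cloud external users by changing the licence-name filter.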
Tyagi thinks that protecting sensitive data and preserving system integrity in Salesforce requires strong security measures. This entails following safe coding standards, such as sanitising input and employing static queries, performing human access reviews to verify appropriate user permissions, and enforcing permissions with "WITH SHARING_ENFORCED."
It is also imperative to use Salesforce's built-in security capabilities, such as the Crypto class, and to apply data loss prevention (DLP) techniques alongside continuous monitoring via Event Monitoring and SIEM integrations. A thorough security policy must further include the principle of least privilege, regular patching of the components the customer controls, and multi-factor authentication (MFA). A well-defined incident response plan helps ensure that security incidents are handled quickly and efficiently.
Kanyalkar suggests:
Integrate security into the software development lifecycle to identify and mitigate security vulnerabilities early in the development process.
Provide comprehensive training and awareness programs to employees to educate them about security best practices and their role in maintaining security.
Adopt a zero-trust approach where access is granted on a least privilege basis and continuously verified based on various parameters like device health, user behavior, and location.
Beyond the immediate audit, a proactive approach involves adopting secure coding practices when writing Apex. Salesforce provides mechanisms for securing in-house code, including bind variables and user-mode queries as safe ways to include user input in SOQL. However, these practices are often overlooked, particularly in non-AppExchange code and in-house developments, which do not pass through the AppExchange security review.
A comprehensive security strategy necessitates the involvement of security specialists in addition to Salesforce developers and administrators. While AppExchange packages typically undergo rigorous scrutiny, in-house code may not receive the same level of attention. Validating that Apex classes are created safely, adhering to best practices, is crucial in preventing vulnerabilities that could lead to data leakage and corruption.
Empowering Organisations in the Face of Apex Vulnerabilities
The recent revelations about vulnerabilities in Apex code underscore the importance of proactive security measures. By adopting a comprehensive security strategy, conducting thorough audits, and following secure coding practices, organisations can navigate the landscape of Apex vulnerabilities.
The experts' insights serve as a roadmap for organisations looking to fortify their defences, stressing the need for meticulous auditing and adherence to the principle of least privilege. Maheswaran's perspective reinforces the shared responsibility model: organisations must actively secure their own data and code even as they rely on cloud-based applications and services.