The Importance of Salesforce Integration Health Checks
Salesforce systems contain sensitive, critical data, making regular health checks of integrations essential to ensure ongoing data security.
As a seasoned cybersecurity professional with over 20 years of experience at companies like F-Secure, I've witnessed numerous cyber threats. One area of concern is the unchecked integrations in Salesforce environments. Salesforce systems house sensitive data crucial to businesses, and administrators often face significant toil to maintain good hygiene. However, the risk of unchecked integrations and apps accessing this data is very real.
In this post, I will discuss the Sisense breach and its implications for Salesforce environments, the role of tokens in integrations, the relevance of such threats to Salesforce, and what actions you can take.
The Sisense Breach
In April 2024, the Cybersecurity and Infrastructure Security Agency (CISA) reported that Sisense had been breached. The attackers exploited a credential stored in GitLab to access Amazon S3 buckets, exfiltrating several terabytes of data, including millions of access tokens. These tokens, essential for integration services, enable authentication, authorization, session management, secure communication, and more.
Who is Sisense?
Sisense is a dashboard platform used for analytics and data insights, with clients including many well-known companies. Despite having robust security certifications like SOC2, ISO27001, ISO27701, and HIPAA, the breach exposed significant vulnerabilities. The breach’s impact was hard to assess due to the uncertainty about which tokens were compromised, potentially affecting both current and former Sisense customers.
Understanding OAuth Tokens
Salesforce Connected Apps OAuth Usage
Salesforce heavily utilizes OAuth 2.0 for secure integration. The “Connected Apps OAuth Usage” view in Salesforce Setup allows administrators to manage and revoke OAuth tokens. OAuth tokens facilitate secure access by providing temporary keys, while refresh tokens are used to obtain new access tokens.
Relevance to Salesforce
Sisense’s integration with Salesforce means some customers likely connected the two platforms. This breach highlights the potential risk for Salesforce environments if one of their integrated services is compromised. Salesforce administrators should be vigilant and ready to revoke tokens swiftly in cases like this. The default validity for Oauth refresh tokens in Salesforce is “forever” – they never expire. This means that even applications you stopped using a long time ago are likely to still have access to your environment unless you remembered to revoke their token when you stopped using the service.
Best Practices
Regular Token Revocation: Always revoke tokens for services no longer in use.
Monitor Integrations for signs of token compromise.
Use Named Credentials: Avoid hardcoding secrets in source code; use dynamic secret management.
Prioritize Cleaning: Regularly clean up unused tokens – e.g. start by revoking tokens that have not been used even once during the past two years. The Oauth access scope and user permission of the token should also affect the priority.
Introducing Valo
Inspired by the risks associated with unchecked tokens, I co-founded Valo with cybersecurity experts, including former leaders from Salesforce Shield and Salesforce Security Health Check. Valo offers an AI-powered solution to automate the discovery and remediation of high-risk tokens and integrations, ensuring optimal security for Salesforce environments.
By following these guidelines and utilizing advanced tools like Valo, that automate integration health checks, Salesforce administrators can better secure their environments and protect sensitive data from potential breaches
Mika Stahlberg