DevSecOps: How DevOps embraces security
David Runciman on August 26th 2020
More and more Salesforce teams are adopting DevOps and reaping the rewards. Salesforce developers and admins are increasingly familiar with DevOps concepts. But what about DevSecOps - a term that's been doing the rounds for a little while? What does it mean for your Salesforce team?
DevSecOps is about breaking down silos between development, security and operations - with security consciously placed at the center. Essentially, DevSecOps is DevOps done well; security should be baked in at the beginning, not left as an afterthought.
DevSecOps in the Salesforce ecosystem
Salesforce teams that have embraced DevOps should recognize that they're also responsible for keeping their company's org secure. While Salesforce provides your company with security infrastructure, it's your team of developers and admins that keeps your org's data and metadata secure day to day.
DevSecOps with Gearset
Here at Gearset, security underpins everything we do - just take a look at our trust page - and we're helping our users to put security at the heart of their processes. Using Gearset, teams are keeping their orgs secure with the following Salesforce DevOps practices.
Having backups as part of your DevOps process is the best way to secure your org's data and metadata. If mistakes are made during development, or if data is lost in any other way, backups provide a fallback so you can restore your org. Running an extra backup on-demand from within your DevOps tool, just before a risky release, means you can restore your org's data and metadata if anything goes wrong.
It's not just your data that needs backing up for security. Having metadata backups means being able to restore profiles and permissions - the metadata types that control users' access to data in Salesforce. A Salesforce outage in 2019 demonstrated this risk: many companies found their permissions model had been corrupted, granting all users sysadmin access to data. Teams with metadata backups were able to restore their permissions quickly and protect their company's data.
Gearset's backup solution automatically runs daily backups of both data and metadata, while additional backups can quickly and easily be run on-demand. Backup data is stored securely, with enterprise-grade encryption in transit and at rest. Gearset also restores data reliably, preserving parent-child relationships between records.
It's great that Salesforce is so easily configurable, but this does mean someone can change or add customizations directly in your company's production environment without you noticing. Lots of Salesforce teams are in the dark about these changes, which can introduce vulnerabilities. Gearset's change monitoring tool notifies you of changes made to your org, so you can be sure nothing happens without you knowing about it. This insight, into who changed what and when, gives you peace of mind and keeps your org's data secure.
You can also explore your org's permissions from the monitoring history page in Gearset. This makes it much easier to keep track of who has access to what data, based on the Profiles and Permission sets your company uses.
Testing is a key part of any DevOps workflow and a vital way to keep data secure. Of course, Salesforce enforces 75% code coverage - you can't deploy code if your work falls short of that threshold. It's important that tests aren't just written to get work deployed; they should properly test the logic of your code. It's also important that you keep running these tests in your org. Tests can start to fail silently because of subsequent changes made to the org - and old code can compromise security.
Gearset automates daily unit testing, so you can track the code coverage in your org and see which tests are failing. To set up a unit testing job, just choose an org, specify what code coverage you're aiming for, and configure your notification settings.
It's useful to test the new features you're building in a sandbox environment with real data from production. Real data can be complicated, and it can highlight edge cases where the behaviour of the new feature isn't quite right. But deploying data from production to a sandbox environment isn't great for security - especially if the kind of data you need contains sensitive information.
Gearset's data masking lets you use this data safely. During data deployments in Gearset, you can choose to substitute your sensitive records for fictitious records with the same format. This keeps the complexity of the data for testing, but prevents sensitive information getting out of production and into developer orgs. You can configure data masking, choosing which kinds of data you want to mask and how you would like to mask them.
Embrace DevSecOps in your workflow
With backups, monitoring, unit testing, and data masking, you can make sure that your DevOps processes are helping to keep your Salesforce org secure. If you're not already using these features in Gearset, why not set them up now? A free 30-day trial with full access to Gearset is available for all new users. If you're already using parts of Gearset, and you're interested in gaining value from more of its features, you can reach out to us in the live chat or at [email protected].