DevSecOps: How Salesforce DevOps embraces security

DevSecOps: How Salesforce DevOps embraces security

David Runciman on

Share with


More and more Salesforce teams are adopting DevOps and reaping the rewards. Salesforce developers and admins are increasingly familiar with DevOps concepts. But what about DevSecOps — a term that’s been doing the rounds for a little while? What does it mean for your Salesforce team?

DevSecOps is about breaking down silos between development, security and operations—with security consciously placed at the center. Essentially, DevSecOps is DevOps done well; security should be baked in at the beginning, not left as an afterthought.

DevSecOps in the Salesforce ecosystem

Salesforce teams that have embraced DevOps should recognize that they’re also responsible for keeping their company’s org secure. While Salesforce provides your company with security infrastructure, it’s your team of developers and admins that keeps your org’s data and metadata secure day to day.

Along with benefiting the day-to-day operation of your organization, adopting DevSecOps can also play a pivotal role in preparing for an IPO or demonstrating SOX compliance.

Gearset DevOps Summit: Developing a long-term Salesforce DevOps mindset

Find out more

DevSecOps with Gearset

Here at Gearset, security underpins everything we do—just take a look at our trust page—and we’re helping our users to put security at the heart of their processes. Using Gearset, teams are keeping their orgs secure with the following Salesforce DevOps practices.

Backup and restore

Having backups as part of your DevOps process is the best way to secure your org’s data and metadata. If mistakes are made during development, or if data is lost in any other way, backups provide a fallback so you can restore your org. Running an extra backup on-demand from within your DevOps tool, just before a risky release, means you can restore your org’s data and metadata if anything goes wrong.

It’s not just your data that needs backing up for security. Having metadata backups means being able to restore profiles and permissions—the metadata types that control users’ access to data in Salesforce. A Salesforce outage in 2019 demonstrated this risk: many companies found their permissions model had been corrupted, granting all users sysadmin access to data. Teams with metadata backups were able to restore their permissions quickly and protect their company’s data.

Gearset’s backup solution automatically runs daily backups of both data and metadata, while additional backups can quickly and easily be run on-demand. Backup data is stored securely, with enterprise-grade encryption in transit and at rest. Gearset also restores data reliably, preserving parent-child relationships between records.

Gearset screenshot: reviewing backup history for Salesforce data and metadata

Monitoring and alerts

It’s great that Salesforce is so easily configurable, but this does mean someone can change or add customizations directly in your company’s production environment without you noticing. Lots of Salesforce teams are in the dark about these changes, which can introduce vulnerabilities. Gearset’s change monitoring tool notifies you of changes made to your org, so you can be sure nothing happens without you knowing about it. This insight, into who changed what and when, gives you peace of mind and keeps your org’s data secure.

Gearset screenshot: Salesforce org monitoring

You can also explore your org’s permissions from the monitoring history page in Gearset. This makes it much easier to keep track of who has access to what data, based on the Profiles and Permission sets your company uses.

Gearset screenshot: keeping track of profiles and permissions

Version control

Version control is an essential part of any DevOps process, and it also brings significant security benefits. Instead of production being a single point of failure, your main branch becomes the single source of truth for your team. With teammates reviewing each other’s pull requests, errors and vulnerabilities are more likely to be caught during development.

Gearset screenshot: working with version control


Once your team has adopted version control successfully and has reliable deployments, you’re ready to begin automating parts of your release pipeline. By continuously integrating development work into the main branch and automatically deploying to environments such as Staging, QA, or UAT, your team can be sure their work is deployable and get to work on testing. Automation also encourages short iterative releases, making it easier to roll back any problematic packages. A lightning-fast release process also means teams can respond quickly when a bug is identified.

Gearset screenshot: constructing an automated release pipeline for Salesforce

Automated unit testing

Testing is a key part of any DevOps workflow and a vital way to keep data secure. Of course, Salesforce enforces 75% code coverage—you can’t deploy code if your work falls short of that threshold. It’s important that tests aren’t just written to get work deployed; they should properly test the logic of your code. It’s also important that you keep running these tests in your org. Tests can start to fail silently because of subsequent changes made to the org - and old code can compromise security.

Gearset automates daily unit testing, so you can track the code coverage in your org and see which tests are failing. To set up a unit testing job, just choose an org, specify what code coverage you’re aiming for, and configure your notification settings.

Gearset screenshot: setting up automated unit testing for Salesforce

Data masking

It’s useful to test the new features you’re building in a sandbox environment with real data from production. Real data can be complicated, and it can highlight edge cases where the behaviour of the new feature isn’t quite right. But deploying data from production to a sandbox environment isn’t great for security - especially if the kind of data you need contains sensitive information.

Gearset’s data masking lets you use this data safely. During data deployments in Gearset, you can choose to substitute your sensitive records for fictitious records with the same format. This keeps the complexity of the data for testing, but prevents sensitive information getting out of production and into developer orgs. You can configure data masking, choosing which kinds of data you want to mask and how you would like to mask them.

Gearset screenshot: masking Salesforce data deployed to a testing environment

Embrace DevSecOps in your workflow

Gearset offers all of the above, so you can begin implementing a more secure release process today. Just book a consultation with one of our experts to see how Gearset can help secure your orgs.

If you want to understand more about DevSecOps, including the tools, people, and processes you need, download our ebook Deciphering DevSecOps for Salesforce Teams.

Try all of Gearset for free