AutoRabit's CodeScan Shield, released this week, enables Salesforce development teams to check for policy compliance as well as code vulnerabilities across the entire Salesforce landscape, from sandboxes to production.
CodeScan Shield has two modules: CodeScan, an existing application security testing module that AutoRabit acquired in 2021; and OrgScan, a new policy management module that controls who has access to components of an enterprise's Salesforce environment. The platform aims to simplify security scanning, which is needed as security continues to shift left, placing more responsibility for security on developers, according to industry analysts.
"AutoRabit is extending the static analysis beyond code scanning for security issues," said Jack Poller, analyst at Enterprise Strategy Group (ESG), a division of TechTarget. "With OrgScan, DevOps teams are able to evaluate how well the application adheres to security and compliance policies."
Checking for organizational compliance, such as adherence to a multifactor authentication policy, is usually not part of static application security testing (SAST) tools because these are policy violations, not code issues, he said.
Besides extending security checks, CodeScan Shield aims to simplify the security process inside Salesforce by providing a dashboard that alerts team members when violations occur, said Eric Pearson, senior product manager at AutoRabit.
Finding ways to simplify the security process is vital because when security tools or processes take too long or require security expertise, developers will push the code with vulnerabilities, said Melinda Marks, analyst at ESG. Salesforce customers put highly sensitive data into the application, so it's important to ensure secure development to protect all that data, she said.
"Not catching mistakes leaves you vulnerable to security issues," Marks said. "Our research shows most organizations suffer serious consequences from security incidents caused by misconfigurations that could be prevented by implementing static testing to ensure that when code is released, it has been tested and is secure."
More developer responsibility
There is a growing need for simplified tools because surging security threats are one of the consequences of continuous delivery, said Charlotte Dunlap, research director at analysis firm GlobalData.
"These tools also reflect the growing trend toward shift left or IaC -- infrastructure as code -- placing more responsibility with the developer for integrating security earlier into the application development process," Dunlap said.
Other SAST and software composition analysis tools addressing Salesforce include SonarQube, Checkmarx, Snyk and Veracode. But AutoRabit claims better coverage for Salesforce programming languages, ESG's Marks said. The key to whether these types of tools will get accepted and used is how much they automate or reduce manual and tedious tasks, she said.
CodeScan Shield users connect the tool to their Salesforce orgs via an API call. At the time of publication, AutoRabit had not made CodeScan Shield's pricing structure public.