Lessons From the GitHub Cybersecurity Breach
This Tech Tip outlines three steps security teams should take to protect information stored in Salesforce.
No one likes to hear the B-word: breach. Developers definitely don’t want to hear that word in relation to a platform they use day in and day out.
When GitHub disclosed in April 2022 that an attacker had downloaded data from dozens of private code repositories, it was a nightmare scenario, and the weak point was not GitHub itself. The attacker had stolen OAuth user tokens that GitHub had issued to two third-party integrators, the platform-as-a-service Heroku and the CI service Travis CI, and used those tokens to list and download the private repositories of users who had authorized those apps.
GitHub's assessment was that the attacker was likely mining the downloaded repository contents for secrets that could be used to pivot into other infrastructure. In other words, a token stolen from one integration became the key to everything the code in those repositories could reach.
Where does your organization's most sensitive information actually live? Heroku is a Salesforce company, and Heroku apps frequently connect to a Salesforce org through Heroku Connect or the Salesforce APIs, so the repository behind a Heroku app is exactly where a Salesforce username, password, security token or connected-app secret tends to sit. For these organizations, Salesforce houses the information that, if exposed, could cripple the business. Security teams need to think about protecting that Salesforce data, and every third-party integration that holds a token to it is one more place that token can be stolen from.
These three simple steps can help improve cybersecurity posture on Salesforce.
1. Use Salesforce-Native Applications
Applications built natively on Salesforce keep your data inside the platform's own access controls, session management and audit logs rather than copying it to an external service that holds a long-lived API token for your org. Fewer external integrations means fewer OAuth tokens that can be stolen, which is precisely the attack surface this breach exploited. A native app still runs with whatever permissions it is granted, so review those permissions as you would for any other user.
2. Establish a Zero-Trust Model
Never trust, always verify. Give every user, including every integration user, the minimum permissions needed for the job: permission sets scoped to specific objects and fields rather than profiles or permission sets carrying View All Data or Modify All Data, and API access only where an integration genuinely needs it. Require users and integrations to prove their identity before access is granted, with MFA for people and short-lived, narrowly scoped credentials for automation, and re-verify rather than assuming a past login is still trustworthy. Audit everything: login history, setup changes and API access.
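One concrete way to check the least-privilege part of this step is to audit which users and integration accounts hold broad data permissions. The script below is an added example, not code from the original article. It works over the JSON shape returned by the Salesforce REST query endpoint for two SOQL queries over the standard PermissionSet and PermissionSetAssignment objects (the field names are Salesforce's; the records themselves are constructed sample data, not from a real org), and flags every assignment that grants org-wide data access, user management or Apex authoring, noting when API access is paired with it.

```python
"""Audit Salesforce permission-set assignments for over-privileged users.

Added example (not from the original article). Input is the JSON returned by
GET /services/data/vXX.X/query?q=... for the two SOQL queries named below.
The records embedded here are constructed sample data.
"""
import json
from collections import defaultdict

# Boolean fields on PermissionSet that grant org-wide data access or let the
# holder bypass controls. Any one of these is a high-risk grant.
HIGH_RISK_PERMS = {
    "PermissionsModifyAllData": "Modify All Data",
    "PermissionsViewAllData": "View All Data",
    "PermissionsManageUsers": "Manage Users",
    "PermissionsAuthorApex": "Author Apex",
}

# Constructed sample for:
#   SELECT Id, Name, IsOwnedByProfile, PermissionsApiEnabled, PermissionsViewAllData,
#          PermissionsModifyAllData, PermissionsManageUsers, PermissionsAuthorApex
#   FROM PermissionSet
PERMISSION_SETS_JSON = """
{"totalSize": 3, "done": true, "records": [
  {"Id": "0PS000000000001AAA", "Name": "Integration_ReadAll", "IsOwnedByProfile": false,
   "PermissionsApiEnabled": true, "PermissionsViewAllData": true, "PermissionsModifyAllData": false,
   "PermissionsManageUsers": false, "PermissionsAuthorApex": false},
  {"Id": "0PS000000000002AAA", "Name": "Sales_Rep", "IsOwnedByProfile": false,
   "PermissionsApiEnabled": false, "PermissionsViewAllData": false, "PermissionsModifyAllData": false,
   "PermissionsManageUsers": false, "PermissionsAuthorApex": false},
  {"Id": "0PS000000000003AAA", "Name": "Admin_Profile_PermSet", "IsOwnedByProfile": true,
   "PermissionsApiEnabled": true, "PermissionsViewAllData": true, "PermissionsModifyAllData": true,
   "PermissionsManageUsers": true, "PermissionsAuthorApex": true}
]}
"""

# Constructed sample for:
#   SELECT PermissionSetId, Assignee.Username FROM PermissionSetAssignment
ASSIGNMENTS_JSON = """
{"totalSize": 4, "done": true, "records": [
  {"PermissionSetId": "0PS000000000001AAA", "Assignee": {"Username": "alice@example.com"}},
  {"PermissionSetId": "0PS000000000003AAA", "Assignee": {"Username": "alice@example.com"}},
  {"PermissionSetId": "0PS000000000002AAA", "Assignee": {"Username": "bob@example.com"}},
  {"PermissionSetId": "0PS000000000001AAA", "Assignee": {"Username": "svc-heroku@example.com"}}
]}
"""


def risky_grants(perm_set: dict) -> list[str]:
    """Human-readable names of the high-risk permissions a set grants.

    API Enabled alone is not flagged, but it is appended whenever it is paired
    with a high-risk grant: that pairing is exactly what a stolen integration
    token needs to pull the whole org over the API.
    """
    grants = [label for field, label in HIGH_RISK_PERMS.items() if perm_set.get(field)]
    if grants and perm_set.get("PermissionsApiEnabled"):
        grants.append("API Enabled")
    return grants


def audit(perm_sets_json: str, assignments_json: str) -> dict[str, list[dict]]:
    """Map each username to the risky permission sets assigned to it."""
    perm_sets = {r["Id"]: r for r in json.loads(perm_sets_json)["records"]}
    findings: dict[str, list[dict]] = defaultdict(list)
    for assignment in json.loads(assignments_json)["records"]:
        perm_set = perm_sets.get(assignment["PermissionSetId"])
        if perm_set is None:
            continue  # assignment references a set the query did not return
        grants = risky_grants(perm_set)
        if not grants:
            continue
        findings[assignment["Assignee"]["Username"]].append({
            "permission_set": perm_set["Name"],
            # Profile-owned sets mean the grant comes from the user's profile,
            # which is the harder one to scope down.
            "via_profile": bool(perm_set.get("IsOwnedByProfile")),
            "grants": grants,
        })
    return dict(findings)


if __name__ == "__main__":
    for user, items in audit(PERMISSION_SETS_JSON, ASSIGNMENTS_JSON).items():
        for item in items:
            source = "profile" if item["via_profile"] else "permission set"
            print(f"{user}: {item['permission_set']} ({source}) grants {', '.join(item['grants'])}")
```

Run against a real org by replacing the two embedded JSON strings with the responses to the same queries; a service account such as the constructed `svc-heroku@example.com` showing View All Data plus API Enabled is the kind of grant to scope down to the specific objects the integration reads.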
3. Utilize Secrets Management
Never store credentials in clear text, and always assume a private repository is public; the GitHub incident turned exactly that assumption into reality. A secrets management solution keeps credentials out of source code and configuration files, rotates them on a schedule and immediately after any suspected exposure, and gives you an inventory of which secrets exist and who or what can read them.
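The "assume private repositories are public" rule is easiest to enforce by scanning what is about to be committed. The script below is an added example, not code from the original article or from GitHub or Salesforce. It reports two classes of finding over a set of file contents: strings in a known credential format, and generic assignments of password-, secret- or token-like keys to literal values, while ignoring environment-variable lookups and documentation placeholders. The GitHub token shape (a `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` prefix plus 36 base62 characters) follows GitHub's published format; the fine-grained PAT length and the Salesforce session-ID shape (15-character org ID, `!`, opaque token) are assumptions, and all file contents are constructed sample data.

```python
"""Scan repository files for credentials committed in clear text.

Added example, not code from the original article. The sample files are
constructed; the GitHub token regex follows GitHub's published prefix format,
the other two formats are assumptions about observed values.
"""
import math
import re
from collections import Counter

# 1. Known credential formats: a match is a finding regardless of context.
KNOWN_FORMATS = {
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "GitHub fine-grained PAT": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{80,}\b"),  # assumed length
    "Salesforce session ID": re.compile(r"\b00D[A-Za-z0-9]{12}![A-Za-z0-9._]{20,}"),  # assumed shape
}

# 2. Generic "<credential-ish key> = <literal>" in Python, shell, JSON, YAML or .env syntax.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_\-]*(?:password|passwd|pwd|secret|token|api[_-]?key|session[_-]?id)[a-z0-9_\-]*)"
    r"\s*[:=]\s*[\"']?([^\s\"',;]{8,})"
)
PLACEHOLDERS = {"changeme", "password", "example", "placeholder", "redacted", "xxxxxxxx"}
INDIRECTION = ("os.environ", "getenv", "${", "$(", "<", "(", "[")

# Constructed sample repository: three files with leaked credentials, one done right.
SAMPLE_FILES = {
    "config/settings.py": (
        'SF_USERNAME = "integration@example.com"\n'
        'SF_PASSWORD = "Tr0ub4dor&3"\n'
        'SF_SECURITY_TOKEN = "9fQ2lx7Pz1aRbV3nKd0Ws"\n'
    ),
    "app.json": '{"GITHUB_TOKEN": "ghp_AbCdEf0123456789AbCdEf0123456789AbCd"}\n',
    "deploy.sh": 'export SESSION_ID="00D5g0000012AbC!AQEAQ3xK7vB2nL9mP4sT8wY1zC5dF6hJ"\n',
    # Hardened form: the value comes from the environment (fed by a secrets manager).
    "safe.py": (
        'SF_PASSWORD = os.environ["SF_PASSWORD"]\n'
        '# password = "changeme"  (placeholder in docs)\n'
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character; real secrets score high, repeated filler scores low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_literal_secret(value: str) -> bool:
    """Reject env-var lookups, templates and documentation placeholders."""
    if any(marker in value for marker in INDIRECTION):
        return False
    if value.lower() in PLACEHOLDERS:
        return False
    return shannon_entropy(value) >= 2.5


def mask(value: str) -> str:
    """Never write the full secret into a report."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> list[dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_known = False
        for kind, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind, "value": mask(m.group(0))})
                matched_known = True
        if matched_known:
            continue  # don't report the same line again as a generic assignment
        for m in GENERIC_ASSIGNMENT.finditer(line):
            key, value = m.group(1), m.group(2)
            if is_literal_secret(value):
                findings.append({"path": path, "line": lineno, "kind": "hard-coded credential",
                                 "key": key, "value": mask(value)})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f.get('key', '')} {f['value']}")
```

Wire `scan_files` to the staged diff in a pre-commit hook, or run it over every blob in a repository's history before the repository is handed to any third-party integration; a secret that is already in history is the one a stolen token would find.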
With these controls in place, developers, infosec teams and executives can be far more confident that the organization's most sensitive data stays protected, even when a platform they depend on has a bad day.