Skip to main content
Build the future with Agentforce at TDX in San Francisco or on Salesforce+ on March 5–6. Register now.

Implement Security Fundamentals

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain how cybersecurity affects product development.
  • Describe the security pillars.
  • Identify how to measure cybersecurity.

Your Role in Cybersecurity

Cybersecurity has an enormous impact in modern society. Almost everything in our day to day depends on information and communication technology that is vulnerable to some form of threat. Cybersecurity relies on solid security measures and clear verification that these measures are operational and effective. Protecting sensitive data is vital to maintaining trust in an organization’s information systems.   

Two computers in the process of a secure handshake.

You’re an engineer who builds and manages products and services, and your organization counts on you to protect these assets. You play an important role in your customers’ security. While your organization likely has a dedicated security team that monitors and improves your applications, systems, and processes, it is up to you to ensure your code does not leave your organization vulnerable. 

Following security best practices, including reporting suspicious behavior to your organization’s security team and defending against phishing attacks and badge surfing, are good habits. However, as an engineer or developer, you are responsible for more than the average employee. In this module, we talk about an overall approach to security that can help you keep your organization secure.

Why Keep Cybersecurity Top of Mind?

Cybersecurity issues affect all of us. Think about the last time a security breach impacted you. Did you have to get a new credit card number? Did you go through the hassle of changing all of your passwords? How did you feel about the company that leaked your information and caused you all this trouble? 

As a developer, you work to avoid security breaches. While it’s true that there are plenty of bad actors out there looking to take advantage of vulnerabilities, the biggest security problems tend to be self-inflicted. This is where internal awareness can truly pay off. 

The Call Is Coming from Inside the House

A self-inflicted cybersecurity threat is one that comes from inside your organization. These internal attacks can be from a malicious insider. But they can also arise when an employee accidentally allows attackers to compromise their user account or unknowingly downloads dangerous malware onto their workstation. Those involved in downloading dangerous malware include regular users as well as privileged users (e.g., system administrators) which highlights the fact that cybersecurity awareness is important at all levels of the organization.

Internal attacks are an ongoing cybersecurity threat businesses face, and security experts have seen a significant uptick in self-inflicted security issues in recent years. These incidents are problematic for many reasons, primarily because they erode customer trust. Maintaining your customer’s trust requires that each member of your organization does their part, because once trust is gone, it's nearly impossible to get it back. 

Self-inflicted incidents also burn up a substantial number of resources. This includes time spent by your legal, public relations, technology, communications, support, and incident response teams, who typically have to pause their regular workloads to attend to security breaches. 

Prevent Change-Induced Incidents

One of the most pernicious types of self-inflicted incidents is the change-induced incident. Select employees at your organization, such as developers, engineers, and documentation teams, may have access to systems in production to manage, apply, and verify configuration settings. If you are in one of these roles, it may be tempting to change the security controls that keep your data safe to make your life easier. 

Doing so, however, comes with a security tradeoff. Making changes to production and security controls can result in an incident if proper processes are not followed. Even the best policies won’t be effective in maintaining the security of your customers’ data if you don’t follow them consistently. Thus, when making changes, be sure to follow your organization’s change management standards. Never disable security controls. If you think your situation involves an exception, contact the appropriate team at your organization for guidance on next steps.

Keep Credentials out of Your Code

Credentials exposed in code are one of the riskiest security vulnerabilities that experts report. Your system is only as secure as its weakest link. It is critical to prevent embedding organizational secrets and credentials within a Git repository or a local machine. You can use static code analysis tools such as Fortify Static Code Analyzer, Synopsys, and BluBracket to sidestep this danger. These tools detect any passwords or passphrases checked into your code.  

In addition to avoiding exposing credentials in your code, you can also help prevent breaches by learning and implementing security pillars and secure design principles. 

Three Security Pillars

There are three pillars of security that make up the CIA triad. 

  • Confidentiality
  • Integrity
  • Availability

Confidentiality

Confidentiality is the security principle that controls access to information. It ensures that access to sensitive information is given only to those who need it. Confidentiality is in play when an organization configures role-based access or requires special training for other access situations. Your organization likely has a confidentiality attestation, for example, that every employee regularly completes when logging onto your network and systems.

Confidentiality is at the heart of a security principle that we discuss later in this trail: the principle of least privilege. Least privilege means that information access is restricted across organizations. Instead of giving everyone access to everything, you give access only to those who are authorized to view a set of data. This means you’ve categorized your data according to the type and severity of damage that can result if that data falls into unauthorized hands. 

Some ways to protect confidentiality include requiring special training for those who share sensitive data, familiarizing authorized users with security risk factors, and teaching these users how to guard vulnerable data assets. This can involve training users about anti-phishing measures, using strong password protection, and enabling multi-factor authentication (MFA) mechanisms such as biometric verification, security tokens, and digital certificates. 

Integrity

The second security pillar, integrity, ensures that sensitive data is trustworthy and accurate and that it is maintained in a consistent, correct, and reliable manner across its lifecycle. Integrity also means protecting sensitive data in transit (when data is moved, such as across a network or the internet) and at rest (when data is stored, such as in a database) to make sure it is not altered when implementing security measures such as file permissions and user access controls

Backups and redundancy plans are a key element of integrity. These ensure that if a file has been modified or corrupted, it can be reset to the most recent, accurate, and trustworthy version. Redundancy controls are also crucial in case of a nonhuman-caused event, such as a server crash or an environmental failure. Good integrity controls include using cryptographic checksums for verifying sensitive data. A cryptographic checksum (or hash) is a small-sized block of data that uniquely represents the content of a file. Users can utilize a checksum to test a file at a later date and verify that the data contained in the file has not been maliciously changed. 

Availability

Availability is the third pillar of the CIA triad. In the context of security, availability means that authorized users have reliable access to the systems and resources they need. Availability also means systems are upgraded on a consistent and prompt basis.

You can enable availability by having quick and adaptive disaster recovery plans for worst-case scenarios. These plans help safeguard against interruptions in connections and data loss in case of a natural disaster, fire, or even malicious activities such as denial-of-service (DoS) attacks and network intrusions.

The CIA security triad is an important security concept because it provides the basis for creating a holistic security plan to protect all of your organization’s sensitive assets.

Cybersecurity Standards

How do you know that you're meeting the CIA objectives? You can ensure confidentiality, integrity, and availability by documenting your security requirements in your organization’s cybersecurity standards. It is best to keep standards and their supporting documents, including implementation solutions, centrally located and easy for employees to find. 

It’s also helpful to make standards searchable and to organize them by a control framework, such as the National Institute of Standards and Technology (NIST) 800-53 control family, user role, and team. This can assist you in staying organized and meeting the many compliance requirements that likely apply to your organization. Staying in compliance helps your organization remain secure and enables you to meet various security certifications. 

Resources

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback