Use Health Check to Scan Your Security Configurations

You can even run it before you’re done with this module! Don’t worry, we’ll wait here.

With Health Check, you can identify and fix vulnerabilities in your security settings, all from a single page. A summary score shows how well your org is aligned with the Salesforce-recommended standard.

Typically, if you change your settings to be less restrictive, your score decreases. For example, suppose you changed your password minimum length from eight characters (the default value) to five, and changed other Password Policies settings to be less restrictive. These changes make your users’ passwords more vulnerable to guessing and other brute force attacks. As a result, your overall score decreases, and the settings are listed as risks.

From Setup, enter Health Check in the Quick Find box, then select Health Check.

Each setting listed as a risk has a handy Edit link that takes you to the page where you can adjust the setting to the standard value. For reference, standard values are listed in Health Check.

Here’s a video showing an example of improving your Health Check score.

If not, don’t worry. Just read this section, and store it in your memory bank.

Using the Tooling API, you can retrieve an org’s security settings, risks, Health Check score, and Salesforce baseline settings. You can add this information to your security monitoring systems and dashboards to verify that multiple Salesforce applications have the same level of security.

The Tooling API objects that you use are SecurityHealthCheck and SecurityHealthCheckRisks. Here’s an example of a SOQL query that gets an org’s Health Check score and a list of high-risk settings.

SELECT Score, (SELECT RiskType, Setting, SettingGroup, OrgValue, StandardValue FROM SecurityHealthCheckRisks WHERE RiskType='HIGH_RISK') FROM SecurityHealthCheck
 

Note

To get Health Check information through the API, you need command-line and administrative access to your Salesforce application.