Use Health Check to Scan Your Security Configurations

Learning Objectives

After completing this unit, you’ll be able to:

  • Run a security health check on your own org.
  • Describe what your summary score says about your org’s security health.
  • Identify the Tooling API objects that allow you to get Health Check information.


To complete this unit, make sure that you have the “View Setup and Configuration” and “Manage Password Policies” user permissions.

Ever Wish You Had a Dashboard to See How Safe Your Security Settings Are?

You do—it’s called Health Check. Use Health Check to improve your org’s overall security and your ability to keep out the bad guys.

You can even run it before you’re done with this module! Don’t worry, we’ll wait here.

With Health Check, you can identify and fix vulnerabilities in your security settings, all from a single page. A summary score shows how well your org is aligned with the Salesforce-recommended standard.

Security Health Check page showing 81 percent score and three high risks

Typically, if you change your settings to be less restrictive, your score decreases. For example, suppose you changed your password minimum length from eight characters (the default value) to five, and changed other Password Policies settings to be less restrictive. These changes make your users’ passwords more vulnerable to guessing and other brute force attacks. As a result, your overall score decreases, and the settings are listed as risks.

Identify and Fix Security Risks in Your Org

So how do you get started fixing your org’s security risks? First, go to Health Check in your own org.

From Setup, enter Health Check in the Quick Find box, then select Health Check.

Each setting listed as a risk has a handy Edit link that takes you to the page where you can adjust the setting to the standard value. For reference, standard values are listed in Health Check.

Here’s a video showing an example of improving your Health Check score.

Want to Review Security Across Multiple Orgs? No Problem

Do you write Salesforce code and support multiple Salesforce orgs? (Or know someone who does?) This section is for you.

If not, don’t worry. Just read this section, and store it in your memory bank.

Using the Tooling API, you can retrieve an org’s security settings, risks, Health Check score, and Salesforce baseline settings. You can add this information to your security monitoring systems and dashboards to verify that multiple Salesforce applications have the same level of security.

The Tooling API objects that you use are SecurityHealthCheck and SecurityHealthCheckRisks. Here’s an example of a SOQL query that gets an org’s Health Check score and a list of high-risk settings.

SELECT Score, (SELECT RiskType, Setting, SettingGroup, OrgValue, StandardValue FROM SecurityHealthCheckRisks WHERE RiskType='HIGH_RISK') FROM SecurityHealthCheck


To get Health Check information through the API, you need command-line and administrative access to your Salesforce application.
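Here's one way to feed that query into a multi-org monitoring check. This is an added example, not Salesforce's own code: the API version, the 80-point threshold, the helper names, and the sample responses are assumptions constructed for illustration.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

SOQL = ("SELECT Score, (SELECT RiskType, Setting, SettingGroup, OrgValue, StandardValue "
        "FROM SecurityHealthCheckRisks WHERE RiskType='HIGH_RISK') FROM SecurityHealthCheck")
API_VERSION = "v58.0"  # assumption: set to a version your orgs support

def query_url(instance_url):
    """Tooling API REST query endpoint for one org."""
    return f"{instance_url.rstrip('/')}/services/data/{API_VERSION}/tooling/query/?q={quote(SOQL)}"

def fetch(instance_url, access_token):
    """Run the query against a live org (needs network and a valid session token)."""
    req = Request(query_url(instance_url), headers={"Authorization": f"Bearer {access_token}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize(org, response, min_score=80.0):
    """Reduce one query response to a row for a monitoring dashboard."""
    records = response.get("records") or []
    if not records:  # no row returned: treat as a failure, never as a pass
        return {"org": org, "score": None, "high_risks": [], "ok": False}
    rec = records[0]
    score = float(rec["Score"])  # accepts the score as a string or a number
    # A child relationship with no rows may come back as null instead of a list.
    risks = (rec.get("SecurityHealthCheckRisks") or {}).get("records") or []
    high = [f'{r["SettingGroup"]}: {r["Setting"]} = {r["OrgValue"]} (standard {r["StandardValue"]})'
            for r in risks]
    return {"org": org, "score": score, "high_risks": high, "ok": score >= min_score and not high}

def failing_orgs(responses, min_score=80.0):
    """Return only the orgs that need attention, in input order."""
    rows = [summarize(org, resp, min_score) for org, resp in responses.items()]
    return [row for row in rows if not row["ok"]]

# Constructed sample responses (hypothetical org names, not real org data).
SAMPLE = {
    "prod": {"records": [{"Score": "81", "SecurityHealthCheckRisks": {"records": [
        {"RiskType": "HIGH_RISK", "Setting": "Minimum password length",
         "SettingGroup": "Password Policies", "OrgValue": "5", "StandardValue": "8"}]}}]},
    "sandbox": {"records": [{"Score": "94", "SecurityHealthCheckRisks": None}]},
    "new-org": {"records": []},
}

if __name__ == "__main__":
    for row in failing_orgs(SAMPLE):
        print(row)
```

To run it against live orgs, pass each org's instance URL and session token to fetch and hand the result to summarize.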




Remember, this module is meant for Salesforce Classic. When you launch your hands-on org, switch to Salesforce Classic to complete this challenge.
