
Customer Third-Party Connections Recommended Security Settings

Publish Date: Oct 16, 2025
Description

At Salesforce, Trust is our #1 value, and protecting your data is our top priority. 

Security is a shared responsibility. To help our customers strengthen their cybersecurity posture and mitigate potential supply-chain risks associated with third-party integrations, we strongly recommend reviewing and immediately implementing the measures outlined below.  

While not exhaustive, this list includes links to additional resources so customers can make informed security decisions that best protect their Salesforce instances. If you require assistance, we encourage you to reach out to Support via the Help portal.

Recommended Actions for your Organization: 

  1. Comprehensive Review of all Non-SFDC Applications: We encourage an immediate and thorough review of any Non-SFDC Applications that are connected to your Salesforce Services. This includes, but is not limited to, any applications or integrations provided to you by a third party or otherwise developed by you or on your behalf that are connected to your Salesforce Services. Your review should:

  • Record all connected Non-SFDC Applications.

  • Include a thorough review for signs of malicious activity or vulnerabilities.

  • Apply extra scrutiny to applications leveraging the OAuth device flow. We strongly recommend reconsidering approval for these applications due to their associated security risks.

  2. Implementation of Recommended Security Controls: Immediately implement the key platform features and best practices outlined in the blog, Protect Your Salesforce Environment from Social Engineering Threats, to mitigate supply-chain compromises impacting Non-SFDC Applications.

  3. Proactive Security Maintenance via Periodic Secret Rotation: We recommend periodically changing consumer secrets, OAuth app Client IDs and Client Secrets, and rotating tokens used with any Non-SFDC Applications.

  4. Incident Response Protocols: If a Non-SFDC Application is compromised, we recommend rotating all user passwords and secrets, and enforcing IP access controls.

  5. Add a Security Contact to Your Organization: To ensure that we can reach your organization in the case of a security event, we encourage all Signature and Premier customers to add a Security Contact by following the steps outlined in the Help article, Manage Security Contacts for your Salesforce Organization. We encourage Standard Users to update and maintain a current System Admin.

 

We’re dedicated to ensuring the highest levels of security and empowering you with the tools necessary to safeguard your organization. For more tips and insights on securing your Salesforce environment, please visit security.salesforce.com and review the Salesforce Security Guide.

Knowledge Article Number

005226734

 