Platform Security · Salesforce

Salesforce security — config, code, sharing and data.

Salesforce secures the platform — you own the configuration, sharing model, permissions, Apex/LWC code and connected apps. WoneShield secures exactly that layer: continuous SSPM plus expert assessment, hardening and monitoring.

Salesforce · Security (sample dashboard)
Over-shared: 412 · CIS score: 74% · Insecure Apex: 7
Findings by area: Sharing / OWD 12 · Profiles 9 · Apex / LWC 7 · Connected apps 4
Recent alerts: Guest user can read Cases (Experience Cloud, now) · Apex class runs without sharing (1h ago)

Salesforce security done right · mapped to the CIS Salesforce benchmark

CIS Salesforce · ISO 27001 · SOC 2 · OWASP (Apex/LWC)

Why Salesforce security

Your biggest Salesforce risk is a setting or a line of code.

Over-permissive sharing

Loose org-wide defaults, broad sharing rules and public groups quietly expose records to users — and guests — who should never see them.

Insecure Apex & LWC code

Custom code that skips CRUD/FLS checks, is declared ‘without sharing’, or builds SOQL/SOSL from user input (injection) turns your own customizations into the attack path.

Excessive profiles & connected apps

‘Modify All Data’, API-enabled profiles and over-scoped OAuth connected apps grant far more access than anyone audits.
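The permissions named above can be enumerated from inside the org. The following is an added example, not WoneShield's code or output: it runs an Apex audit over the standard PermissionSet and PermissionSetAssignment objects (a profile's permissions live on its underlying PermissionSet, flagged by IsOwnedByProfile) and reports every profile or permission set that grants ‘Modify All Data’, ‘View All Data’, ‘API Enabled’ or ‘Author Apex’, together with the number of active users holding it. Class, method and result names are illustrative; the field names are the standard ones as far as I know them and should be confirmed against your org's API version.

```apex
// Added example (not WoneShield's code). Standard PermissionSet / PermissionSetAssignment fields.
// Run as a user who can read setup objects (e.g. from Anonymous Apex as an admin).
public with sharing class HighPrivilegeAudit {

    public class Finding {
        public String name;            // profile name or permission set label
        public String kind;            // 'Profile' or 'PermissionSet'
        public List<String> grants;    // which high-risk permissions it carries
        public Integer activeAssignees; // active users holding it
        public Finding(String name, String kind) {
            this.name = name;
            this.kind = kind;
            this.grants = new List<String>();
            this.activeAssignees = 0;
        }
    }

    public static List<Finding> run() {
        // Active users per permission set. Profile-owned permission sets appear here too,
        // because every user is assigned to their profile's underlying PermissionSet.
        Map<Id, Integer> assignees = new Map<Id, Integer>();
        for (AggregateResult ar : [SELECT PermissionSetId psId, COUNT(Id) n
                                   FROM PermissionSetAssignment
                                   WHERE Assignee.IsActive = true
                                   GROUP BY PermissionSetId]) {
            assignees.put((Id) ar.get('psId'), (Integer) ar.get('n'));
        }

        List<Finding> findings = new List<Finding>();
        for (PermissionSet ps : [SELECT Id, Label, IsOwnedByProfile, Profile.Name,
                                        PermissionsModifyAllData, PermissionsViewAllData,
                                        PermissionsApiEnabled, PermissionsAuthorApex
                                 FROM PermissionSet
                                 WHERE PermissionsModifyAllData = true
                                    OR PermissionsViewAllData = true
                                    OR PermissionsApiEnabled = true
                                    OR PermissionsAuthorApex = true]) {
            Finding f = new Finding(
                ps.IsOwnedByProfile ? ps.Profile.Name : ps.Label,
                ps.IsOwnedByProfile ? 'Profile' : 'PermissionSet');
            if (ps.PermissionsModifyAllData) f.grants.add('ModifyAllData');
            if (ps.PermissionsViewAllData)   f.grants.add('ViewAllData');
            if (ps.PermissionsApiEnabled)    f.grants.add('ApiEnabled');
            if (ps.PermissionsAuthorApex)    f.grants.add('AuthorApex');
            f.activeAssignees = assignees.containsKey(ps.Id) ? assignees.get(ps.Id) : 0;
            findings.add(f);
        }
        return findings;
    }

    // Convenience entry point for Anonymous Apex: one line per finding in the debug log.
    public static void printReport() {
        for (Finding f : run()) {
            System.debug(f.kind + ' "' + f.name + '": ' + String.join(f.grants, ',')
                         + ' (' + f.activeAssignees + ' active users)');
        }
    }
}
```

The combination to triage first is ‘Modify All Data’ together with ‘API Enabled’ on a profile with many active assignees: any leaked session, password or OAuth token from one of those users can read and rewrite the whole org through the API without ever touching the UI.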

Config + code

Settings reviews miss where breaches actually start.

What a settings-only review covers
  Config only (native Health Check): partial
  Config + code + sharing (WoneShield): full
Custom Apex/LWC and the sharing model are where most real Salesforce incidents originate.
Time to a full Salesforce assessment
  Manual consultant audit: weeks
  WoneShield (automated + expert): hours → report
Insecure Apex caught: in CI, before production
OWASP for Salesforce: mapped

Apex & LWC code security

Secure the code that runs on your data.

Custom Apex and Lightning Web Components are where over-broad access and injection flaws hide. WoneShield scans them with OWASP-aligned rules built for Salesforce — CRUD/FLS bypass, SOQL injection, sharing violations — in your org and your CI pipeline.

  • CRUD/FLS bypass & ‘without sharing’ misuse
  • SOQL/SOSL injection detection
  • Scans in CI so insecure code never ships
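The three code flaws this section and the ‘Insecure Apex & LWC code’ paragraph above name (CRUD/FLS bypass, ‘without sharing’ misuse and SOQL injection) fit in one method, and so does the fix. The listing below is an added example, not WoneShield's rules or Salesforce's own code: a vulnerable Case search beside its hardened form. Case, Subject, Status and Priority are standard Salesforce fields; the class and method names and the constructed payload are illustrative. The two classes are shown together for comparison and would live in separate .cls files.

```apex
// Added example (not WoneShield's or Salesforce's code).

// VULNERABLE: all three flaws in one method.
//  - 'without sharing' ignores OWD and sharing rules, so callers get Cases never shared with them.
//  - the SOQL string is built by concatenation, so the caller controls the query (injection).
//  - nothing enforces object or field permissions, so a caller who cannot read Priority still gets it.
public without sharing class CaseSearchVulnerable {
    @AuraEnabled
    public static List<Case> search(String term) {
        // Constructed payload:  term = "%' OR Status != 'Closed' AND Subject LIKE '%"
        // produces ... WHERE Subject LIKE '%%' OR Status != 'Closed' AND Subject LIKE '%%'
        // and the intended filter is gone: every Case in the org comes back.
        String q = 'SELECT Id, Subject, Status, Priority FROM Case '
                 + 'WHERE Subject LIKE \'%' + term + '%\'';
        return Database.query(q);
    }
}

// HARDENED: same result for honest input, closed to all three flaws.
//  - 'with sharing' applies the org's sharing model to every query in the class.
//  - the LIKE pattern is a bind variable; the SOQL parser never treats its contents as syntax.
//  - WITH USER_MODE enforces the running user's object and field permissions (Spring '23+;
//    WITH SECURITY_ENFORCED is the older form). Both throw instead of silently over-returning.
public with sharing class CaseSearch {
    @AuraEnabled(cacheable=true)
    public static List<Case> search(String term) {
        if (String.isBlank(term) || term.length() > 100) {
            throw new AuraHandledException('Invalid search term');
        }
        // % and _ inside term are still LIKE wildcards: they can widen the match but cannot
        // break out of the string literal, so this is a scope concern, not injection.
        String pattern = '%' + term + '%';
        return [SELECT Id, Subject, Status, Priority
                FROM Case
                WHERE Subject LIKE :pattern
                WITH USER_MODE
                LIMIT 200];
    }

    // When the query must be dynamic (here: a caller-chosen sort column), allow-list the part that
    // has to be spliced into the string, bind everything else, and still run in user mode.
    public static List<Case> searchDynamic(String term, String sortField) {
        Set<String> allowedSort = new Set<String>{ 'CreatedDate', 'Priority', 'Status' };
        if (!allowedSort.contains(sortField)) {
            sortField = 'CreatedDate';
        }
        String q = 'SELECT Id, Subject, Status, Priority FROM Case '
                 + 'WHERE Subject LIKE :pattern ORDER BY ' + sortField + ' LIMIT 200';
        return Database.queryWithBinds(
            q,
            new Map<String, Object>{ 'pattern' => '%' + term + '%' },
            AccessLevel.USER_MODE);
    }
}
```

A scanner rule for the first class fires on three independent signals: the ‘without sharing’ declaration on a class reachable from Aura/LWC, a Database.query call whose argument is built from a method parameter, and a query with no WITH USER_MODE, WITH SECURITY_ENFORCED or Security.stripInaccessible on the result. All three must be absent for the hardened class to pass, which is why the fix is a class-level pattern rather than a single line.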

The lifecycle

Evaluate. Plan. Deploy & harden. Monitor.

Not just a scan — a complete Salesforce security program, product plus specialists.

  1. Evaluate

     A full Salesforce security assessment — org configuration, sharing model, profiles & permission sets, Apex/LWC code, connected apps and guest access — mapped to the CIS Salesforce benchmark.

  2. Plan

     A prioritized remediation roadmap and least-privilege design: what to fix first, the secure target architecture, and the dev practices to keep it that way.

  3. Deploy & harden

     Implement the fixes — tighten sharing, right-size profiles, remediate insecure Apex, lock down connected apps and guest users — with secure-development guardrails.

  4. Monitor & enhance

     Continuous drift detection and Apex code scanning in CI, so a clean org stays clean release after release — not just on audit day.

How we connect

Agentless, read-first, no changes to your org.

Salesforce (Metadata + APIs) → Agentless connect (read-first) → Config · sharing · code · apps analysis → CIS-mapped findings → Remediate (Respond) / evidence (Comply)

Least-privilege API access; self-hostable for full data residency.

What we secure

Every layer of your Salesforce org.

Org configuration & security settings
Sharing model (OWD, rules, public groups)
Profiles & permission sets (least privilege)
Apex / LWC code security (OWASP for Salesforce)
Connected apps & OAuth scopes
Guest user & Experience Cloud exposure
Field-level security & data exposure
Identity, MFA & login policies

How it compares

Native tools check settings. We secure the whole org.

                                      | Manual audit   | Salesforce Health Check | WoneShield
Configuration & settings review       | Point-in-time  |                         |
Apex / LWC code security              | Rare           |                         |
Sharing model & permission analysis   | Manual         | Partial                 |
Connected-app & guest-user exposure   | Manual         | Limited                 |
Continuous drift detection            |                |                         |
Expert remediation & monitoring       | Consultant     |                         |

Works with

Fits your Salesforce and your dev workflow.

Salesforce: Sales/Service Cloud · Experience Cloud · Managed packages · Metadata API
DevOps (Apex CI): GitHub · GitLab · Azure DevOps
Identity: Salesforce Identity · Okta · Entra ID
Remediation & evidence: Respond (SOAR) · Comply (GRC) · Jira
Detection: Argus (XDR) · Event Monitoring
Alerting: Slack · Teams · Email / SMTP

Why WoneShield for Salesforce

A Salesforce security partner, not just a scanner.

Config and code — not just settings

Salesforce's own Health Check looks at settings. We also secure your Apex/LWC code, where real breaches start.

Product + expertise

Continuous SSPM plus Salesforce security specialists who assess, plan, harden and monitor — not just a scanner you're left to interpret.

Continuous, not point-in-time

Drift detection and CI code scanning keep your org secure across every release, not just at the annual review.

Audit-ready

Findings map to the CIS Salesforce benchmark, ISO 27001 and SOC 2, and flow into Comply as evidence.

See it in action

Watch a Salesforce assessment run in two minutes.

Connect an org and watch WoneShield surface over-shared records, risky profiles, insecure Apex and exposed guest access — mapped to CIS, with a prioritized remediation plan.

  • Agentless connect
  • Config + code + sharing
  • CIS-mapped remediation roadmap

By design

A Salesforce org you can prove is secure.

100%
Layers covered
config · code · sharing · data
100%
Findings mapped
CIS · ISO · SOC 2
Apex + LWC
code security
Agentless
read-first connect
Continuous
drift detection
Experts
assess & remediate

Return on investment

One exposed record can cost more than years of protection.

Config + code
covers where breaches actually start
Weeks → hours
automated assessment vs consultants
Audit-ready
CIS-mapped evidence on tap

A single over-shared object or insecure Apex class can expose your most sensitive CRM data. Continuous Salesforce security is cheap by comparison.

Related

Where Salesforce security fits.

Case study · design partner
WoneShield's assessment found 400+ over-shared records, 60 over-privileged profiles and an insecure Apex class — then their team helped us fix it and put CI scanning in place so it stays fixed.
Salesforce Security Lead · SaaS (placeholder — replace with named customer)
412
over-shared records
60
profiles right-sized
CI
code scanning live

What Salesforce teams say

Config and code, finally covered.

WoneShield found 400+ over-shared records and an insecure Apex class our last pen test missed. The remediation plan was the real value.
Rebecca Stone · Salesforce Security Lead · SaaS
Guest-user exposure on our Experience Cloud site was wide open. They caught it and walked us through the fix in a day.
Daniel Osei · Salesforce Architect · Fintech
Apex code scanning in our CI stopped an insecure-sharing bug from ever reaching production. That alone paid for it.
Mariam Yusuf · Salesforce DevOps · Healthcare
We right-sized 60 over-privileged profiles using their least-privilege plan. Audit went from dread to a dashboard.
Victor Eze · CISO · Banking
Continuous drift detection caught a loosened sharing rule hours after a release. We fixed it before anyone noticed.
Hannah Weiss · Salesforce Admin · Insurance
Config plus code in one assessment, mapped to CIS. Finally a Salesforce security partner, not just a scanner.
Tom Becker · Head of Security · Public sector

The basics

Whose job is Salesforce security?

Under Salesforce's shared-responsibility model, Salesforce secures the underlying platform and infrastructure. Everything you build on top — configuration, the sharing model, profiles and permissions, custom Apex/LWC code, connected apps and who can access what — is your responsibility.

That customer-owned layer is where virtually all Salesforce data exposure happens. WoneShield secures it: assessing it, hardening it, and monitoring it continuously, with both product and Salesforce security expertise.

SSPM for Salesforce
SaaS Security Posture Management applied to Salesforce — continuous checks on config, sharing, permissions and code.
Shared responsibility
Salesforce secures the platform; you secure your configuration, code and access. We secure your half.

Resources

Go deeper.

Pricing

Start free. Protect continuously.

Begin with a free Salesforce security assessment, then protect your org continuously. Multi-org, regulated and at-scale estates are priced to your environment — talk to sales.

Salesforce Essentials
$750 /mo
Continuous Salesforce SSPM
  • Config, sharing & permission checks
  • Continuous drift detection
  • CIS Salesforce benchmark mapping
  • Guest-user & connected-app monitoring
  • Standard support
Start free assessment
Most popular
Salesforce Complete
$2,000 /mo
Posture + code + remediation
  • Everything in Essentials
  • Apex / LWC code security (CI scanning)
  • Connected-app & OAuth review
  • Least-privilege remediation support
  • Evidence into Comply (GRC)
  • Priority support
Start free assessment
Salesforce Enterprise
Custom
Multi-org · regulated · at scale
  • Everything in Complete
  • Multi-org & managed-package coverage
  • Architecture & secure-dev advisory
  • Self-host / data residency
  • Dedicated Salesforce security team
Talk to sales

Powered by WoneShield Posture (SSPM). Volume and multi-org discounts available at scale.

Free download

The Salesforce Security Hardening Checklist

The settings, sharing rules, profiles and Apex practices to lock down — a practical checklist used in real Salesforce security reviews.

Inherited a messy org?

Acquired, merged, or just never assessed?

WoneShield connects agentlessly, gives you a full CIS-mapped picture of config, code and access in hours, and a prioritized plan to harden it — without disrupting your admins or your release cadence.

Plan your assessment

FAQ

Salesforce security, answered.

Is Salesforce secure by default?

Salesforce secures the platform, but under the shared-responsibility model your configuration, sharing model, permissions, custom Apex/LWC code and connected apps are your responsibility — and that's where almost all Salesforce incidents originate. WoneShield secures that layer.

How is this different from Salesforce Health Check or Security Center?

Salesforce's native tools check configuration settings. WoneShield covers configuration AND custom code (Apex/LWC), sharing model, connected apps and guest exposure — continuously — and maps everything to the CIS Salesforce benchmark with expert remediation.

Do you assess custom Apex and Lightning code?

Yes. We scan Apex and Lightning Web Components for insecure patterns — CRUD/FLS bypass, SOQL injection, sharing violations, insecure connected logic — using OWASP-aligned rules built for Salesforce, including in your CI pipeline.

What does a Salesforce security assessment cover and how long does it take?

Config, sharing, profiles/permissions, code, connected apps, guest access and data exposure — mapped to CIS. Because it's automated, the first assessment surfaces findings within hours, with an expert-reviewed report and prioritized roadmap.

Can you help us remediate, not just find issues?

Yes — that's the lifecycle: evaluate, plan, deploy/harden, then monitor. Our specialists help implement the fixes and put guardrails in place so the org stays secure.

How much does Salesforce security cost?

Start with a free Salesforce security assessment. Ongoing protection is $750/month (Essentials — continuous SSPM) or $2,000/month (Complete — code security, connected-app review and remediation support), with custom pricing for large or multi-org estates.

Do you cover Experience Cloud (Communities) and guest users?

Yes — guest user and Experience Cloud exposure is one of the most common Salesforce risks, and it's a core part of every assessment and continuous check.

Is it agentless / safe to connect?

Yes — WoneShield connects via API with read-first, least-privilege access. No agents, no changes to your org to get assessed. Connect it through a dedicated integration user holding only the read permissions it needs, not an admin's credentials, so the connection itself never becomes one of the over-scoped connected apps it is there to find.

Free Salesforce security assessment

See your Salesforce risk in hours — free.

Connect your org (read-first, agentless) and get a CIS-mapped report of config, sharing, code and access risks, with a prioritized roadmap. No credit card, no changes to your org.

Run my free assessment

See what's exposed in your Salesforce org

Start with a free assessment, or get a guided demo tailored to your stack.