vulnerability-penetration-report-summary-salesforce-services_2024-12-26

NCC Group conducted a web application penetration test for Salesforce's Core Web applications from December 4, 2024, to January 29, 2025, identifying one high, two medium, and one low severity findings. The assessment focused on new features and modifications in various Salesforce applications, with a total of eighty consultant days of effort. Following a retest, all identified vulnerabilities were reported to Salesforce, with findings categorized as fixed or open based on their resolution status.

NCC Group

11 E Adams St, Suite 400
Chicago, IL 60603
https://nccgroup.com

December 26, 2024

Salesforce, Inc
Salesforce Tower
415 Mission Street, 3rd Floor
San Francisco, CA. 94105

Introduction
This letter supersedes the letter produced by NCC Group on 13 May 2024.
From December 4 through January 29, four (4) consultants from NCC Group engaged in a web
application penetration test, for a total of eighty (80) consultant days of effort, reviewing
Salesforce's Core Web applications, Winter '24 Product Release. The Salesforce Core Applications
are a suite of Software-as-a-Service (SaaS) applications that assist customer organizations with
business operations such as sales, billing, customer support, case management, and more. Testing
focused on new features and modifications of existing features that have been implemented since
the Summer FY24 iteration of this assessment, with any additional time spent on time-boxed,
exploratory testing. Source code was not provided.

The following list details the applications and the key focus areas which were in scope for
this engagement:

Sales Cloud
• Sales Engagement
• Opportunity and Leads
• Revenue Intelligence
• All items and subsections under the Security, Identity, and Privacy section in release notes:
  https://help.salesforce.com/s/articleView?id=release-notes.rn_security.htm&release=244&type=5

Service Cloud
• Email to Case
• Chat (formerly Live Agent)
• Salesforce Scheduler

Experience Cloud (previously called Community Cloud)
• Site.com (Community Builder)
• All items under security and sharing and other changes in release notes:
  https://help.salesforce.com/s/articleView?id=release-notes.rn_experiences_sharing.htm&release=244&type=5
  https://help.salesforce.com/s/articleView?id=releasenotes.rn_experiences_additional_features.htm&release=244&type=5

CMS API endpoints were not in scope for this test.

1 / 4 – NCC Group Client Confidential


Lightning Platform
• Platform Backup and Restore
• Flow Orchestration

Revenue Cloud
• Salesforce CPQ + Billing
• Subscription Management
Industries Cloud

• NetZero Cloud
• Health Cloud (Home Health)
• Financial Services Cloud
• Education Cloud / Accounting Subledger

Loyalty Cloud

Chatter

The purpose of this assessment was to identify application-level security issues that could
adversely affect the security of the Salesforce Core application. This assessment was
performed by NCC Group under the guidelines provided in the statement of work for the
engagement.

Detailed Letter of Engagement Overview

NCC Group is a global information assurance firm that, in the US, specializes in application,
mobile, network, host, and product security. Security conscious companies use NCC Group’s
Detailed Letters of Engagement to verify product attributes in view of current security best
practices, standard security functionality, and product protection. More information about
the Group’s processes and products can be found at https://nccgroup.com/us.

It is important to note that this document represents a point-in-time evaluation of security
posture. Security threats and attacker techniques evolve rapidly, and the results of this
assessment are not intended to represent an endorsement of the adequacy of current
security measures against future threats. This Detailed Letter of Engagement necessarily
contains information in summary form and is therefore intended for general guidance only; it
is not intended as a substitute for detailed research or the exercise of professional
judgment. The information presented here should not be construed as professional advice or
service.



Testing Methods
Testing was performed using NCC Group's standard methodology for zero-knowledge web
application security testing. No source code or non-public documentation was provided for
testing. NCC Group's testing methodology leverages a combination of automated and manual
tooling with internal testing practices, application context, and guidance from supplemental
entities (e.g. OWASP Top 10, ASVS, etc.). Areas of testing included:

• Configuration issues such as incorrect use of TLS when connecting to web servers
• Information leaks through exposed files, APIs, inappropriate error handling, and more
• Common web application vulnerabilities including Cross-Site Scripting, SQL Injection, and
Cross-Site Request Forgery
• Authentication and authorization mechanisms
• Ability to obtain inappropriate access to sensitive and private information across users
and tenants
• Business logic and ability to make unauthorized changes
• Privilege escalation from a normal user to higher-privileged roles
• Insecure storage of sensitive data

Limitations
Some limitations were encountered while testing the in-scope features of the in-scope
applications; they are listed below:

Configuration issues led to limited testing availability for Revenue Cloud, Loyalty Cloud and
Service Cloud.

Summary of Findings
During the assessment, NCC Group identified:
• One (1) High Severity Finding
• Two (2) Medium Severity Findings
• One (1) Low Severity Finding

Upon completion of the assessment, all findings were reported to Salesforce along with
recommendations.

Retest Results
On 25 November, 26 November and 23 December 2024, three (3) consultants from NCC Group
engaged in a retest of one (1) high severity finding, one (1) medium severity finding and one (1)
low severity finding. During the retest, NCC Group identified:

• One (1) Fixed High Severity Finding
• One (1) Fixed Medium Severity Finding
• One (1) Fixed Low Severity Finding



Upon completion of the assessment, all findings statuses were reported to Salesforce
according to the following legend:

• Count: Number of Vulnerabilities Identified
• Fixed: Item has been fixed
• Partially Fixed: Item has been partially fixed
• Open: Item has not been fixed
• Accepted Risk: Item has been accepted as a risk and will not be fixed

Vulnerability Severity   Count   Fixed   Partially Fixed   Open   Accepted Risk   Retested
Critical                 0       0       0                 0      0               N/A
High                     1       1       0                 0      0               Yes
Medium                   2       1       0                 1      0               Yes
Low                      1       1       0                 0      0               Yes

© 2024 NCC Group

Prepared by NCC Group Security Services for Salesforce Inc. Portions of this document and the templates used in
its production are the property of NCC Group and cannot be copied (in full or in part) without NCC Group's
permission. While precautions have been taken in the preparation of this document, NCC Group, the publisher, and
the author(s) assume no responsibility for errors, omissions, or for damages resulting from the use of the
information contained herein. Use of NCC Group's services does not guarantee the security of a system, or that
computer intrusions will not occur.
