Salesforce Configuration Drift: A DevSecOps Security Guide
Author: Matt Meyers - EzProtect - Salesforce CTA
Uploaded: 2026-03-06
Views: 21
Description:
Most Salesforce orgs have no idea what changed in production last week. That's not a DevOps problem. It's a security problem.
Matt Meyers, Salesforce CTA and CEO of EzProtect, sits down with Richard Clark, 14x Salesforce certified with 35 years in technology, to break down why configuration drift is one of the most underestimated threat vectors in the Salesforce ecosystem.
Three principles from this session:
→ DevOps isn't a tool. It's a practice of moving changes safely, consistently, and repeatably from sandbox to production.
→ Configuration debt accumulates silently. Cloned profiles, over-scoped permission sets, and unchecked checkboxes open invisible access paths for attackers.
→ A change record answers three questions: what changed, who changed it, and when. Without one, the first 48 hours after an incident are spent reverse engineering instead of responding.
If you can't see what's changing in your org, you can't defend it.
➡️ Download the official guide to protect your data from hackers in Salesforce
https://ezprotect.io/platform/
Timecodes
0:00 Introduction and Office Hours overview
0:50 Why Office Hours exists: data breaches in the Salesforce ecosystem
2:21 Richard Clark introduction and background
3:48 EzProtect overview
4:35 Previous session recap: vibe coding securely
5:25 Session intro: securing a Salesforce org when you can't see what's changing
5:39 DevOps is not a tool, it's what you do
6:30 Why change sets fall short on governance and risk
7:10 The problem with having your org as your only source of truth
8:03 The DevOps infinity loop: dev and ops, not just deployment
8:56 CI/CD is only part of DevOps
9:54 Configuration changes in production: role hierarchy risks
10:35 How configuration debt accumulates through profiles and permission sets
11:54 Over-permissioning: how one checkbox creates a threat vector
13:31 Configuration debt as an open security risk
14:25 Attacker access paths: phishing, OAuth tokens, targeting admins
15:52 Incorrectly scoped integrations as overlooked entry points
17:39 What a configuration baseline actually gives you
18:23 Why you should check security in sandboxes, not just production
19:51 Environment drift explained
21:31 Custom settings, metadata, and hardcoded URLs as drift sources
22:57 Using DevOps tools for auditing, not just deploying
24:09 Encryption key changes and ransomware risk in Salesforce
25:11 Change records: what changed, who changed it, when
26:28 Full traceability from requirements to production
28:03 Shared responsibility: Salesforce platform vs. your configuration
29:51 Salesforce is super secure until the day you start configuring it
30:36 Richard Clark's three takeaways
31:51 Upcoming sessions and resources
32:37 Q&A: Field level security and data classification deployments
35:29 Tribute to Pat Patterson
📚 Learn More About Virus Scanning in Salesforce
➡️ https://www.ezprotect.io
📚 Learn Common Virus Scanning Myths in Salesforce
https://ezp.fyi/3NeZY48
📆 Book a time to talk with us
https://ezprotect.io/schedule