Salesforce Apex: Security Concerns and the Role of Hands-on Secure Coding Training

Any modern-day entity with a requirement to manage customers and derive marketing insight from their operations and external feedback will no doubt have come across Salesforce, a software giant that supports one of the world’s most popular Customer Relationship Management (CRM) tools.

And there’s a reason for its popularity too - it can be both easy to implement and use and is also built with flexibility in mind for those organizations that require custom development capabilities to build SaaS applications on top of the core CRM functionality. For such “custom development”, organizations can use Salesforce’s proprietary language Apex.

The first implementation of Apex occurred way back in 2007 and was initially only meant for internal use. However, as with many internal projects of promise, the language evolved, growing in its popularity as a suitable tool to create third-party applications for Salesforce.

In this brief article, we review Apex’s key features and use cases. We also explore its security concerns and explain how SecureFlag’s hands-on secure coding training can help developers make the most of Apex - while avoiding its security pitfalls.

What Is Apex in Salesforce?

Apex (short for Advanced Programming Experience) is a strongly-typed, object-oriented language designed to create on-demand applications on the Salesforce server quickly. These applications are entirely interpreted, executed, and controlled by the force.com platform. All Apex code is stored in the cloud as metadata, eliminating the need to install infrastructure or purchase software licenses or upgrades.

Apex Logo

Apex is versatile enough to extend the Salesforce CRM’s existing functionalities and allow numerous third-party integrations. Developers can create new applications by accessing Salesforce’s back-end database and client-server interfaces. They can also access the included Application Programming Interface (API) to build their application quickly with common SaaS components.

What are the Benefits of Apex?

Apex is a popular programming language because it offers many benefits. For one, it provides built-in support for common idioms, including:

  • Data Manipulation Language (DML) calls
  • Inline Salesforce Object Query Language (SOQL) queries
  • Salesforce Object Search Language (SOSL) queries
  • Locking syntax to prevent record update conflicts
  • Looping for bulk and simultaneous processing of records

Apex is easy to use since it is based on familiar Java-like syntax that’s straightforward to understand and code.

Since it is a strongly-typed language, users must define the data type for every variable. Also, if any references are invalid, it fails quickly, with such rigor ensuring no mistakes result at compile time.

Apex runs in a multi-tenanted environment, meaning only a single instance runs on the server and serves multiple tenants. Further, its runtime engine guards against runaway code and prevents it from monopolizing shared resources. Code that violates limits generates simple error messages so developers can take quick action to fix issues.

Apex offers built-in support to create and run unit tests for code, which are always executed before any platform upgrades.

Finally, developers don’t have to worry about rewriting Apex code when other parts of the force.com platform are upgraded since Apex upgrades automatically with every new Salesforce release.

With Apex, development teams can create new third-party SaaS applications or customize pre-built applications. They can execute flow and transaction control statements on the force.com platform server and add business logic like button clicks to most system events.

Apex also provides many features and functionalities to create:

  • Web services integrated with different systems
  • Email services
  • Applications using API calls
  • Applications requiring complex transactional logic

Security Concerns in Apex

Despite its many advantages, security is a concern in Apex. Custom development could introduce security vulnerabilities within code, which a malicious actor may exploit to compromise the organization.

Some common security issues in Apex are:

  • SOQL injections may return record information to bad actors.
  • Missing Object/Field level security and insecure sharing across custom classes.
  • Underlying Lightning components communicating over the Aura API may expose vulnerabilities to the open Internet.
  • Cross-site scripting (XSS) attacks allow bad actors to insert malicious scripts into web applications to hijack user sessions, steal confidential information, or submit unauthorized transactions.

Salesforce has incorporated many security defenses into Apex. For instance, all standard Visualforce components (starting with <apex>) have anti-XSS filters to screen out harmful characters. Nonetheless, a lack of attentiveness to these built-in security controls can result in them being bypassed completely, exposing applications and customers to potential damage.

If some of these attacks sound familiar - well, they should! XSS, Injections… these are nothing new, and the mere fact that they replicate in yet another language - a language that has built-in security controls (like so many others) - cements the argument that effective tools are only as robust as the developer implementing them.

Hands-on Secure Coding Training in Apex with SecureFlag

Old-fashioned training programs with slides, videos, and text are boring and not conducive to learning. Quizzes merely test surface knowledge but don’t prepare developers for real-world scenarios.

SecureFlag’s training addresses all these weaknesses with 100% hands-on labs and no contrived examples. The environment is created on-demand and is easily accessible through a standard web browser.

Participants can get started quickly by simply selecting the exercise code. They can then practice their new skills to identify, prioritize and verify security issues - all in a hands-on environment that promotes real learning for real-world situations.

Once they complete a learning path - which is individualized to match their skills and knowledge level - they gain a certificate. They must take refresher exercises to maintain this certificate, update their knowledge, and consistently benefit the organization.

Apex Lab

To know more about SecureFlag’s 100% practical secure coding training platform for Apex, contact us today.