The relentless expansion of Salesforce across the business world has created a parallel digital universe, one in which administrators and developers are trained differently from their IT counterparts, apps run on a SaaS/cloud platform with a confusing shared-responsibility model, and security and AppSec best practices may not be followed or even understood.

The results are over-permissioning, configuration drift, security blind spots, abandoned profiles and poorly administered security within many Salesforce environments. Some of these factors contributed to the waves of Salesforce breaches earlier this year, which may serve as a wake-up call about the vulnerabilities within these environments.

More security managers, CISOs and CIOs need to be aware of the Salesforce-based shadow ecosystem that may be growing within their own organizations. Salesforce admins and developers will ultimately have to be cross-trained in best practices. Until then, it's best to take advantage of the tools and practices that can help secure your Salesforce environment...