Learn how to build secure DevSecOps pipelines for Salesforce with Mala Punyani, Director of Engineering at DocuSign, who has spent 18 years implementing security and DevSecOps practices from zero to fully automated pipelines across enterprise SaaS applications.

In this Salesforce Security Office Hours session, host Matt Myers, Salesforce CTA and CoFounder and CEO of EzProtect, and Mala discuss shift left security strategies including secret scanning implementation, just-in-time access for service accounts, automated CI/CD security gates, policy as code, static code analysis with custom rules, and data masking for sandbox environments.

Discover why continuous auditing matters more than one-time guardrails, how to build security champions within development teams, and why starting with credential security delivers quick wins before tackling legacy code scanning.

Sign Up for Future Salesforce Security Office Hours Sessions: https://ezprotect.io/salesforce-security-education/

Timecodes
00:00:00 - Welcome from Cactus Force / Architect Dreaming
00:03:39 - Session Introduction
00:06:24 - Meet Matt Myers, CTA
00:06:43 - Meet Mala Punyani, Director of Engineering
00:08:18 - EzProtect Sponsor
00:08:46 - Recap: Security Certifications Session
00:09:10 - Hot Off the Press: Grubhub Breach via SalesLoft Drift Tokens
00:10:08 - The Slide of Shame: 900+ Breached Companies
00:10:49 - What Does Shift Left Security Look Like for Salesforce
00:14:19 - AI Era: Securing Agentic Models in Salesforce
00:16:05 - Governance Gaps and Compliance
00:18:10 - Why Security Is More Important Than Ever
00:19:30 - Just-in-Time Access Explained
00:21:33 - One Credential Can Put Your Entire Org in Danger
00:23:28 - NIST Threat Response Lifecycle
00:24:18 - Q&A: Procurement Cycles for Security Tools
00:28:00 - Guardrails: Secrets Should Never Exist in Version Control
00:28:57 - Building Security Champions in Dev Teams
00:31:22 - Q&A: How to Implement Just-in-Time Access
00:33:58 - Automated CI/CD Security Gates and Policy as Code
00:36:47 - Unit Testing and Security Requirements
00:38:32 - Data Masking for Sandbox Environments
00:39:14 - Q&A: Tool Selection Advice
00:42:19 - Key Takeaways
00:45:27 - Q&A: JIT Access Implementation Approaches
00:49:49 - Using Okta for Automated Access Requests
00:51:44 - Q&A: Security Certifications for Salesforce Pros
00:55:26 - Closing

Subscribe to EzProtect - For Salesforce Best Practices here: https://www.youtube.com/channel/UC6MtFmvugBxRxQ2dKpFKn2Q
Learn More About Virus Scanning in Salesforce: https://www.ezprotect.io
Book a time to talk with us: https://ezprotect.io/schedule

-----------------SOCIAL----------------
Twitter: https://twitter.com/ezprotect
Instagram: https://www.instagram.com/ezprotect.co
LinkedIn: https://www.linkedin.com/in/matt-meyers-cta/