Insecure Secrets Management

This lab explains how secret exposure occurs in Salesforce integrations and how to implement secure storage, transmission, rotation, and operational controls for credentials and tokens.

Executive Summary

Secrets management failures occur when API keys, client secrets, tokens, or certificates are embedded in code or metadata, written to logs, or stored where users and tooling that should never see them can read them. In Salesforce orgs this most often affects outbound callout integrations and custom authentication workflows.

Salesforce Attack Surface

  • Hardcoded credentials in Apex classes and metadata (Lightning components, static resources, remote site settings)
  • Secrets stored in unprotected custom fields, Custom Settings, or Custom Metadata records, readable through the UI, SOQL, or metadata retrieval
  • Debug logs and error traces leaking tokens and session IDs
  • Deployment artifacts and repositories (retrieved metadata, SFDX projects, CI build output) containing secret values
  • Integrations with no key rotation or revocation process, so a leaked key stays valid indefinitely

Business Impact

  • Unauthorized third-party access: attacker-controlled API usage
  • Data breach risk: secrets enable lateral access to downstream services
  • Fraud and cost impact: abuse of paid APIs and service quotas
  • Compliance exposure: inability to demonstrate key governance controls

PoC Use Cases

// Vulnerable pattern: hardcoded key. Anyone who can read the class (org users with
// View All Data or Author Apex, package subscribers, the source repository) has the key.
private static final String API_KEY = 'sk_live_1234567890abcdef';

// Vulnerable pattern: logging sensitive data. The token lands in the debug log,
// which is readable by anyone who can view logs and is often exported for support.
System.debug('OAuth token: ' + accessToken);

Validate exploitability by showing that an exposed value is still live: replay the token or make an authenticated callout with the key from outside the org, and record what the credential grants (scopes, data, paid quota). A value that is expired or already rotated is a hygiene finding, not an exploitable one.

Testing Methodology

  • Review Apex, Lightning components, Custom Settings, Custom Metadata, and retrieved package metadata for embedded credentials or key material
  • Scan debug logs, CI artifacts, and repositories for leaked secret patterns (vendor key prefixes, session IDs, bearer tokens, client secrets)
  • Assess storage controls: is the value held in a Named Credential or protected setting, and who can read it through the UI, SOQL, or the API
  • Verify secret lifecycle controls: rotation cadence, revocation path, expiry
  • Document the exploit path and how hard containment would be (can the key be revoked without breaking the integration?)

Secure Engineering Patterns

  • Use Named Credentials for outbound authentication, so Apex references an endpoint by name and never handles the credential itself
  • Use protected configuration mechanisms for sensitive values that cannot live in a Named Credential: Protected Custom Settings or Protected Custom Metadata Types delivered in a managed package, or an external secrets store
  • Prevent secret logging in debug, telemetry, and error output; redact tokens before they reach System.debug, custom log objects, or exception messages
  • Enforce key rotation, least-privilege scoping, and an emergency revocation procedure that is rehearsed, not just documented
  • Automate secret scanning in pre-commit and CI pipelines and fail the build on high-confidence matches

// Safer callout pattern: the Named Credential supplies the endpoint URL and the
// Authorization header, so no key or token appears in Apex or in the log.
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:MyNamedCredential/api/endpoint');
req.setMethod('GET');
HttpResponse res = new Http().send(req);
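The scanning step in the testing methodology (scan logs, CI artifacts, and repositories for leaked secret patterns) and the pipeline-gating pattern above (automate secret scanning and block high-confidence leaks) come down to the same piece of logic, shown here as an added example that is not part of this lab and not a Salesforce or vendor tool. It is written in Python because that is what a pre-commit hook or CI job would run. The regexes, the entropy threshold, and the sample Apex and debug-log lines are assumptions constructed for the example; real scanners carry far larger pattern sets.

```python
import math
import re
from dataclasses import dataclass

# Credential shapes that commonly leak from Salesforce integrations. The regexes are
# assumptions made for this example (tuned for the sample below), not a vendor-published
# or exhaustive list. More specific patterns come first so that the generic assignment
# pattern does not report the same secret a second time.
PATTERNS = {
    # Salesforce session ID / access token: 15-character org ID, '!', token body.
    "salesforce_session_id": re.compile(r"\b00D[0-9A-Za-z]{12}![0-9A-Za-z._]{30,}"),
    # Connected App consumer/client secret assigned to a variable or setting.
    "consumer_secret_assignment": re.compile(
        r"(?i)(consumer[_ ]?secret|client[_ ]?secret)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
    # Third-party live API key in the shape used by the page's hardcoded-key example.
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{10,}"),
    # Bearer token in a request header or a debug line that dumped the headers.
    "bearer_token": re.compile(r"(?i)bearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    # Any secret-looking name assigned a quoted literal; confidence decided by entropy.
    "generic_secret_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}

# Assignment-style matches are graded by entropy so that template placeholders such as
# 'change-me-change-me' rank low while random secret material ranks high.
ENTROPY_PATTERNS = {"consumer_secret_assignment", "generic_secret_assignment"}
HIGH_ENTROPY_BITS = 3.5  # assumed tuning; random base62 material scores about 4 or more


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, the usual heuristic for random-looking secrets."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    kind: str
    line_no: int
    secret: str
    confidence: str  # "high" or "low"


def scan_text(text: str) -> list:
    """Scan source, metadata, or log text line by line and return the secrets found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        taken = []  # character spans already claimed by a more specific pattern
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                start, end = match.span()
                if any(start < t_end and t_start < end for t_start, t_end in taken):
                    continue
                taken.append((start, end))
                secret = match.group(match.lastindex) if match.lastindex else match.group(0)
                high = kind not in ENTROPY_PATTERNS or shannon_entropy(secret) >= HIGH_ENTROPY_BITS
                findings.append(Finding(kind, line_no, secret, "high" if high else "low"))
    return findings


def should_block(text: str) -> bool:
    """CI / pre-commit gate: fail the pipeline on any high-confidence leak."""
    return any(f.confidence == "high" for f in scan_text(text))


def redact(text: str) -> str:
    """Mask every detected value, keeping a 4-character prefix so the log stays diagnosable.
    Over-redacting a placeholder costs nothing; leaking a real token does."""
    out = text
    for f in scan_text(text):
        out = out.replace(f.secret, f.secret[:4] + "[REDACTED]")
    return out


# Constructed sample: a few Apex lines and two Apex debug-log lines. None of the values
# are real credentials.
SAMPLE_INPUT = """\
// CalloutService.cls (constructed sample, not a real org's code)
private static final String API_KEY = 'sk_live_1234567890abcdef';
private static final String WEBHOOK_SECRET = 'change-me-change-me';
String clientSecret = '3MVG9abc1DEF2ghi3JKL4mno5PQR6stu7VWX8yz';
System.debug('OAuth token: ' + accessToken);
// Apex debug log excerpt (constructed)
12:01:07.123 (456)|USER_DEBUG|[5]|DEBUG|OAuth token: 00Dxx0000001gPL!AQ4AQFnOOtKbM9PMQAsvjhDlzjC8t0OblcYd2HqOzmzNRsv7eKpc
12:01:07.140 (789)|USER_DEBUG|[9]|DEBUG|Request headers: {Authorization=Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2lnbmF0dXJl}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_INPUT):
        print(f"line {f.line_no}: {f.kind} ({f.confidence}) {f.secret[:4]}...")
    print("block pipeline:", should_block(SAMPLE_INPUT))
    print(redact(SAMPLE_INPUT))
```

Two points worth noticing when running it. The `System.debug('OAuth token: ' + accessToken)` line produces no finding because the value only exists at runtime, which is why the debug log itself must be scanned and not just the source; the same token shows up as a high-confidence session ID on the log line below it. And the placeholder `'change-me-change-me'` is reported at low confidence rather than dropped: a gate that fails only on high-confidence matches avoids blocking every template, while the low-confidence list is still useful during a manual review.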

Verification Checklist

  • No hardcoded credentials in Apex, metadata, or scripts
  • Secrets are not present in logs, URLs, or exception traces
  • Secure storage and access controls are documented and tested
  • Rotation and revocation procedures are operationally validated
  • Pipeline secret-scanning controls block high-confidence leaks

Lab Exercises

This lab includes hands-on exercises to practice identifying and remediating secret-management weaknesses in Salesforce implementations:

  • Exercise 1: Identify exposed secrets across code and configuration
  • Exercise 2: Migrate vulnerable integrations to Named Credentials
  • Exercise 3: Remove secret leakage from logs and diagnostics
  • Exercise 4: Implement rotation and revocation workflow
  • Exercise 5: Validate protections with regression scans