Salesforce Configuration Drift: A DevSecOps Security Guide

Most Salesforce orgs have no idea what changed in production last week. That's not a DevOps problem. It's a security problem.

Matt Meyers, Salesforce CTA and CEO of EzProtect, sits down with Richard Clark, 14x Salesforce certified with 35 years in technology, to break down why configuration drift is one of the most underestimated threat vectors in the Salesforce ecosystem.

Three principles from this session:
→ DevOps isn't a tool. It's a practice of moving changes safely, consistently, and repeatably from sandbox to production.
→ Configuration debt accumulates silently. Cloned profiles, over-scoped permission sets, and unchecked checkboxes open invisible access paths for attackers.
→ A change record answers three questions: what changed, who changed it, and when. Without one, the first 48 hours after an incident are spent reverse engineering instead of responding.

If you can't see what's changing in your org, you can't defend it.

➡️ Download the official guide to protect your data from hackers in Salesforce: https://ezprotect.io/platform/

Timecodes
0:00 Introduction and Office Hours overview
0:50 Why Office Hours exists: data breaches in the Salesforce ecosystem
2:21 Richard Clark introduction and background
3:48 EzProtect overview
4:35 Previous session recap: vibe coding securely
5:25 Session intro: securing a Salesforce org when you can't see what's changing
5:39 DevOps is not a tool, it's what you do
6:30 Why change sets fall short on governance and risk
7:10 The problem with having your org as your only source of truth
8:03 The DevOps infinity loop: dev and ops, not just deployment
8:56 CI/CD is only part of DevOps
9:54 Configuration changes in production: role hierarchy risks
10:35 How configuration debt accumulates through profiles and permission sets
11:54 Over-permissioning: how one checkbox creates a threat vector
13:31 Configuration debt as an open security risk
14:25 Attacker access paths: phishing, OAuth tokens, targeting admins
15:52 Incorrectly scoped integrations as overlooked entry points
17:39 What a configuration baseline actually gives you
18:23 Why you should check security in sandboxes, not just production
19:51 Environment drift explained
21:31 Custom settings, metadata, and hardcoded URLs as drift sources
22:57 Using DevOps tools for auditing, not just deploying
24:09 Encryption key changes and ransomware risk in Salesforce
25:11 Change records: what changed, who changed it, when
26:28 Full traceability from requirements to production
28:03 Shared responsibility: Salesforce platform vs. your configuration
29:51 Salesforce is super secure until the day you start configuring it
30:36 Richard Clark's three takeaways
31:51 Upcoming sessions and resources
32:37 Q&A: Field level security and data classification deployments
35:29 Tribute to Pat Patterson

🔔 Subscribe to EzProtect - For Salesforce Best Practices here: / @mattmeyers-cta
📚 Learn More About Virus Scanning in Salesforce ➡️ https://www.ezprotect.io
📚 Learn Common Virus Scanning Myths in Salesforce: https://ezp.fyi/3NeZY48
📆 Book a time to talk with us: https://ezprotect.io/schedule

----------------SOCIAL---------------
✅ Twitter: / ezprotect
✅ Instagram: / ezprotect.co
✅ LinkedIn: / matt-meyers-cta
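The "what changed" half of a change record does not have to be reverse engineered after an incident: diff the metadata you deployed against what the org holds now. The script below is an added example, not code from the session or from EzProtect. It assumes two PermissionSet XML snapshots in Salesforce Metadata API format (the two documents here are constructed inline; in practice you would retrieve the baseline and the current copy from each org, for instance with the Salesforce CLI `sf project retrieve start --metadata PermissionSet`, and run the diff over every file pair). It flags every grant that changed and weights the ones that matter most for a single ticked checkbox: ModifyAllData, ViewAllData, AuthorApex, ManageUsers, ViewSetup, and View All / Modify All object access. Those risk tiers are the example's own assumption, not a Salesforce classification.

```python
"""Drift check for a Salesforce PermissionSet: baseline snapshot vs. current snapshot.

Added example. The two XML documents are CONSTRUCTED sample data in Metadata API
shape; real files would be retrieved from the sandbox baseline and from production
(e.g. `sf project retrieve start --metadata PermissionSet`). Tags absent from a
snapshot are treated as false, which is how an omitted grant behaves in the org.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
# Risk tiers are this example's assumption: permissions that bypass sharing or
# hand over setup control count as HIGH, write/delete widening as MEDIUM.
HIGH_USER = {"ModifyAllData", "ViewAllData", "AuthorApex", "ManageUsers", "ViewSetup"}
HIGH_OBJECT = {"viewAllRecords", "modifyAllRecords"}
MEDIUM_OBJECT = {"allowEdit", "allowDelete"}
OBJECT_TAGS = ("allowCreate", "allowRead", "allowEdit", "allowDelete", "viewAllRecords", "modifyAllRecords")

BASELINE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Support Agent</label>
  <fieldPermissions><editable>false</editable><field>Account.AnnualRevenue</field><readable>true</readable></fieldPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</PermissionSet>"""

# Same permission set after someone ticked boxes directly in production (constructed).
CURRENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Support Agent</label>
  <fieldPermissions><editable>true</editable><field>Account.AnnualRevenue</field><readable>true</readable></fieldPermissions>
  <objectPermissions><allowRead>true</allowRead><object>Contact</object><viewAllRecords>true</viewAllRecords></objectPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
</PermissionSet>"""


def _text(el, tag):
    child = el.find(f"m:{tag}", NS)
    return (child.text or "").strip() if child is not None else ""


def _flag(el, tag):
    return _text(el, tag).lower() == "true"


def parse_permission_set(xml_text):
    """Reduce a PermissionSet document to plain dicts keyed by permission name."""
    root = ET.fromstring(xml_text)
    user = {_text(e, "name"): _flag(e, "enabled") for e in root.findall("m:userPermissions", NS)}
    fields = {_text(e, "field"): {"readable": _flag(e, "readable"), "editable": _flag(e, "editable")}
              for e in root.findall("m:fieldPermissions", NS)}
    objects = {_text(e, "object"): {tag: _flag(e, tag) for tag in OBJECT_TAGS}
               for e in root.findall("m:objectPermissions", NS)}
    return {"label": _text(root, "label"), "user": user, "field": fields, "object": objects}


def _risk(granted, name, high, medium=()):
    # A revoked grant is recorded but is not a widening of access.
    if not granted:
        return "INFO"
    return "HIGH" if name in high else "MEDIUM" if name in medium else "INFO"


def diff_permission_sets(baseline, current):
    """Return every changed grant as {kind, name, before, after, risk}."""
    findings = []
    for name in sorted(set(baseline["user"]) | set(current["user"])):
        before, after = baseline["user"].get(name, False), current["user"].get(name, False)
        if before != after:
            findings.append({"kind": "userPermission", "name": name, "before": before, "after": after,
                             "risk": _risk(after, name, HIGH_USER)})
    none_field = {"readable": False, "editable": False}
    for field in sorted(set(baseline["field"]) | set(current["field"])):
        before, after = baseline["field"].get(field, none_field), current["field"].get(field, none_field)
        for attr in ("readable", "editable"):
            if before[attr] != after[attr]:
                findings.append({"kind": "fieldPermission", "name": f"{field}.{attr}", "before": before[attr],
                                 "after": after[attr], "risk": _risk(after[attr], attr, (), medium=("editable",))})
    none_obj = {tag: False for tag in OBJECT_TAGS}
    for obj in sorted(set(baseline["object"]) | set(current["object"])):
        before, after = baseline["object"].get(obj, none_obj), current["object"].get(obj, none_obj)
        for tag in OBJECT_TAGS:
            if before[tag] != after[tag]:
                findings.append({"kind": "objectPermission", "name": f"{obj}.{tag}", "before": before[tag],
                                 "after": after[tag], "risk": _risk(after[tag], tag, HIGH_OBJECT, MEDIUM_OBJECT)})
    return findings


def risk_counts(findings):
    counts = {"HIGH": 0, "MEDIUM": 0, "INFO": 0}
    for f in findings:
        counts[f["risk"]] += 1
    return counts


def main():
    findings = diff_permission_sets(parse_permission_set(BASELINE_XML), parse_permission_set(CURRENT_XML))
    for f in findings:
        print(f"[{f['risk']:6}] {f['kind']:17} {f['name']:32} {f['before']} -> {f['after']}")
    counts = risk_counts(findings)
    # Non-zero exit so a CI job fails loudly when production has widened beyond the baseline.
    raise SystemExit(1 if counts["HIGH"] or counts["MEDIUM"] else 0)


if __name__ == "__main__":
    main()
```

This answers only the "what changed" question; "who" and "when" come from the org's own Setup Audit Trail, which is where the two halves of a change record get joined. Running the diff on every refresh of the baseline is what turns a checkbox ticked directly in production into a failed build rather than a finding in the first 48 hours of an incident.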
