Valo.ai at Dreamforce 2025 | October 12-16, 2025 | San Francisco, CA

The Hidden Dangers of Salesforce Managed Packages


Salesforce boasts a vibrant ecosystem of applications, with the AppExchange often touted as a secure marketplace. Every vendor publishing on AppExchange must pass Salesforce's security review, which makes it unlikely that an app designed to be malicious from the outset gets listed. Furthermore, many AppExchange apps are managed packages that run inside your Salesforce Org, which is supposed to keep vendors away from your sensitive data. But is this truly the case?

The reality is more complex.

Understanding the Hidden Risks

Many managed packages on AppExchange aren't entirely "native." They frequently rely on inbound and outbound integrations with their "mothership" or other third-party services to deliver their advertised functionality. For instance, an application that validates the zip code of a mailing address typically sends the address to an external API through an Apex callout and receives the validation result back. Every such callout carries Org data across the Salesforce trust boundary, a risk that is often overlooked.

Even if an AppExchange application is initially benign, there's a risk of it being "trojanized" later. This isn't a theoretical concern: we've seen it happen in the Windows ecosystem (NotPetya reached its first victims through a compromised software update server) and with browser extensions, as explored in our previous post on Salesforce admin Chrome extensions. The lesson is that an app you trust today can become a conduit for malicious activity tomorrow.

Managed packages can originate from several sources: the Salesforce AppExchange, direct links from publishers, or even internal development by a company or its subcontractors. While AppExchange apps are generally available to a wider audience (often requiring a license), the underlying technology and potential risks remain consistent regardless of the distribution channel.

Push upgrades give a package publisher the ability to deploy a new version of a managed package directly into subscriber Orgs, without the Org's admin initiating the install. Publishers can trigger them through the Salesforce CLI, the SOAP API, or the Salesforce UI (for first-generation packages), and they are invaluable for critical bug fixes and feature enhancements. That same convenience, however, introduces a distinct set of security considerations.

Push upgrades streamline updates, but they also carry inherent risks. An incompatible version or faulty install logic can disrupt a customer's Org, which is why many Salesforce Admins view automatic upgrades with caution and not every vendor uses them. More critically, the upgrade channel is controlled entirely by the vendor: an attacker who compromises the vendor's publishing environment can push malicious code straight into every subscriber Org, with no action required from those Orgs' admins.

How could a vendor's publishing environment be compromised? Several scenarios pose a threat:

  1. Direct Compromise of the Publishing Environment: An attacker could infiltrate the vendor's systems or target their technical team through phishing, malware, or social engineering. Once compromised, a malicious update could be pushed to customer Orgs.
  2. Insider Threat: A malicious individual could join the development team and intentionally inject a backdoor into the managed package, a pattern already seen in open-source projects.
  3. Acquisition by a Malicious Entity: An attacker could acquire a Salesforce ISV (Independent Software Vendor) with the sole intent of pushing out a malicious update to its install base. Even a modest acquisition cost (say, $200k) pales in comparison to the potential proceeds of a large-scale attack (say, $10M).

Unpacking the Risks of Managed Packages

To summarize the potential dangers, consider these specific risks associated with managed packages in Salesforce:

1. Data Exfiltration via Third-Party Services:

  • Remote site settings and named credentials let a package's Apex code make outbound callouts, so Salesforce data can be sent to external services; Apex REST endpoints and connected apps open inbound paths through which the vendor's systems can read or write data in your Org. Either direction can move sensitive data outside your organization.

2. Unforeseen Software Vulnerabilities:

  • While Salesforce conducts a security review before initial AppExchange publication, vulnerabilities can still be present, or be introduced in later versions.
  • Apex code-scanning tools catch only certain classes of weakness; anything they miss ships with the package.

3. Stability and Performance Degradation:

  • A poorly performing or resource-intensive managed package can disrupt your entire Salesforce Org. Governor limits and Org-wide quotas such as API calls, asynchronous Apex jobs and storage are shared by everything running in the Org, so one package exhausting them causes slowdowns or failures in unrelated functionality.

4. Vendor Sunset/Maintenance Risks:

  • Should a vendor cease operations or discontinue maintaining their package, your Org could be left with unsupported code, posing security and functionality risks.

5. Trojanized Upgrades:

  • A seemingly harmless application can be updated with malicious code through push upgrades, turning a trusted tool into a significant security threat.

Mitigating Managed Package Risks

Just as with desktop software or browser extensions, the most effective way to reduce the attack surface and mitigate risks from AppExchange packages is proactive management:

  1. Regularly Review and Uninstall Unused Packages: Periodically audit your installed managed packages (Setup > Installed Packages, or `sf package installed list` from the CLI) and their actual usage. Promptly uninstall any packages that are no longer needed; code you don't run is attack surface you don't need.
  2. Scrutinize Data Flows (Inbound & Outbound): Investigate whether your installed apps initiate inbound or outbound communication. Event Monitoring logs help here (the ApexCallout event type records outbound Apex callouts; the API-related event types record inbound API access), and so do configuration items: remote site settings and named credentials for outbound access, Apex REST endpoints and connected apps for inbound. Because managed-package components carry the package's namespace prefix, each of these can be attributed to the package that brought it in. Use this information as a critical component of your risk assessment: remove any app that you do not explicitly authorize to transmit your data externally.
  3. Strategic Package Updates: Keep your managed packages updated to their latest versions. However, consider a brief waiting period (e.g., a couple of weeks) after a new release, unless a critical vulnerability requires immediate patching. This delay gives the broader community time to identify and report new bugs or, in the rare event of a provider compromise, to detect and address malicious code before it impacts your Org. Bear in mind that a push upgrade initiated by the vendor lands regardless of your waiting period, which is one more reason the vendor vetting behind the previous steps matters.
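A practical way to run steps 1 and 2 together, and to make the data-exfiltration risk described under "Unpacking the Risks" concrete, is to join three artefacts an admin can export from the Org: the installed package list, the RemoteSiteSetting metadata, and an ApexCallout event log. The script below is an added example and not Valo.ai's product or Salesforce code. Its sample inputs are constructed; the JSON field names follow `sf package installed list --json` as assumed for this example; the event log is trimmed to a subset of the real ApexCallout columns; and packaged components are attributed to their package through the `namespace__` prefix Salesforce puts on packaged metadata names. Callouts that no active remote site covers are reported separately, because that is where traffic through named credentials (which need no remote site setting) surfaces.

```python
"""Attribute outbound Apex callouts to installed managed packages.
Added example, not Valo.ai's tooling. All sample data is constructed.
"""
import csv
import io
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the shape of `sf package installed list --json`
# (field names assumed for this example).
INSTALLED_JSON = """{"status": 0, "result": [
 {"SubscriberPackageName": "AddressCheck", "SubscriberPackageNamespace": "addrchk"},
 {"SubscriberPackageName": "Report Themes", "SubscriberPackageNamespace": "rpttheme"}
]}"""

# Constructed RemoteSiteSetting files keyed by retrieved file name. The
# `addrchk__` prefix marks components owned by that package; Legacy_ERP is org-owned.
REMOTE_SITES = {
    "addrchk__Validation_API.remoteSite-meta.xml": (
        '<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">'
        "<isActive>true</isActive><url>https://api.addrcheck.example</url></RemoteSiteSetting>"),
    "addrchk__Telemetry.remoteSite-meta.xml": (
        '<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">'
        "<isActive>true</isActive><url>https://metrics.addrcheck.example</url></RemoteSiteSetting>"),
    "Legacy_ERP.remoteSite-meta.xml": (
        '<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">'
        "<isActive>false</isActive><url>https://erp.internal.example</url></RemoteSiteSetting>"),
}

# Constructed ApexCallout event log, trimmed to a subset of the real columns.
# Rows are read by header name, so the extra columns of a real file are harmless.
APEX_CALLOUT_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,URL,METHOD,REQUEST_SIZE,RESPONSE_SIZE,SUCCESS
ApexCallout,20250915120001.000,005xx000001Sv6A,https://api.addrcheck.example/v1/validate,POST,412,96,1
ApexCallout,20250915120002.000,005xx000001Sv6A,https://metrics.addrcheck.example/ingest,POST,184320,12,1
ApexCallout,20250915120003.000,005xx000001Sv6B,https://api.addrcheck.example/v1/validate,POST,398,96,1
ApexCallout,20250915120004.000,005xx000001Sv6B,https://unlisted.example/hook,POST,51200,0,1
"""

META_NS = {"m": "http://soap.sforce.com/2006/04/metadata"}


def load_installed(json_text):
    """Map namespace prefix -> package name for installed managed packages."""
    packages = json.loads(json_text)["result"]
    return {p["SubscriberPackageNamespace"]: p["SubscriberPackageName"]
            for p in packages if p.get("SubscriberPackageNamespace")}


def parse_remote_sites(files):
    """Parse RemoteSiteSetting XML; namespace is "" for org-owned settings."""
    sites = []
    for fname, xml_text in files.items():
        component = fname.split(".remoteSite")[0]
        namespace, name = component.split("__", 1) if "__" in component else ("", component)
        root = ET.fromstring(xml_text)
        sites.append({"name": name, "namespace": namespace,
                      "host": urlsplit(root.findtext("m:url", namespaces=META_NS)).hostname,
                      "active": root.findtext("m:isActive", namespaces=META_NS) == "true"})
    return sites


def parse_callouts(csv_text):
    """Extract destination host and bytes sent from ApexCallout rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "ApexCallout":
            continue
        rows.append({"host": urlsplit(row["URL"]).hostname, "bytes_out": int(row["REQUEST_SIZE"])})
    return rows


def build_report(installed, sites, callouts):
    """Return (per-package report, hosts contacted that no active remote site covers).

    Callouts via named credentials need no remote site setting and so end up in
    the second result; trace those through NamedCredential metadata.
    """
    host_owner = {s["host"]: s["namespace"] for s in sites if s["active"]}
    report = {ns: {"package": name, "callouts": 0, "bytes_out": 0,
                   "hosts": sorted(s["host"] for s in sites if s["active"] and s["namespace"] == ns)}
              for ns, name in installed.items()}
    uncovered = {}
    for c in callouts:
        owner = host_owner.get(c["host"])
        if owner == "":
            continue  # org-owned remote site: not a package data flow
        target = report[owner] if owner in report else uncovered.setdefault(
            c["host"], {"callouts": 0, "bytes_out": 0})
        target["callouts"] += 1
        target["bytes_out"] += c["bytes_out"]
    return report, uncovered


if __name__ == "__main__":
    pkgs, unc = build_report(load_installed(INSTALLED_JSON), parse_remote_sites(REMOTE_SITES),
                             parse_callouts(APEX_CALLOUT_LOG))
    print(json.dumps({"packages": pkgs, "uncovered_hosts": unc}, indent=2))
```

Against a real Org, replace the three constants with the output of `sf package installed list --json`, the files from `sf project retrieve start -m RemoteSiteSetting`, and a downloaded ApexCallout log. The bytes_out figure is the quick tell: a zip-code validator that ships hundreds of kilobytes to a "telemetry" host deserves a question to the vendor. Two limits to keep in mind: the script only sees Apex HTTP callouts, not data a vendor pulls out through a connected app or an Apex REST endpoint (use the inbound API event types for those), and a package that uses named credentials shows up under the uncovered hosts rather than under its own name.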

Ultimately, robust security for managed packages hinges on two core principles: thorough vetting of your software providers and diligently removing applications when they are no longer essential.

How can Valo help?

Valo.ai provides a comprehensive solution to navigate the complexities and mitigate the inherent risks of Salesforce managed packages. Our platform empowers you to:

  • Gain Visibility into Your Managed Package Landscape: Valo.ai helps you identify and inventory all installed managed packages within your Salesforce Org, providing a clear overview of your attack surface.
  • Map and Understand Data Flows: We go beyond basic installation data, helping you scrutinize inbound and outbound communication.
  • Proactive Risk Assessment: By centralizing information on package installations, data flows, and usage, Valo.ai provides the critical insights needed for robust risk assessments, ensuring you only authorize applications that align with your security posture.

By leveraging Valo, you can move beyond reactive security measures and implement a proactive strategy for managing your Salesforce managed packages, significantly reducing your organization's exposure to hidden dangers.


Mika Stahlberg