Presented by

Jason Lord

“The key for people in regulated environments is to have a DevOps process and the awareness and capability to manage your settings to understand what your exposure can be.” – Vernon Keenan, Sr. Industry Analyst at SalesforceDevops.net 

The steps you take today will impact the stability of your Salesforce environment in the face of emerging data security threats. Jason Lord, AutoRABIT Chief Information Security Officer, and Vernon Keenan, Sr. Industry Analyst at SalesforceDevops.net, examine current trends and look down the road to identify the tools, tactics, and processes that will offer the best protection throughout the year.  

Podcast Transcript

Jason Lord 
Welcome to From Code to the Cloud, a DevSecOps podcast focused on the Salesforce ecosystem. I’m Jason Lord, the Chief Information Security Officer at AutoRABIT, and I’ll be your host. 
My guest today is Vernon Keenan, a senior industry analyst at SalesforceDevOps.net and a member of the Low Code Security Alliance. Welcome, Vernon. Thank you very much for taking the time to join me. I greatly look forward to this conversation. 
Vernon Keenan 
Hey, Jason, it’s going to be fun. Let’s get into it. 
Jason Lord 
Yeah, absolutely. So if you wouldn’t mind, take a minute or two to give our listeners and viewers a quick background on who you are and what brings you to the podcast. 
Vernon Keenan 
Sure. Well, my name is Vernon Keenan. 
I’m the publisher of SalesforceDevOps.net, where I cover AutoRABIT and all the other Salesforce DevOps companies and all of the things they do. And I also write a lot about AI and all the new things that are happening in the Salesforce ecosystem. 
I’m an analyst and commenter on the Salesforce ecosystem. 
I’ve also been involved in security matters my entire IT career and have been a champion of trying to get the message out about how Salesforce DevOps customers need to integrate, you know, security practices into their operations. 
Jason Lord 
Wonderful. Thank you very much. And my name is Jason Lord. I’ve been in the security space for about 29, 30 years now. 
Most recently, I spent time as a security executive at Bridgewater Associates, and prior to that, I was the Chief Information Security Officer at the White House and had a lengthy career in the DoD intel community and government contracting space in and around D.C. 
Vernon Keenan 
I can’t wait to have this podcast. I think everyone’s going to learn a lot. Let’s have some fun. 
Jason Lord 
Yeah, absolutely. So let’s jump into it. It’s 2025. Cybersecurity is no longer a thing that’s hidden in the dark closets and ignored by boards. 
There’s a lot of risks out there. What are we looking at for 2025? What are you seeing and where are we going? 
Vernon Keenan 
Well, I think for our listeners, the state of SaaS security is a little foggy right now, is how I would put it. 
I think that a lot of people get involved in creating SaaS systems and they may not always be aware of a key thing which we call the shared security model here. And I think that lack of awareness can lead to incidents, especially when you’re talking about exposing customer data through portals and user portals. 
This has turned out to be a fairly significant problem with some Salesforce deployments. 
There was the famous Irish health incident last year where they exposed information through their COVID portal, and that actually was a Salesforce Health Cloud incident. 
And I think we also are coming off of the famous Disney Slack security incident which happened last year, where somebody used, I believe it was spear phishing and other types of security exploits, to get credentials into a Slack system, downloaded content and used that in a cyber attack essentially against Disney. 
So I think that’s where we’re at: we’re trying to educate people that if you’re deploying SaaS systems, if you’ve got low code users, if you’re dynamically modifying your SaaS deployments, A, you probably need to have a DevOps process to manage that first of all. 
And that’s where AutoRABIT, I think, and all the others are really, really key for people in regulated environments, is to have that DevOps process, and then I think to have the awareness and the capability to manage your settings and to understand what your exposure can be is where we’re at. We’re still ramping up on that. 
Jason Lord 
Yeah. So if we look at Salesforce for an example, it’s an ecosystem that is designed for anyone to be able to go out and build an application. 
It’s the whole concept of low code. 
And when we look at DevOps, we see that as part of the traditional development process where coders develop code, there’s a release process, there’s security reviews that hopefully are happening and, you know, code goes into monitoring and through the software development life cycle. When we take something like Salesforce, should it be operating without DevOps? What risks are inherent to that that we’re seeing? 
Vernon Keenan 
Well, I think in 2025 there is no doubt that Salesforce DevOps is a critical process for anybody in a regulated environment or creating critical applications with Salesforce. 
So that may be distinguished from other, let’s say a RevOps application, where maybe you’re allowing the admins to kind of go in there and go wild in that type of environment, because you may not consider that to be a critical system. But let’s say you are a bank and you’re using nCino. That is a critical situation. 
Or the health cloud environment I mentioned earlier, or financial services cloud. 
I think that these are all environments that require source code management, artifact management, simulated deployments, metadata coordination, all of the things that go into a Salesforce DevOps system. And it’s also important, I think, for our listeners to know that Salesforce needs and supports the DevOps ecosystem that’s out there. 
They know that it’s critical for partners like AutoRABIT and all the rest to be there to provide that kind of structure. 
So I think this is a reality in 2025 in Salesforce: you kind of have to mute the, you know, “an admin can go in there and just change anything” for regulated systems. So I think that we’re well into that cycle now where people understand that and there’s a class of applications that have to be managed. 
Jason Lord 
Yeah, that’s wonderful. We’ve seen several data breaches or data leakage with a shared security model. I know security breach is now a legal term of, hey, this data happened. 
But what happens when an organization, through this shared security model, an admin grants permissions to everyone and shares information internally. How are we seeing that as a growing risk? 
Vernon Keenan 
Well, I think it’s actually key. So here you’re referring to internal security practices, right? Yeah. 
So, yeah, you don’t want a rep to be able to go in there and see what the VP is doing in another division, and you don’t want to have reps spying on other reps and things of that nature. So there’s a hierarchical security model. 
In fact, this is one of the advantages of working on the Salesforce ecosystem is that you have to use these models accurately. And there’s also kind of, I think, a challenge maybe, Jason, you can tell me a little bit what’s going on in this area. 
But I think there’s a real challenge in terms of the complexity of analyzing all this, all of the profiles and all the things that kind of come together in a Salesforce ecosystem. 
And that’s where I think maybe, you know, the vendors are going to maybe come in and help us analyze some of these security postures that you’ve established and make suggestions, because it’s quite frankly very complex. 
So the amount of metadata involved in defining all of these different security settings and the profiles and all that kind of stuff is extensive. And it’s always been kind of my feeling you need computer assistance to work on that. Do you see that trend? 
Jason Lord 
Yeah, absolutely. 
And it’s one of the things that we’ve worked on in the Low Code Security Alliance, to start doing the research and documenting this and sharing those findings with the community. 
Obviously this is a big thing and I don’t think anyone who’s developing in a low code environment wants to make mistakes or wants to overexpose information. So I think it’s part of the education process. 
Whether it’s from someone like you that’s a leader in the space or the software companies, it’s all of our responsibility to share those lessons of what we’re doing and seeing, especially simple, easy mistakes that can be made. 
And of course I live by a concept of automating as many things as possible in a good way, but building those repeatable, sustainable practices to make sure that we’re securing our environments. 
Vernon Keenan 
Yeah. Do you think that we’re going to have an advance in tooling to help us with some of this stuff? 
Jason Lord 
Well, I hope so, but I guess we can transition into the automation piece of the conversation. It’s 2025 and especially this week everyone’s talking about AI and automation. 
So yeah, we can build the tools, but the question is how do we build those tools? How do we build them with guardrails and, or should we be building these tools? What are your thoughts on automation and cyber threats? 
Vernon Keenan 
Oh boy, talk about a two-edged sword there. I think, A, it means that cyber attacks and threats like spear phishing and other things of that nature are going to get better and better. 
They’re going to become personalized. 
I think we’re seeing the merger of big data with cyber threats, where attackers are able to access personalized information about their targets and create, you know, attack vectors that are more realistic than ever. So I think that that’s just one of the many threats we’re looking at there. 
And then I think in terms of tooling, I’m hoping that... Let me back up a little bit and say, I think one of the challenges for the Salesforce DevOps industry is always to kind of deal with this complexity. 
And I think we have these things like all of the companies ingest a lot of metadata already, and so a lot of them kind of have the information in there to kind of provide some sort of framework for testing or for providing some sort of notifications about a possible security breach. Almost like kind of an SRE type of system where you would be throwing out notifications. 
And that’s where I would hope we see some of the AI tooling going. 
Because the thing I’ve noticed about using Salesforce metadata in an AI environment is that the, the concept of semantic matching and semantic organization seems to work very well with Salesforce metadata. 
So by ingesting metadata into an LLM, you’re able to, either through a RAG system or another type of search index, get these relationships out of seemingly unconnected features of different portions of metadata which may exhibit a security flaw, for example. 
So I think I’m hoping to see a new level of tooling come out that helps to automate some of these shared security responsibilities, because it’s definitely overwhelming, all of the options. And the dimensionality of a Salesforce setup is really considerable. 
I mean, you have the dimension of metadata, you got the dimension of the different security models, you have the hierarchical security model, then you have permission set security model and then you have other security models that kind of get layered upon each other. So there’s a lot of dimensions in there that can go undiscovered and create flaws. 
Jason Lord 
Yeah, well, there’s the rub. Everything that an attacker would want to have access to, to use is all easily readily available. 
And in an AI environment, current security tools, you know, alerting and monitoring, aren’t going to be able to stop that, especially at large scale. So security operations or DevSecOps is going to have to move in the exact same direction. It’s the arms race. It’s the arms race of 2025. 
How do we go build quick, you know, AI built tooling to stop what could potentially be, you know, happening inside or outside the environment. 
Vernon Keenan 
I mean, you’ve seen this before several times in your career, right? I mean the good guys certainly win, right? 
Jason Lord 
Well, that’s, that’s what we were taught as kids. 
Vernon Keenan 
So, but I mean, practically speaking, are industry efforts usually effective in meeting cyber threats, or are we losing the battle, do you think? 
Jason Lord 
I think where we’ve grown as an industry in the past, you know, 20 years is a good place to be, where we have defense in depth, we have a layered strategic approach to defending our networks, to scanning, all the way down to the DevSecOps piece of the house. But now AI is a force multiplier. It’s taking all of that to a level that’s, you know, unable to be defended against by human interaction. 
I mean, the best security operations team in the world can only handle X amount of incidents and you know, build alerts and tune alerts, you know, quickly enough. 
Vernon Keenan 
I think one of the things that we’re dealing with is somewhat public complacency on the subject. I think that there does seem to be a decrease in some of these incidents recently. 
And we also need to, I think highlight, unfortunately for me, as a marketer, like an industry marketer and maybe you could help me with this. 
But it seems like it’s one of the most important things to get the message out is about the incidents because unfortunately I think most executives are reactive in this way. 
So I think, you know, we have this Slack incident, we have the Irish health incident, there’s other Salesforce incidents that we can talk about and other types of SaaS data breaches. But I mean, how do you educate, how have you tried to educate the target audiences? 
Jason Lord 
Yeah, this is a great question. And you know, it’s the fear of unknowns that, you know, the security industry has always been subjected to. 
But over the last couple of years I’ve done some consulting for some Fortune 100 boards, going in and talking to them about security and the roles of the security organization. And one of the biggest things I always tell everyone is, like, don’t be scared of what you find. Don’t be scared of, you know, vulnerabilities. 
Don’t be scared of, you know, reporting. Don’t be scared of penetration tests and red teaming. Like, you know, lean into those things, take them and use them for what they are. 
Take those reports and make sure that your team is not glossing over the bad parts and showing you, oh, this is how many systems that we’ve patched or updated. Look at the, hey, where are the areas we need to go throw resources at, and it’s a hygiene issue. 
As an organization grows, the low hanging fruit is always going to stay there. That’s going to fall off the tree and rot, and then that becomes the biggest problem, because those are where the easy exposures come from. 
And you know, just like knowing that, oh, hey, we’re doing a penetration test, sure there might be confidential information that you don’t want shared, but why not share that with the development teams and the network engineering teams and the SaaS computing teams to make sure that they know and see what the risks are within an organization. And you know, it comes down to the basis of the security industry. Right. 
We have to protect the intellectual property in the company while the technology performs to make the company operational or to make it money, whatever the case might be. You can’t have one or the other. So how are you seeing the rise of embedded security play into low code application development? 
Vernon Keenan 
Absolutely. I think the answer is that we’re kind of in the middle of the shift left evolution. 
So I think in the Salesforce realm we tend to not even have, like, a CISO phase in code reviews. So I think the same kind of attention has not been paid to Salesforce. 
So I think that this is a, an evolution in terms of corporate roles that are out there. But I think in the meantime we are looking at the shift left concept that’s been going around for the last five years applied here. 
And that’s where I think you have products like CodeScan and other products like that that are directly integrated into the CI/CD processes, the software development lifecycle processes, more directly. 
Now, when I responded to this, I said we’re in the middle of the shift left evolution, and I think that developers are getting a little sick of being responsible for everything too. 
So I’m not sure where we’re going to go with this, but I think it’s automation in terms of security reviews that aren’t necessarily governed by the developers, that maybe it’s more of a process. But currently in Salesforce we are definitely focused on a shift left strategy where we’re putting it in the hands of the developers. 
So I’m always a little worried how well that’s executed. 
Jason Lord 
Yeah, so it’s the shared security model in reverse. Right. 
So security needs to be leaning in on the development side of the house, helping the development and the code be produced and put into production in a secure method, which, you know, allows the app developers to go and do their jobs easier instead of, you know, being the roadblock or the wall that says no, you can’t do this. 
Vernon Keenan 
So I think we’re still in the evolution of how that’s actually going to be handled, probably both within the regular cloud native development environments where you’re developing JavaScript, Go, Kubernetes types of applications, and SaaS as well. 
We always get our clues, I think in the Salesforce DevOps industry for what’s happening in the traditional DevOps industry and you know, platformization, shift left, other types of trends. We’re seeing that in Salesforce as well. 
And I think in that realm they’re trying to figure out exactly how to handle shift left because there is a bit of a revolt coming from developers. 
Jason Lord 
Well, how do you see that, taking it up to the global level? How do you see that working in, like, a governance, risk and compliance perspective, you know, like an ISO standard for low code? 
Vernon Keenan 
Oh, wow. Well, that’d be fantastic. 
I think what we’re talking about there is automated reviews in the CI/CD process and then having some sort of filtering or mitigation layer that goes on through those processes, because frequently those types of systems, scanning systems, can go unused or ignored because of overload in the messaging that’s coming out. 
I think that’s where we have AI to help us to try to prioritize those messages and to try to automate the handling and maybe even mitigation of some of those a little bit more automatically. So I think that’s where we’re going with embedded systems in deployment processes and AI assisted mitigation processes. 
Jason Lord 
I want to switch topics a little bit. Something that we had briefly touched on in previous conversations I think is very interesting. 
The role of the virtual employee in cybersecurity. 
Vernon Keenan 
Wow. Okay. Yeah. 
Jason Lord 
How do you think that’s going to play out this year and going forward? 
Vernon Keenan 
Okay, well, I think it’s actually going to be a big deal, probably a bigger deal than most people imagine. Here’s why: this is an in-demand role that people are having a hard time filling, and it’s also one of those roles that can be run 24/7. 
By virtual employee, I mean an agentic AI system that’s able to perform tasks and functions that you would normally associate with a regular job title. 
So the SRE AI or the SOC Compliance Analyst virtual employee are two categories of virtual employee where you have multiple startups pursuing the opportunity right now. So I think that it’s definitely going to happen more. 
I believe that with the development of agentic systems, it’s being spurred on by this competition that we’re seeing right now, that was kind of exhibited this week that we’re recording. This was the DeepSeek news that took the market, took Nvidia down 14% on their chip news or whatever. 
And I think the way to unpack the DeepSeek news is that they have come up with a new way to take LLM outputs and kind of manipulate them in an intelligent way to get further cognitive scaling out of it. It’s called test-time compute, among various other words for this. 
But it’s essentially you’re training the AI models to think more like a human in terms of considering options, weighing different ways of doing things and so forth, and then picking an optimal method and then maybe even going back and trying another method and comparing the two methods. Things that we all kind of do in our head when we’re thinking about a hard problem as opposed to intuitively just spitting out an answer. 
I actually call these systems that incorporate reasoning like this AGI-like systems right now. 
Meaning that you can get human-like performance and characteristics out of some of these systems. And we have this competitive spurt going on, and I think we also have another thing. 
So on one hand we have the technology kind of coming together on multiple vectors, creating this weird, super fast, extra-exponential AI world that we’re living in. 
And then the other thing about virtual employees that’s happening is what I call the giant sucking sound at the end of the room, which is the CEOs and the CIOs and other people who have to do workforce management thinking, wow, here’s a new way to build my operational workforce or my staffing functions even. I can hire more employees now for exponentially less money and they’re going to work 24/7. So I think that’s what I mean by the giant sucking sound. 
This is different than the SaaS revolution, because in the SaaS revolution it took us maybe five or ten years to convince people that putting your data in the cloud was a good idea. 
Jason Lord 
Sure. Yeah. 
Vernon Keenan 
And I think we’ve already convinced some CEOs and some operators, especially startup operators, that they can grow their workforce through agents and not necessarily people. So I think the VE thing is real. Like I said, the giant sucking sound thing is happening. 
And then if you look at it sector by sector, I think the IT sector is the one that’s going to go first. So it is things like software engineering, SOC analyst, SRE, maybe even Salesforce DevOps release manager, a Salesforce DevOps admin. 
So yeah, we’re getting more and more to the point where you can have a business manager communicate with one of these VEs in business language, and then the VE is able to actually operationalize that through using the SaaS product. And another thing that happened this week, I mean, I can’t believe it’s all happening all at once. 
It’s hard to keep track of, actually. OpenAI released this thing called Operator. 
So the way to look at Operator is that we have a world where maybe 10% of the functions that you use a website for have been converted into APIs. And with Salesforce this is actually maybe like 60 to 70% of the things that you do with the website have been converted into API capabilities. 
But there’s this tail of things that are not implemented through APIs that you still have to use the SaaS product to do. 
So now with things like Operator and API access to Operator, you’re going to have these VEs able to command directly virtual web browsers in the cloud to operate SaaS products for you in the background. 
So I think this Operator thing was a key unlock for the whole virtual employee realm, and I think we’re going to see it first in IT, and I think actually security might be one of the first sectors to see this in because of the lack of available talent to fill some of these roles. 
Jason Lord 
Yeah, I’m excited and terrified of what this means. Obviously I look at the technical increases that can be hugely beneficial for any organization that’s able to use this. 
I look at the hurdles and all the chopping of wood over the years, especially when we look at it from the perspective of data that goes into security operations. 
Security operations and incident response being a large part of my background, and being able to collect and log information around those that makes the security operator more effective and see more information. But like I said, it’s highly exciting and terrifying at the same time. 
Vernon Keenan 
I’m a little terrified too. And specifically the reason why is, is entry level jobs. 
Jason Lord 
No, absolutely. 
Like, because any organization that I’ve ever worked in, you know, call it flat, call it a structured network, I’ve never worked in an environment where the entry level employee or the admin or the first-year SRE guy doesn’t have access, you know, in the same way inside of a network. So you know, it’s those accounts, those capabilities that can be overtaken and wreak absolute havoc, create chaos. 
Vernon Keenan 
Plus I think the career ladder here is that I think the VE capabilities that are being developed now directly target kind of like entry level capability, you know, job titles. So I worry about the hollowing out of the workforce. 
I think that you’re going to have super skilled AI people kind of commanding these things and there’s going to be fewer and fewer people learning how the AIs actually work. I don’t think we’ve figured this thing out exactly, but there are market forces, you know, the giant sucking sound. 
I definitely hear it, I definitely hear it from the startup community here in the Bay Area. And I also hear it from Salesforce customer CEOs. 
The way I found out the Agentforce thing is real is I called around to a bunch of system integrators, and the thing that they were reporting to me is that they’re getting the calls themselves now from operations leaders that they’ve got to get moving on this agent stuff. So, like I said, the difference between the SaaS evolution and the AI evolution is very tangible. 
Jason Lord 
Yeah. I think we’re at our stopping point, which is very unfortunate. 
I think you and I could keep going on this for hours, but I greatly appreciate you taking the time to speak to me today. I just want to give you an opportunity to leave any parting thoughts that you might have. 
Vernon Keenan 
Well, let me try to accomplish my mission here, which is to educate people that there’s a lot that you need to know about maintaining your security posture if you’re a SaaS platform user. 
I think the Low Code Security Alliance is definitely an organization that you can get information from and participate in, and be part of the evolving world that’s out there. I think we need more leadership in this area. I think we kind of need a CISO function to be done more strategically within Salesforce implementations. 
And it’s something to look at from day one, especially if you’re in one of these regulated industries. I think you have to realize from day one that you have to have a detailed security posture. 
And we need to figure out how to help our developers incorporate tooling and, like I said before, to try to get those scanning tools in there from the beginning. 
Jason Lord 
Yeah, absolutely. Well, thank you very, very much, Vernon. It was wonderful talking to you. I look forward to working with you. 
Vernon Keenan 
And it’s quite a host for this podcast, so I think everybody should tune in. 
Jason Lord 
Yeah. So we’re going to switch it up. We’re going to have a couple other hosts doing it. Andrew Davis and I are also going to do a couple of collaborative events and maybe take this on the road. Who knows, see what’s out there. 
Vernon Keenan 
But yeah, well, you as the new CISO for AutoRABIT, I think that is a wonderful sign for the industry. So congratulations. 
Jason Lord 
Well, thank you very much. Thank you for joining us on the inaugural episode of From Code to the Cloud. 
We’ll be releasing informative conversations with industry leaders every month, so be sure to subscribe to the show wherever you stream podcasts. You can also visit us at www.autorabit.com for show notes, helpful links, and access to every episode as they’re released. 
Stay safe out there, and we’ll see you next time. Thank you.