Tips and Tricks to Pass the Salesforce Security Review Process
Manishi Singh, Ryan Flood

Ryan Flood (rflood@salesforce.com), Senior Director, ISV Technical Enablement
Manishi Singh (msingh@salesforce.com), Senior Product Security Engineer
Forward-Looking Statements
Statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks,
uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could
differ materially from the results expressed or implied by the forward looking statements we make. All statements other than statements of historical fact
could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items
and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or
upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our
service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth,
interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible
mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our
employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com
products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of
salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most
recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information
section of our Website.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently
available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions
based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update
these forward-looking statements.
Agenda
• Security Review - Importance, Resources, Roles
• Building security in your app
• Development phases
• Tools & Resources
• After Security Review
Why is Security Important
Trust is our #1 value
Salesforce is a cloud computing company
Customer Trust is integral to our success
• They have to trust us with their data
• That’s our job
• Secure our products and marketplace
• Reinforce and maintain the trust that customers put in our platform
8 industry leading apps, 1 platform
AppExchange is a Trusted Ecosystem
Both Salesforce and partners are critical parts of that trust
We provide documentation, tools, and guidance to maintain a secure offering
Your secure offering will help better sell to and serve our mutual customers
Enterprise customers expect security built-in
Maintaining a secure lifecycle ensures you always maintain customer trust
Trust is our #1 value
How we secure the ecosystem
Layers of Protection
Platform
• Built-in protection for XSS, CSRF, scoped access control, separate domains
• Auth, Session Handling, Filtering, TLS, Infrastructure, Patching, Auditing & Logging
Process
• Security Review
• Initial Review
• Re-reviews
• Spot Checks
Content
• Secure cloud development
• Outreach to partners
• Trailhead modules
Tools
• Code scanner
• Chimera web scanner
• Monitoring
Partners
• Partners maintain security consistent with best practices
Who is Who in the SR process
ISV Partner Team
ISV Partner Account Manager (PAM) - Your primary point of contact
ISV Technical Evangelist (TE) - Helps partner prepare for SR
Security Review Operations (SR Ops) - Reviews submission, responsible for notifications to partners
Product Security Team
Product Security Engineer - Provide guidance, review/test applications
Other
Product Development Outsourcer (PDOs) - Can assist with SR success
The Security Review Process

The Security Review Process
Design | Develop | Testing | Release
Design:
- Review Trailhead modules
- Review best practices documentation
- Attend Office Hours
Develop:
- Continuous integration tools for ongoing security scanning
Testing:
- Run Force.com Scanner
- Run Chimera/ZAP Scanner
Release:
- Submit for Manual Security Review
The Security Review Process
Design | Develop | Testing | Release
Design:
- Review Trailhead modules
- Review best practices documentation
- Attend Office Hours

Design: Training
Comprehensive, hands-on Trailhead modules for learning secure coding on the platform.
Go to sfdc.co/devsecuritytrail

Design: Documentation
App Cloud Security Dev Center - Landing page for all things AppExchange Security
Go to sfdc.co/securitydevcenter

Design: Office hours
Submission Process Office Hours - https://sfdc.co/submissionofficehours - Submission Process questions
Security Review Technical Office Hours - https://sfdc.co/securityofficehours - Technical Security questions
Available both in US and EU time zones.
The Security Review Process
Design | Develop | Testing | Release
Develop:
- Continuous integration tools for ongoing security scanning

Develop: PMD – Source Code Analyzer
Now Supporting Rulesets for Apex and Visualforce in PMD
• Maven PMD Plugin
• Gradle: The PMD Plugin
• Eclipse Plugin
• NetBeans Plugin
• JBuilder Plugin
• JDeveloper Plugin
• IntelliJ IDEA Plugin
Upcoming
• Sublime Plugin
• Atom Plugin
• Force.com IDE Integration

Develop: PMD + Providence
Providence is a commit-time analysis tool to find security anti-patterns in your code.
https://github.com/salesforce/Providence
Integrated with PMD scanner to find Apex and Visualforce issues

Develop: Continuous Integration with Checkmarx
Checkmarx is a source scanner with support for Salesforce technologies
Detailed information for better handoff to Checkmarx: https://lp.checkmarx.com/salesforce/
Salesforce presets available for free: https://sfdc.co/cxpresets
The Security Review Process
Design | Develop | Testing | Release
Testing:
- Run Force.com Scanner
- Run Chimera/ZAP Scanner

Testing: Native code
Force.com Source Scanner
Static analysis tool to find common security issues in your native code
Looks for common issues in Apex, Visualforce and Lightning like XSS, CSRF, CRUD/FLS etc.
Manual code review for adherence to Secure Coding Guidelines.
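CRUD/FLS is one of the issue classes the deck names for the Force.com Source Scanner. As an added example, not code from the deck or from Salesforce, the Apex below puts a method that queries and updates a field with no permission check beside one that enforces object-level (CRUD) and field-level (FLS) access through the describe API before each operation. The class, method and exception names are hypothetical; Contact, its Email field and the Schema describe calls are standard platform APIs.

```apex
// Added example, not from the deck: the CRUD/FLS gap the Force.com Source
// Scanner reports in Apex, beside the enforced version. Class and method
// names are hypothetical; Contact, Contact.Email and the Schema describe
// calls are standard platform APIs.
public with sharing class ContactEmailService {

    // Thrown when the running user lacks the required object or field permission.
    public class AccessDeniedException extends Exception {}

    // Unchecked pattern (what the scanner flags): the query and the update run
    // regardless of the user's profile or permission sets, so a user who may
    // not read or edit Contact.Email still does both through this method.
    public static Contact updateEmailUnchecked(Id contactId, String newEmail) {
        Contact c = [SELECT Id, Email FROM Contact WHERE Id = :contactId];
        c.Email = newEmail;
        update c;
        return c;
    }

    // Enforced pattern: confirm object-level CRUD and field-level FLS with the
    // describe API before the query and again before the DML, failing closed.
    public static Contact updateEmailChecked(Id contactId, String newEmail) {
        Schema.DescribeSObjectResult contactType = Schema.SObjectType.Contact;
        Schema.DescribeFieldResult emailField = Schema.SObjectType.Contact.fields.Email;

        // Read side: the object and every queried field must be accessible.
        if (!contactType.isAccessible() || !emailField.isAccessible()) {
            throw new AccessDeniedException('No read access to Contact.Email');
        }
        Contact c = [SELECT Id, Email FROM Contact WHERE Id = :contactId];

        // Write side: the object and every field being set must be updateable.
        if (!contactType.isUpdateable() || !emailField.isUpdateable()) {
            throw new AccessDeniedException('No update access to Contact.Email');
        }
        c.Email = newEmail;
        update c;
        return c;
    }
}
```

A Visualforce or Lightning controller that calls the unchecked method is what the scanner reports as a CRUD/FLS violation; the checked method fails closed, so a caller without the permission gets an exception rather than data or a write it is not entitled to. The same two checks extend to every field in the SELECT list and every field assigned before DML.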
Testing: Composite apps
ZAP Scanner - sfdc.co/zapsetup
Automated web app scanner to find common web vulnerabilities
Chimera Scanner - sfdc.co/ChimeraScanner
Fire and forget web application scanner that uses ZAP as an engine
Manual Testing
Scanners are limited in what they can find

Testing: Source scanner portal
Centralized portal to help you track and manage Force.com security scans
Schedule scans, download scan reports
Search all scans for your org
Manage scan credits for your org
https://sfdc.co/scan
The Security Review Process
Design | Develop | Testing | Release
Release:
- Submit for Manual Security Review

Release
Trailhead module to prepare for security review.
Go to sfdc.co/SecurityReviewPrep

Release: Office hours
Submission Process Office Hours - https://sfdc.co/submissionofficehours - Submission Process questions
Security Review Technical Office Hour - https://sfdc.co/securityofficehours - Technical Security questions
Available both in US and EU time zones.
Submit for Security Review
Requirements by app type (columns: Native | Native + Lightning Components | Composite Web App/Service Client | Composite Mobile/Client | API Only)
Force.com environment: Yes | Yes (with components configured for testing) | Yes | Yes | Yes
External components / credentials: Yes (e.g. urls, credentials) | Yes (e.g. link to APK) | Yes (e.g. urls, credentials)
Managed package: Yes | Yes | Yes
Force.com code scanner report: Yes | Yes | Yes
ZAP/Burp/Chimera report: Yes | Yes (ZAP/Burp) | Yes
False positive report: If required | If required | If required | If required | If required
Documentation: Recommended | Recommended | Recommended | Recommended | Recommended
Rows with fewer than five entries list only the app types for which the slide marks the requirement.
Common causes of delay
Problems with submission
• Invalid or expired environment credentials
• Missing Web Scans for endpoints in scope
• Incorrect package version installed
• Missing false positive documents

Interpreting results
Sorry! Your App Failed
Don’t Panic
• Product Security Office Hours
• The report is focused on breadth, not depth. Test is time-boxed*
• Conduct a comprehensive review - make required fixes
• Re-run reports (Checkmarx, ZAP/Burp/Chimera)
• Ensure the test environment has the latest package version
• Schedule a follow-up Security Review
*We can’t include every instance of a vulnerability/issue in the report

Congratulations! Your App Passed
Next Steps
• Get to work on Trialforce/Templates (if applicable), TSO/Templates require a Security Review as well
• Complete your AppExchange listing
• Market/Sell/Succeed!
Security @ Dreamforce
Salesforce Security Booth & Developer Sessions Information
Find the “Salesforce Security” booth in Developer Forest
Security Sessions @ Dreamforce
Monday, November 6
• 10:15 a.m. | Creating LockerService Ready Lightning Components With Webpack | Moscone West, Developer Theater
• 1:30 p.m. | Common Web Security Vulnerabilities and their Fixes | Moscone West, Frontier Theater
• 2:00 p.m. | Avoiding Common Security Mistakes | Moscone West, Frontier Theater
Tuesday, November 7
• 9:15 a.m. | Secure Apps Using the Salesforce Mobile SDK | Moscone West, Canyon Theater
• 1:00 p.m. | Securing Heroku Apps | Moscone West, Frontier Theater
Wednesday, November 8
• 9:00 a.m. | Tips and Tricks to Pass the Salesforce Security Review Process | Park Central Hotel, Olympic
• 1:00 p.m. | Security Best Practices for Building Lightning Components | Park Central Hotel, Olympic
Thursday, November 9
• 10:30 a.m. | Scaling Security at your Company | Moscone West, Frontier Theater
• 11:00 a.m. | Data Access for Apex, Visualforce, and Lightning | Moscone West, Frontier Theater
• 11:30 a.m. | Lightning Security Within Components | Moscone West, Frontier Theater
• 12:00 p.m. | Lightning Security Across Components | Moscone West, Frontier Theater
• 12:30 p.m. | Getting The Most Out of Security Scans