Your SlideShare is downloading. ×
  • Like
Df10101 badhwar
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply


  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Secure Cloud Development
    VarunBadhwar:Senior Manager, Security,
  • 2. Safe Harbor
    Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
    The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of, inc. is included in our annual report on Form 10-K for the most recent fiscal year ended January 31, 2010. This documents and others are available on the SEC Filings section of the Investor Information section of our Web site.
    Any unreleased services or features referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available., inc. assumes no obligation and does not intend to update these forward-looking statements.
  • 3.
  • 4. Agenda’s Philosophy
    Secure Cloud Development Lifecycle:
    Secure Design
    Secure Development
    Secure Testing
    Security Libraries for Common Development Platforms
    Recommended Free Testing Tools
    Spot the Bug Contest
  • 5.
    • Success of cloud computing dependant on earning and maintaining customer trust
    • 6. Protecting the privacy of customer data is’s core value
    • 7. Details available at: Philosophy
    “Security better be on top of everyone’s mind.”
    - Marc Benioff CEO,
  • 8. Vision
    Create a security conscious community within which all developers / ISVs value trust as a priority
    Provide free educational resources, tools and processes that help deliver trusted applications
    Reduce overall development costs
    According to NIST*, eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post-release
    * NIST –The National Institute of Standard and Technology
  • 9. Secure (Software) Development Lifecycle
    Seamless integration of security into your existing SDLC
  • 10. Secure Development Lifecycle: Education
    Overview of Security
    Learn about the sharing model and various security controls available to org administrators
    Developer Training
    Get educated on writing secure code on
    Developer Quiz
    Assess your security awareness and learn to identify vulnerabilities within code
  • 11. Secure Development Lifecycle: Design
    Security Design Resources
    Generic articles and resources. Topics include authentication, single sign-on, sharing, etc.
    Security Discussion Board
    Discuss your questions & concerns with developers and employees
    Security Self-Assessment
    Receive a customized report with links to security articles and resources specific to your application architecture
    Office Hours
    Receive free consultation from a member of the security team
  • 12. Secure Development Lifecycle: Development
    Secure Coding Guidelines
    Obtain platform-specific (, Java, .Net, etc.) recommendations on mitigating security vulnerabilities such as XSS, Injection, Session Management, etc.
    Secure Coding Library
    Open source library for implementing additional security features (CRUD/FLS, input validation, output encoding, etc.)
    Follows OWASP Enterprise Security API
  • 13. Secure Development Lifecycle: Testing Security Source Code Scanner
    On-demand static source code analysis tool to identify security vulnerabilities within your Apex and Visualforce code
    Web Application Security Scanner
    Integrating a web-application with AppExchange & OEM partners are entitled to receive a free license for Burp Suite Professional
  • 14. Secure Development Lifecycle: Release Security Review
    Periodic security review of AppExchange and OEM applications
    Details published at:
    Incident Response (Coming Soon)
    Guidance on engaging with customers and in case of a security incident
  • 15. Recommended Security Libraries for Common Development Platforms
    ESAPI (authentication, validation, encoding/decoding, WAF, cryptography)
    Apache Shiro (authentication, authorization, session management, cryptography)
    ESAPI (authentication, validation, encoding/decoding, WAF, cryptography)
    HTML Purifier (white-list based filtering & XSS protection)
    MS Web Protection Library (XSS and SQLi protection)
    ESAPI (authentication, validation, encoding/decoding, WAF, cryptography)
    Ruby on Rails
    Loofah (XSS protection)
    ESAPI coming soon
  • 16. Recommended (Free) Testing Tools
    Acunetix Free Edition (XSS only)
    Netsparker Community Edition (SQLi & XSS only)
    SWFScan & Nemo440 (Flash)
    CookieDigger (Cookies)
    OpenSSL, SSLDigger
    Nessus, nMap
    Multi-purpose Proxies & Plug-ins:
    Proxies: Paros, WebScarab, Burp
    Plug-ins: Web Developer, Firebug, Tamper Data
  • 17. Checkmarx Eclipse Plug-in for
    Direct visibility into security and quality issues
    Eclipse Plugin
    Line by line click-through
    Free 90 day trial for first 1000 downloads
    Download at
  • 18. Spot the Bug Contest
    Identify the bug in this code snippet and win a $50 Amazon gift card!
  • 19. Key Take Aways
    Deliver Secure Applications
    Educate developers on security
    Consider security implications at design time
    Leverage guidelines, open-source code and assistance from to your advantage
    Incorporate security testing into each release cycle
    Earn & Maintain Customer Trust
    Save $$$ in Development Costs
  • 20. Question & Answer
    Varun Badhwar
  • 21. Secure Cloud Development
  • 22. Visit the Developer Training and Support Booth in Zone
    D I S C O V E R
    Developer training, certification and support resources
    that help you achieve
    S U C C E S S
    Find us in the Partner Demo Area of Zone 2nd Floor Moscone West
    Learn about Developer Certifications
    Discover Developer Learning Paths
  • 23. How Could Dreamforce Be Better? Tell Us!
    Log in to the Dreamforce app to submit
    surveys for the sessions you attended
    Use the Dreamforce Mobile app to submit surveys
    Every session survey you submit is a chance to win an iPod nano!