An Insider's Guide to the AppExchange Security Review

Learn all the essentials of the Security Review process — from both an operations and technical standpoint.

  1. Insider's Guide to AppExchange Security Review
     Astha Singhal, Manishi Singh
  2. #TDX17
     • Astha Singhal, Senior Manager, Product Security (@astha_singhal, astha.singhal@salesforce.com)
     • Manishi Singh, Senior Director, ISV Technical Enablement (@singhmanishi, msingh@salesforce.com)
  3. Forward-Looking Statements
     Statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Website. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
  4. Why is Security Important: Trust is our #1 value
     • Salesforce is a cloud computing company
     • Customer Trust is integral to our success
       – They have to trust us with their data
       – That's our job
       – Secure our products and marketplace
       – Reinforce and maintain the Trust that our customers place in the Salesforce platform
     8 industry leading apps, 1 platform
  5. AppExchange is a Trusted Ecosystem: Trust is our #1 value
     • Both Salesforce and partners are critical parts of that trust
     • We provide documentation, tools, and guidance to maintain a secure offering
     • Your secure offering will help you better sell to and serve our mutual customers
     • Enterprise customers expect Security built-in
     • Maintaining a secure lifecycle ensures you always maintain customer trust
  6. How we secure the ecosystem: Layers of Protection
     • Platform
       – Built-in protection for XSS, CSRF, scoped access control, separate domains
       – Auth, Session Handling, Filtering, TLS, Infrastructure, Patching, Auditing & Logging
     • Process
       – Security Review: Initial Review, Re-reviews, Spot Checks
     • Partners
       – Partners maintain security consistent with best practices
     • Tools
       – Code scanner, Chimera web scanner, Monitoring
     • Content
       – Secure cloud development, Outreach to partners, Trailhead modules
  7. The Team in the Security Review Process
     • ISV Partner Team
       – ISV Partner Account Manager: your primary point of contact
       – ISV Technical Evangelist: helps partners prepare for SR
       – Security Review Operations: reviews submissions, responsible for notifications to partners
     • Product Security Team
       – Product Security Engineer: provides guidance, reviews/tests applications
     • Other
       – Product Development Outsourcer: can assist with SR success
  8. What do we test?
     • Users
     • APIs (REST, SOAP)
     • Custom UI
     • Data Processing
     • Data Storage
     • External Integrations
     • Client Apps
  9. The Security Review Process: Design → Develop → Testing → Release
     • Design: review Trailhead modules; review best practices documentation; attend Office Hours
     • Develop: continuous integration tools for ongoing security scanning
     • Testing: run Force.com Scanner; run Chimera/ZAP Scanner
     • Release: submit for Manual Security Review
  10. The Security Review Process, Design phase (of Design → Develop → Testing → Release)
      • Review Trailhead modules
      • Review best practices documentation
      • Attend Office Hours
  11. Design: Training
      • Comprehensive, hands-on Trailhead modules for learning secure coding on the platform.
      • Go to https://sfdc.co/devsecuritytrail
  12. Design: Documentation
      • App Cloud Security Dev Center
      • Landing page for all things AppExchange Security
      • Go to https://sfdc.co/secdevcenter
  13. Design: Office hours
      • Submission Process Office Hours
        – https://sfdc.co/submissionofficehours
        – Submission Process questions
      • Security Review Technical Office Hours
        – https://sfdc.co/securityofficehours
        – Technical Security questions
        – Available in both US and EU time zones.
  14. The Security Review Process, Develop phase (of Design → Develop → Testing → Release)
      • Continuous integration tools for ongoing security scanning
  15. Develop: PMD, Source Code Analyzer
      • Now supporting rulesets for Apex and Visualforce in PMD
      • Maven PMD Plugin
      • Gradle: The PMD Plugin
      • Eclipse Plugin
      • NetBeans Plugin
      • JBuilder Plugin
      • JDeveloper Plugin
      • IntelliJ IDEA Plugin
      • Upcoming: Sublime Plugin, Atom Plugin, Force.com IDE Integration
  16. Develop: PMD + Providence
      • Providence is a commit-time analysis tool to find security anti-patterns in your code.
      • https://github.com/salesforce/Providence
      • Integrated with the PMD scanner to find Apex and Visualforce issues
  17. Develop: Continuous integration with Checkmarx
      • Detailed information for a better handoff to Checkmarx
      • Salesforce presets available for free: https://sfdc.co/cxpresets
  18. The Security Review Process, Testing phase (of Design → Develop → Testing → Release)
      • Run Force.com Scanner
      • Run Chimera/ZAP Scanner
  19. Testing: Native code
      • Force.com Source Scanner
        – Static analysis tool to find common security issues in your native code.
        – Looks for commonly found issues in Apex, Visualforce and Lightning like XSS, CSRF, CRUD/FLS etc.
      • Manual code review for adherence to Secure Coding Guidelines. Automated tools are no substitute for manual testing!
  20. Testing: Composite apps
      • ZAP Scanner
        – Go to https://sfdc.co/zapsetup
        – Automated web application scanner to find common web vulnerabilities
      • Chimera Scanner
        – Go to https://sfdc.co/ChimeraScanner
        – Fire-and-forget cloud scanner that runs ZAP as an engine.
      • Manual testing
        – Scanners are limited in terms of what they can find.
  21. Testing: Source Scanner Portal
      • Centralized portal that lets you track and manage your Force.com Security Scans.
      • Schedule scans, download scan reports
      • Search all the scans for your org
      • Manage scan credits for your orgs
  22. The Security Review Process, Release phase (of Design → Develop → Testing → Release)
      • Submit for Manual Security Review
  23. Release
      • Trailhead module to prepare for security review.
      • Go to https://sfdc.co/SecurityReviewPrep
  24. Submit for Manual Security Review: requirements by app type
      The slide is a grid whose columns are the five app types: Native; Native + Lightning Components; Composite Web App/Service; Composite Mobile/Client; API Only.
      • Force.com environment: Yes for all five (Native + Lightning Components: Yes, with components configured for testing)
      • External components / credentials: Yes for Composite Web App/Service and API Only (e.g. URLs, credentials) and for Composite Mobile/Client (e.g. a link to the APK)
      • Managed package: Yes, Yes, Yes (three of the five columns)
      • Force.com code scanner report: Yes, Yes, Yes (three of the five columns)
      • ZAP/Burp/Chimera report: Yes for Composite Web App/Service, Composite Mobile/Client (ZAP/Burp) and API Only
      • False positive report: If required (all five)
      • Documentation: Recommended (all five)
  25. Common causes of delay
      • Problems with submission
        – Invalid or expired environment credentials
        – Missing Web Scans for endpoints in scope
        – Incorrect package version installed
        – Missing false positive documents
  26. Interpreting results
      • Sorry! Your App Failed! Don't Panic
        – Product Security Office Hours
        – The report is focused on breadth, not depth. The test is time-boxed, so we can't include every instance of a vulnerability/issue in the report
        – Conduct a comprehensive review and make the required fixes
        – Re-run reports (Checkmarx, ZAP/Burp/Chimera)
        – Ensure the test environment has the latest package version
        – Schedule a follow-up Security Review
      • Congratulations! Your App Passed
      • Next Steps
        – Get to work on Trialforce/Templates (if applicable); TSO/Templates require a Security Review as well
        – Complete your AppExchange listing
        – Market/Sell/Succeed!
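Slide 19 lists CRUD/FLS among the issue classes the Force.com Source Scanner reports in Apex. The Apex class below is an added example, not code from the deck or from any Salesforce tool: it shows the unchecked query a scanner flags as a CRUD/FLS finding next to two hardened forms. The class and method names are constructed for illustration; Account, Name and AnnualRevenue are standard platform objects and fields.

```apex
// Added example (not from the deck): the CRUD/FLS anti-pattern a code scanner
// reports, beside two hardened forms. Class and method names are constructed.
// Note: "with sharing" enforces record-level sharing rules only; it does NOT
// enforce object (CRUD) or field-level (FLS) permissions, hence the checks below.
public with sharing class AccountExport {

    // Anti-pattern: Apex runs in system context, so this returns AnnualRevenue
    // even to a user whose profile has no read access to that field (or to
    // Account at all). Scanners report this query as a CRUD/FLS violation.
    public static List<Account> exportUnchecked() {
        return [SELECT Id, Name, AnnualRevenue FROM Account LIMIT 100];
    }

    // Hardened form 1: explicit describe checks before the query. Fails closed
    // when the running user lacks object read access or read access to any
    // field the query selects (Id is always readable, so it is not checked).
    public static List<Account> exportChecked() {
        Schema.DescribeSObjectResult acct = Schema.sObjectType.Account;
        if (!acct.isAccessible()
            || !Schema.sObjectType.Account.fields.Name.isAccessible()
            || !Schema.sObjectType.Account.fields.AnnualRevenue.isAccessible()) {
            // Surface a clear access error instead of silently leaking data.
            throw new NoAccessException();
        }
        return [SELECT Id, Name, AnnualRevenue FROM Account LIMIT 100];
    }

    // Hardened form 2: query, then let the platform strip every field the
    // running user cannot read. getRemovedFields() reports what was dropped,
    // which is useful for auditing/logging rather than failing the request.
    public static List<Account> exportStripped() {
        List<Account> raw = [SELECT Id, Name, AnnualRevenue FROM Account LIMIT 100];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, raw);
        Map<String, Set<String>> removed = decision.getRemovedFields();
        if (removed.containsKey('Account')) {
            System.debug(LoggingLevel.INFO,
                'Stripped inaccessible Account fields: ' + removed.get('Account'));
        }
        return (List<Account>) decision.getRecords();
    }
}
```

Running the scanner against a class containing only exportUnchecked() reproduces the CRUD/FLS finding described on slide 19; either hardened form is the kind of fix the false-positive and re-scan steps on slides 24 to 26 expect to see before resubmission.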