Are you a fan of time saving tools? Did you know that Salesforce has teamed up with Checkmarx to offer free security scans of your platform code? Join us to learn how the Checkmarx code scanner will save you time and improve your security by analyzing your code and providing you with a free report. When you leave, you'll know exactly how to submit a scan request, which vulnerabilities will be found, and how to interpret the report.

1. Secure Salesforce:
Static Analysis as a Service
Best Practices for using our Source Scanner
​ Robert Sussland
​ SMTS Product Security
​ rsussland@salesforce.com
​

2. ​ Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
​ This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties
materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed
or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-
looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any
statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new,
planned, or upgraded services or technology developments and customer contracts or use of our services.
​ The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new
functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our
operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any
litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our
relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our
service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger
enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our
annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter.
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section
of our Web site.
​ Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available
and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features
that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Safe Harbor

3. Robert Sussland
SMTS Product Security, Salesforce

4. Agenda
• Service Overview
• Intro to Static Analysis
• Static Analysis as a Service
• Parsing Results
• Pain Points and Solutions
• Demo
• Special Guest
• QA

5. Service Overview

6. Static Analysis with Checkmarx Suite

7. Static Analysis with Checkmarx Suite

8. Static Analysis with Checkmarx Suite
• Look for data flows from sources to sinks
• Sources:
• URL Parameters
• sObject Values
• User Input (e.g. in a form)
• @AuraEnabled methods
• Sinks
• Unescaped HTML (e.g. aura:unescapedHtml or VF escape=“false”) //XSS
• Database.query() //SOQL injection

9. Static Analysis with Checkmarx Suite
• If data flows from a source to sink without passing through a sanitizer, then report a
vulnerability.
• Sanitizers:
• String.escapeSingleQuote() //SOQL injection
• HTMLENCODE() //VF page
• We don’t have a full string solver, or full information about data types or context:

10. Static Analysis with Checkmarx Suite
• If data flows from a source to sink without passing through a sanitizer, then report a
vulnerability.
• Sanitizers:
• String.escapeSingleQuote() //SOQL injection
• HTMLENCODE() //VF page
• We don’t have a full string solver, or full information about data types or context:
//vulnerable
qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + taint + “ ‘ “;

11. Static Analysis with Checkmarx Suite
• If data flows from a source to sink without passing through a sanitizer, then report a
vulnerability.
• Sanitizers:
• String.escapeSingleQuote() //SOQL injection
• HTMLENCODE() //VF page
• We don’t have a full string solver, or full information about data types or context:
//vulnerable
qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + taint + “ ‘ “;
//vulnerable
qry = “SELECT Name, “ + taint + “FROM Account LIMIT 1”;

12. Static Analysis with Checkmarx Suite
• False Positives and False Negatives
String sanitized = String.escapeSingleQuotes(taint);
//safe
qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + sanitized + “ ‘ “;
Database.query(qry);
//vulnerable (FN)
qry = “SELECT Name, “ + sanitized + “FROM Account LIMIT 1”;
Database.query(qry);

13. Static Analysis with Checkmarx Suite
• False Negatives
<a href=“{!HTMLENCODE(taint)}”>click here</a> //taint=javascript:
• Trade off between False Positives and False negatives
• Should a substring of a tainted string be tainted?
• Should the string replace of a tainted string be tainted?
• Should the concatenation of a tainted and untainted string be tainted?
• How do we know whether to HTMLENCODE, JSENCODE,URLENCODE?

14. How to Audit a Result Path
• Look at ends of path
• source should be a valid source
• sink should be a valid sink
• Follow from source to sink to verify that
• Escaping is appropriate for output context
• Escaping happens at the right place
• Escaping complies with your developer policies

15. Static Analysis as a Service
• We make access to Checkmarx static analysis available online for free
• Primary use case is Appexchange, not bespoke development
• Scan approximately 900 million lines of code per year (closing in on 1 billion lines/year)
• Average lines of code per app ~ 37,000
• Approximately 20,000 apps per year (e.g. average of 54 apps/day)
• During peak usage, we process about 200 apps per day
• Scan time is averages approximately 12.5 lines of code/second, but highly variable
• Dramatic increase in pass rates

16. Contract with Checkmarx
• Previous contract
• Was for license (1 server) to be used for Appexchange scans
• Strategy was to throttle based on wait times
• Current contract
• Flexible licenses, but limit quantity and types of scans
• Appexchange – 3 free scans per app
• Non-appexchange – 30K lines of code per month

17. Pain Points and Solutions

18. Pain points and solutions
• False positives/false negatives
• Recommend to purchase your own scanner to adjust the rules
• Throttling based on code too large
• Limit increased to 750,000 lines of code in the new portal
• Limit will remain 500,000 lines of code for customers that are not parters
• Throttling based on email domain/too many scans submitted
• Removed in new Portal
• No report if no issues found
• New reports

19. Pain points and solutions
• Issues getting reports
• Many problems with emailing large files
• Addressed in new Portal
• Knowing scan status
• Addressed in new Portal
• Wait too long
• Solution is to add more capacity
• We added 3 servers this year, plan to add 3-6 more servers next year.
• But some scans will still get stuck and need to be resubmitted
• We will still be delayed during monthly patch times (third weekend of each month)
• We will still be delayed during upgrades/service (approx. 4 times per year)

20. Demo

21. Special Guest – Igor Matlin, Checkmarx

22. Integrate into your SDLC and Automate security scans
Developers
Source repository
Fix suggestions
Build management
Auditor control
panel
Bug
tracking
SVN
TFS
TFS
Bamboo
Web Service API
CLI
CxAudit
Checkmarx web client
TeamMentor
Dashboards
DAST
Integrations

23. Scan & Fix Your Code Security Flaws
detailed
remediation
advice
where to fix
(best place to fix)
vulnerable line of
code
IDE integration
?
Attack vector
IDE Plugins available for

24. Eclipse Checkmarx© Plugin

25. For more information about
Checkmarx© Enterprise Grade Security Scanner
please visit www.checkmarx.com/salesforce

26. Summary

27. Summary
• Understand the basics of dataflows to help detect false positives and false negatives
• Sign up for new portal! http://goo.gl/forms/OsZVkwWKR2
• Look at CX offerings for your enterprise!

28. Secure Salesforce at Dreamforce 2015
​ 10 DevZone Talks and 2 Lighting Zone Talks covering all aspects of
Security on the Salesforce Platform
​ Visit our booth in the DevZone with any security questions
​ Check out the schedule and details at http://bit.ly/DF15Sec
​ Admin-related security questions?
​ Join us for coffee in the Admin Zone Security Cafe

29. Secure Salesforce – Thursday Afternoon
Lightning Components Best Practices
​ Robert Sussland and Sergey Gorbaty
​ 4:45pm in Moscone West 2007
​ Common Secure Coding Mistakes
​ Rachel Black and Alejandro Raigon Munoz
​ 5:00pm in Moscone West 2006

30. Secure Salesforce – Friday
​ Chimera: External Integration Security
​ Tim Bach and Travis Safford
​ 10:00am in Moscone West 2009

31. Thank you