This document provides an overview of building secure applications in the cloud. It discusses Salesforce's philosophy of putting customer privacy and security first. It also covers Salesforce's security review process for applications, common vulnerabilities tested for like injection flaws and cross-site scripting, and resources available to help partners develop securely like guidelines, code scanning tools, and office hours support.

1. Building Secure Applications
in the Cloud
James Dolph, Salesforce.com, Product Security Senior Manager
@SecureCloudDev

2. Safe harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties
materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or
implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking,
including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements
regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded
services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality
for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results
and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other
litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating
history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful
customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers.
Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-
Q for the most recent fiscal quarter ended July 31, 2012. This documents and others containing important disclosures are available on the SEC
Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available
and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features
that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

3. Agenda
• Philosophy and overview
• Resources and tips
• Collaborate and get help
• Takeaways

4. Philosophy and Overview

5. Nothing is more important to
our company than the privacy
of our customer's data
-Parker Harris Executive VP, Technology Salesforce.com

6. In the news
1.5 Million Hotel chain BitCoin bank
credit card multiple hacked
numbers stolen compromises • $250K stolen
• Stock dropped • $10.6m in Fraud • Suspended
operations
• Visa dropped from • FTC fine
compliant list • 600k+ accounts

7. Security Review
• Mandatory
• Enterprise level
• Application Focused

8. What’s in scope
Force.com Native: Apex, Visualforce, Anything in a
package.
Web Apps: Application or web service hosted on
Heroku, other PAAS or hosting provider.
PAAS
Web Client and
Applications Mobile Apps Client and Mobile: Apps installed on customer
computers, mobile devices or data center.

9. What we test
• Automated code scan
• Manual code review and black box testing
• Client side components (Flash. JavaScript)
• Integrations and web services
• Automated testing and manual black box testing
Web • Client side components (Flash, JavaScript)
Applications • Integrations and web services
• Architecture review and web server testing
• Manual hands on testing of the application
Client and • Integrations and web services
Mobile Apps
• Architecture review and web server testing

10. OWASP Top 10 (2010)
1. Injection (SQLi, XML, LDAP etc.)
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access (e.g. admin pages)
9. Insufficient Transport Layer Protection (SSL, Config)
10. Unvalidated Redirects and Forwards

11. ISV Security Review Outcomes
Approved:
• Meets our requirements
• Offering can be listed on the AppExchange
• Subsequent review is scheduled
Provisionally Approved (very rarely issued):
• Meets our requirements but may have very low risk issues as determined by review team
• The offering can be temporarily listed on the AppExchange
• Failure to remedy issues in a timely manner results in removal from the AppExchange
Not Approved:
• Does not meet our requirements
• New Partners are not permitted to list on AppExchange until all issues are fixed
• Existing offerings are delisted from the AppExchange if they fail to remediate issues

12. Why do offerings pass or fail
Why offerings pass Why offerings don’t pass
• Early testing and prep • Lack of testing and prep
• Understanding • Misunderstanding
requirements requirements
• Understanding scope • Limiting scope
• Use ISV resources • Not using ISV resources

13. Security Resources

14. Secure Cloud Development
http://developer.force.com/security
• Secure Coding Guidelines
• Secure Coding Library
• Security Self-Assessment
• Partner security office hours
• Force.com Security Code Scanner
• ISV program partners receive a free web
application scanning tool license

15. Native app security tips
• Business logic issues
• Client side issues
• Flash and Silverlight
• Merge fields in JavaScript blocks or on* methods
• S-Controls and custom buttons/links
• Secure callouts / secure JS includes
Native
• Secure storage of data

16. Web app and client app tips
• Business logic issues
• Multitenancy access control enforcement
• CSRF
• Client side issues
• Flash and Silverlight issues
• Secure JS includes
Composite
and Client • Secure storage of credentials, tokens, and keys

17. Collaborate and get help

18. Collaborate and get help
• Secure Cloud Development
• Force.com discussion boards
• Partner Portal
• Twitter @SecureCloudDev
• ISV Office hours
• Email

19. ISV Office Hours
http://bit.ly/ISVSecurityOfficeHours

20. Takeaways

21. Takeaways
• We want you to succeed
• Preparation is key
• Take advantage of our resources
• Give yourself time
• We’re here to help

22. Wrap up

23. DF12 ISV Success Sessions
Great sessions for each phase of the lifecycle
Plan Build Distribute Sell Support
ISV Kickoff: Getting Started Distributing & Licensing Your App How to Support Your Customers
How to Architect & Design Your App Automate Your App Sales ISV PM Product Roadmap
Designing Social Apps (Workshop)
Extend Your Commercial Force.com App Expanding Your Marketing Reach with AppExchange
Team Development and Release Mgmt Marketing Best Practices in the Social Era
Building Secure Applications in the Cloud Mastering the Direct Sales Model
Selling Social Apps
Follow sessions and join the Partner Success Group on

24. A Few Reminders. . .
Why Work With a PDO Partner Success Experts
Innovation Theater and Lounge
1:1 Success Clinics
Innovation Theater and Lounge
Need to relax? Have a massage!
Check out the Partner Hub
540 Howard Street
Survey (Session Record) Cloud Crawl (Thursday Night)
Follow us on Twitter @partnerforce

25. Partner Hub – Speaker Debrief
Why Work With a PDO
Partner
Success
Clinics
Welcome Desk
Speaker
Debrief
Area