FORCE.COM
SECURITY
BUILDING SECURE APPS ON FORCE.COM PLATFORM
OVERVIEW
• What is Security?
• Is force.com platform not Secure?!
• What is Security Review?
• Common Security Vulnerabilities
• Why do these Vulnerabilities occur?
• How to fix these Vulnerabilities?
WHAT IS SECURITY?
• Prevent unauthorized external access of data and logic
• Prevent unauthorized internal access of data and logic
• Principle of Least Privilege
“Users should only have access to the minimum amount of information required
to accomplish their duties”
“Users’ ability to take advantage of excess privilege purposefully or accidentally
should be minimized”
IS FORCE.COM NOT SECURE?!
• All standard apps built on force.com are secure & respect all data access and
security settings
• Because force.com is a platform, it gives some power & flexibility to the
developers; some of the security controls are handed over to developers
• So, when building custom apps, it is the developer's responsibility to take
care of some security aspects
WHAT IS SECURITY REVIEW?!
• Salesforce security experts look at the application’s source code to ensure
proper security standards are followed
• Is security only important for AppExchange apps?
• Security is more significant for AppExchange apps, but the guidelines should
be followed all the time.
COMMON SECURITY VULNERABILITIES
• Not respecting CRUD
• Not respecting FLS
• Not respecting Sharing Settings
• SOQL Injection
• XSS (Cross-Site Scripting)
• CSRF (Cross-Site Request Forgery)
• Open Redirects
• Insecure Remote Resource Interactions
NOT RESPECTING CRUD!
• Occurs when an application violates CRUD settings on Profiles/Permission Sets
• Execution Context:
User Context: Enforces CRUD
System Context: Ignores CRUD
• Apex runs in system context, which means it ignores CRUD settings
Users can query the data even if there is no READ permission
Users can Create records even if there is no CREATE permission
Users can Update records even if there is no EDIT permission
Users can Delete records even if there is no DELETE permission
• VF pages respect CRUD, but this is not always true!
CRUD IN VF PAGE
• VF code respects CRUD:
• VF code does not respect CRUD:
• VF Pages with JS Remoting do not respect CRUD
MAKING APEX RESPECT CRUD
• Before query or DML use:
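An added example (not code from the deck) of the object-level checks this slide refers to, written with the Schema describe methods Apex provides. The Contact object is standard; the ContactService class name and the method names are assumptions. The @RemoteAction method is included because, as the previous slide notes, JS Remoting does not enforce CRUD, so the check has to live in the Apex method itself:

```apex
public with sharing class ContactService {
    // Added example: object-level (CRUD) checks before SOQL and DML.
    // Apex runs in system context, so without these checks the profile's
    // object permissions are silently ignored.

    // Also exposed to JS Remoting: remoting does not enforce CRUD, so the
    // check must be in the method, not in the page.
    @RemoteAction
    public static List<Contact> listContacts() {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new System.NoAccessException();   // user lacks READ on Contact
        }
        return [SELECT Id, LastName FROM Contact LIMIT 100];
    }

    public static Contact createContact(String lastName) {
        if (!Schema.sObjectType.Contact.isCreateable()) {
            throw new System.NoAccessException();   // user lacks CREATE on Contact
        }
        Contact c = new Contact(LastName = lastName);
        insert c;
        return c;
    }

    public static void renameContact(Id contactId, String newLastName) {
        if (!Schema.sObjectType.Contact.isUpdateable()) {
            throw new System.NoAccessException();   // user lacks EDIT on Contact
        }
        update new Contact(Id = contactId, LastName = newLastName);
    }

    public static void deleteContact(Id contactId) {
        if (!Schema.sObjectType.Contact.isDeletable()) {
            throw new System.NoAccessException();   // user lacks DELETE on Contact
        }
        delete new Contact(Id = contactId);
    }
}
```

These checks are object-level only; a user allowed to read Contact may still be forbidden from reading individual fields, which is the separate FLS check covered later in the deck. On newer API versions the read side can also be enforced by adding WITH SECURITY_ENFORCED to the SOQL statement, which throws if either CRUD or FLS would be violated.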
NOT RESPECTING FLS!
• Occurs when an application violates Field Level Security settings
• Execution Context:
User Context: Enforces FLS
System Context: Ignores FLS
• Apex runs in system context, which means it ignores FLS settings
Users can see the data of a field which is hidden
Users can update/create the data of a field which is hidden/read-only
• VF pages respect FLS, but this is not always true!
FLS IN VF PAGE
• VF code respects FLS:
• VF code does not respect FLS:
• VF pages with JS Remoting do not respect FLS
MAKING APEX RESPECT FLS
• Before query or DML use:
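An added example (not code from the deck) of field-level checks before a query and before DML. It uses the Apex Schema describe methods on individual fields, and, as a second approach, Security.stripInaccessible, which was added to the platform later than the Schema describe calls. The Contact fields are standard; the class name and the field list are assumptions:

```apex
public with sharing class ContactFieldService {
    // Added example: field-level security (FLS) checks on top of CRUD.
    // The field list is developer-controlled, never user input, so joining it
    // into a dynamic query does not open a SOQL injection.
    private static final List<String> FIELDS = new List<String>{ 'LastName', 'Email', 'Phone' };

    // Build the SELECT list from the fields the running user may read;
    // hidden fields are simply left out of the query.
    public static List<Contact> readVisibleFields() {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new System.NoAccessException();          // object-level check first
        }
        Map<String, Schema.SObjectField> fieldMap = Schema.sObjectType.Contact.fields.getMap();
        List<String> readable = new List<String>();
        for (String f : FIELDS) {
            // describe map keys are lower-case field API names
            if (fieldMap.get(f.toLowerCase()).getDescribe().isAccessible()) {
                readable.add(f);
            }
        }
        if (readable.isEmpty()) {
            throw new System.NoAccessException();          // nothing the user may see
        }
        return Database.query('SELECT ' + String.join(readable, ', ') + ' FROM Contact LIMIT 100');
    }

    // Refuse the update outright when the user may not edit the field.
    public static void updateEmail(Id contactId, String email) {
        if (!Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new System.NoAccessException();          // Email is read-only or hidden
        }
        update new Contact(Id = contactId, Email = email);
    }

    // Alternative: strip the fields the user cannot create, then insert what remains.
    public static Contact insertStripped(Contact c) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, new List<Contact>{ c });
        List<Contact> safe = (List<Contact>) decision.getRecords();
        insert safe;
        return safe[0];
    }
}
```

The two approaches fail differently: the describe checks reject the whole operation, while stripInaccessible silently drops the offending fields and proceeds. Which one is right depends on whether a partial write is acceptable to the business logic; either way the decision is explicit in code rather than left to system context.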
NOT RESPECTING SHARING SETTINGS!
• Occurs when the application violates Sharing Settings
• Execution Context:
User Context: Enforces Sharing Settings
System Context: Ignores Sharing Settings
• Apex runs in system context, which means it ignores Sharing settings
Users can see the records which are not shared with them
SHARING SETTINGS SCENARIOS!
• Apex does not Respect Sharing Settings
• Apex Respects Sharing Settings
FIXING SHARING ISSUE!
• Use the “with sharing” keyword for every class
• You should have a strong reason if you are not using the “with sharing” keyword
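An added example (not from the deck) showing the weak setting beside the corrected one. The Opportunity object is standard; the class names are assumptions. The third class uses "inherited sharing", a keyword the platform added later than the other two, which is included here because it is the safe default for utility classes:

```apex
// Added example: sharing keywords side by side.

// Weak: no sharing keyword. When this class is the entry point (for example a
// Visualforce controller) it runs without sharing, so the query returns
// Opportunity records that are not shared with the running user.
public class ReportController {
    public List<Opportunity> getOpps() {
        return [SELECT Id, Name, Amount FROM Opportunity LIMIT 200];
    }
}

// Corrected: the same query now respects sharing rules and returns only the
// records the running user is allowed to see.
public with sharing class ReportControllerSecure {
    public List<Opportunity> getOpps() {
        return [SELECT Id, Name, Amount FROM Opportunity LIMIT 200];
    }
}

// Utility code that may be called from either context: inherit the caller's
// sharing, and default to "with sharing" when called directly.
public inherited sharing class OpportunityUtil {
    public static Integer countVisible() {
        return [SELECT COUNT() FROM Opportunity];
    }
}

// The documented exception: an aggregate that must see every record and that
// returns no record data. The reason is stated in the class comment so a
// reviewer can confirm it is intentional.
public without sharing class OpportunityCounter {
    public static Integer countAll() {
        return [SELECT COUNT() FROM Opportunity];
    }
}
```

A reviewer reading this code can tell at a glance which classes bypass sharing and why; an unmarked class forces them to trace every caller to know how it will run.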
SOQL INJECTION!
• SOQL injection is the vulnerability which allows attackers to modify queries at
run time, thereby getting access to unauthorized data
• Occurs when user input starts behaving like code instead of text!
• This happens when user input is directly inserted into a dynamic query without
validating or escaping
• Users can access fields or data that a developer did not intend to reveal!
PREVENTING SOQL INJECTION!
• Use static queries wherever possible
• Escaping Single Quotes:
- This adds a backslash (\) before every single quote
- This prevents the input from being treated as code; it is treated as a string instead
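An added example (not code from the deck) of the vulnerable dynamic query next to the fixes this slide lists: a static query, and escaping with String.escapeSingleQuotes where a dynamic query is unavoidable. The Contact object and fields are standard; the class name and the allow-listed field names are assumptions:

```apex
public with sharing class ContactSearch {
    // Vulnerable: the user-supplied value is concatenated into the query text,
    // so a single quote in it ends the string literal and the rest of the input
    // is parsed as SOQL rather than as data.
    public static List<Contact> searchUnsafe(String name) {
        String q = 'SELECT Id, LastName FROM Contact WHERE LastName = \'' + name + '\'';
        return Database.query(q);
    }

    // Fix 1 (preferred): a static query with a bind variable. The value is
    // passed to the query engine separately and is never parsed as SOQL.
    public static List<Contact> searchStatic(String name) {
        return [SELECT Id, LastName FROM Contact WHERE LastName = :name];
    }

    // Fix 2: escaping, for the case where the query text really must be built
    // at runtime. escapeSingleQuotes prefixes every ' with a backslash, so the
    // input stays inside the string literal.
    public static List<Contact> searchEscaped(String name) {
        String q = 'SELECT Id, LastName FROM Contact WHERE LastName = \''
                 + String.escapeSingleQuotes(name) + '\'';
        return Database.query(q);
    }

    // Fix 3: the field is chosen at runtime, which escaping cannot protect.
    // Allow-list the field name and keep the value as a bind variable; dynamic
    // SOQL resolves :value from the local scope.
    public static List<Contact> searchByField(String fieldName, String value) {
        Set<String> allowedFields = new Set<String>{ 'LastName', 'Email' };
        if (!allowedFields.contains(fieldName)) {
            throw new IllegalArgumentException('Field not allowed: ' + fieldName);
        }
        String q = 'SELECT Id, LastName FROM Contact WHERE ' + fieldName + ' = :value';
        return Database.query(q);
    }
}
```

Two caveats for reviewers: escapeSingleQuotes only protects string literals, so it does nothing for input used as a field name, an operator, or a LIKE pattern (where % and _ remain wildcards); and a bind variable is the only fix that needs no reasoning about where in the query the value lands.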
XSS – (CROSS SITE SCRIPTING)!
• XSS is the vulnerability which allows attackers to insert unauthorized
JavaScript, VBScript, HTML or other active content into a web page.
• When the web page loads, the malicious code executes, which may lead to a
wide range of security issues.
• Occurs due to poor separation between code and data contexts.
• Occurs when user input is treated as code!
- Data starts acting as code!
TYPES OF XSS!
• Reflected XSS
- Malicious script is injected as url parameter
- Malicious script is injected into a text field
• Stored XSS
- Malicious script is stored in the database
- Malicious script executes when data is retrieved and displayed on a web
page
SOME IMPACTS OF XSS!
• Malicious script can be used to steal sensitive data
• Malicious script can be used to deface a web page and impact a company’s
reputation
• Attackers can steal a user’s session and make unauthorized requests
• Attackers can show a pop up which looks legitimate, but could download a
virus
• Malicious script can be used to log key strokes and steal user credentials
• Many more…
PREVENTING XSS!
• Avoid use of “escape=false” with VF tags
• Use “JSENCODE()” in a JavaScript context
• Use “HTMLENCODE()” in an HTML context
• Use “JSINHTMLENCODE()” when both JavaScript and HTML are involved
CSRF (CROSS SITE REQUEST FORGERY)
• CSRF is a vulnerability where a malicious application causes a user to perform
an unwanted action on a trusted site
• The user is tricked into clicking on a URL
- which looks legitimate
- but performs unwanted action
• Can lead to unwanted data updates or deletes
PREVENTING CSRF
• Avoid any state-changing operations in the action attribute of the “apex:page” tag
• Avoid DML actions which create, update or delete data in the “apex:page” tag
OPEN REDIRECTS
• Open Redirect is a vulnerability where a user is redirected to an
unauthorized site
• Also known as “Arbitrary Redirect”
• Occurs when values that are controlled by the user determine where the app
redirects
PREVENTING OPEN REDIRECTS
• Allow only local redirects, i.e. allow only relative URLs (paths)
• Whitelist all allowed external domains & validate before redirection
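An added example (not code from the deck) of a controller that applies both rules on this slide: it accepts a relative path, or an absolute https URL whose host is on an allow-list, and falls back to a fixed page otherwise. The class name, the retURL parameter name, the fallback path and the allow-listed host are all assumptions:

```apex
public with sharing class SafeRedirectController {
    // Added example: validate a user-controlled redirect target.
    // Assumed allow-list of external hosts; constructed for this example.
    private static final Set<String> ALLOWED_HOSTS = new Set<String>{ 'www.example.com' };
    // Assumed fallback when the requested target is rejected.
    private static final String FALLBACK = '/home/home.jsp';

    // Page action: reads the retURL parameter and redirects only to a safe target.
    public PageReference redirect() {
        String target = ApexPages.currentPage().getParameters().get('retURL');
        PageReference pr = new PageReference(isSafeTarget(target) ? target : FALLBACK);
        pr.setRedirect(true);
        return pr;
    }

    @TestVisible
    private static Boolean isSafeTarget(String target) {
        if (String.isBlank(target)) {
            return false;
        }
        // Local redirect: a single leading slash. Reject "//host" (protocol-relative)
        // and "/\host", which browsers also treat as an absolute URL.
        if (target.startsWith('/') && !target.startsWith('//') && !target.startsWith('/\\')) {
            return true;
        }
        // External redirect: parse the URL and compare the host with the allow-list.
        // Only https is accepted; anything that fails to parse is rejected.
        if (target.startsWithIgnoreCase('https://')) {
            try {
                Url parsed = new Url(target);
                return ALLOWED_HOSTS.contains(parsed.getHost().toLowerCase());
            } catch (Exception e) {
                return false;
            }
        }
        return false;
    }
}
```

The comparison is done on the parsed host, not on a substring of the raw input, because checks such as "contains the allowed domain" are satisfied by any URL that merely embeds the trusted name.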
REMOTE RESOURCE INTERACTION
• Avoid using CDNs
- The risk is not that big, but we want to achieve 100% security
- A compromised CDN could serve malicious code that steals data, redirects to malicious sites, etc.
• Use static resources for storing all third-party libraries and scripts
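An added example (not from the deck) of one Visualforce page that applies the fixes from the XSS, CSRF and remote-resource slides together: output encoded for the context it lands in, no state-changing action on the apex:page tag, and a library served from a static resource. It assumes a static resource named "jquery" has been uploaded, that the page is opened with a Contact id, and that the "q" URL parameter is untrusted:

```html
<apex:page standardController="Contact">
  <!-- Added example: a page that applies the XSS, CSRF and remote-resource fixes. -->

  <!-- Remote resources: load the library from a static resource, not from a CDN. -->
  <apex:includeScript value="{!$Resource.jquery}"/>

  <!-- HTML context: outputText escapes by default, so escape="false" is not used. -->
  <apex:outputText value="{!Contact.Description}"/>

  <!-- If escape="false" is unavoidable, encode for the HTML context first. -->
  <apex:outputText value="{!HTMLENCODE($CurrentPage.parameters.q)}" escape="false"/>

  <!-- JavaScript context: a merge field inside a script is not escaped for JS,
       so JSENCODE is required to keep the value inside the string literal. -->
  <script>
    var searchTerm = '{!JSENCODE($CurrentPage.parameters.q)}';
  </script>

  <!-- JavaScript inside an HTML attribute: both encodings apply. -->
  <input type="button" value="Show"
         onclick="alert('{!JSINHTMLENCODE($CurrentPage.parameters.q)}');"/>

  <!-- CSRF: no action attribute on apex:page, so nothing changes state on a GET.
       The delete runs only from an explicit form post, which carries the
       anti-forgery token Visualforce adds to apex:form. -->
  <apex:form>
    <apex:commandButton action="{!delete}" value="Delete contact"/>
  </apex:form>
</apex:page>
```

The rule of thumb the three encodings express is to pick the function by where the value is rendered, not by where it came from: the same "q" parameter is encoded three different ways on this page.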
• Not respecting CRUD
• Not respecting FLS
• Not respecting Sharing Settings
• SOQL Injection
• XSS (Cross-Site Scripting)
• CSRF (Cross-Site Request Forgery)
• Open Redirects
• Insecure Remote Resource Interactions

More Related Content

What's hot

Istio Security Overview
Istio Security OverviewIstio Security Overview
Istio Security OverviewMichael Furman
 
How to Do a Performance Audit of Your .NET Website
How to Do a Performance Audit of Your .NET WebsiteHow to Do a Performance Audit of Your .NET Website
How to Do a Performance Audit of Your .NET WebsiteDNN
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham
 
CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationSam Bowne
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application SecurityUniface
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Writing Secure SharePoint Code - SharePoint Saturday Toronto
Writing Secure SharePoint Code - SharePoint Saturday TorontoWriting Secure SharePoint Code - SharePoint Saturday Toronto
Writing Secure SharePoint Code - SharePoint Saturday TorontoEli Robillard
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
 
CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
 
Securing java web applications
Securing java web applicationsSecuring java web applications
Securing java web applicationsJonas Elias Flesch
 
Securing Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecurityWill Tran
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsSam Bowne
 
Infosec girls training-hackcummins-college-jan-2020(v0.1)
Infosec girls training-hackcummins-college-jan-2020(v0.1)Infosec girls training-hackcummins-college-jan-2020(v0.1)
Infosec girls training-hackcummins-college-jan-2020(v0.1)Shrutirupa Banerjiee
 

What's hot (20)

Istio Security Overview
Istio Security OverviewIstio Security Overview
Istio Security Overview
 
How to Do a Performance Audit of Your .NET Website
How to Do a Performance Audit of Your .NET WebsiteHow to Do a Performance Audit of Your .NET Website
How to Do a Performance Audit of Your .NET Website
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
 
CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking Authentication
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 Speech
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application Security
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Writing Secure SharePoint Code - SharePoint Saturday Toronto
Writing Secure SharePoint Code - SharePoint Saturday TorontoWriting Secure SharePoint Code - SharePoint Saturday Toronto
Writing Secure SharePoint Code - SharePoint Saturday Toronto
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management
 
Securing java web applications
Securing java web applicationsSecuring java web applications
Securing java web applications
 
Securing Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud SecuritySecuring Microservices with Spring Cloud Security
Securing Microservices with Spring Cloud Security
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side Controls
 
Infosec girls training-hackcummins-college-jan-2020(v0.1)
Infosec girls training-hackcummins-college-jan-2020(v0.1)Infosec girls training-hackcummins-college-jan-2020(v0.1)
Infosec girls training-hackcummins-college-jan-2020(v0.1)
 

Viewers also liked

Omni channel - Salesforce Developer Group Bengaluru
Omni channel - Salesforce Developer Group BengaluruOmni channel - Salesforce Developer Group Bengaluru
Omni channel - Salesforce Developer Group BengaluruAbhilash Kuntar
 
Lightning experience (LEX)_Dec meetup
Lightning experience (LEX)_Dec meetupLightning experience (LEX)_Dec meetup
Lightning experience (LEX)_Dec meetupAbhilash Kuntar
 
Lightning Developer Week - Bangalore Salesforce Developer Group
Lightning Developer Week - Bangalore Salesforce Developer GroupLightning Developer Week - Bangalore Salesforce Developer Group
Lightning Developer Week - Bangalore Salesforce Developer GroupAbhilash Kuntar
 
Batchable vs @future vs Queueable
Batchable vs @future vs QueueableBatchable vs @future vs Queueable
Batchable vs @future vs QueueableBoris Bachovski
 
Build Apps Visually with Lightning App Builder
Build Apps Visually with Lightning App BuilderBuild Apps Visually with Lightning App Builder
Build Apps Visually with Lightning App BuilderSalesforce Developers
 
Connecticut Salesforce Developer Group - Jan 2017
Connecticut Salesforce Developer Group - Jan 2017Connecticut Salesforce Developer Group - Jan 2017
Connecticut Salesforce Developer Group - Jan 2017Jitendra Zaa
 
REST API in Salesforce
REST API in SalesforceREST API in Salesforce
REST API in SalesforceVivek Deepak
 

Viewers also liked (13)

Omni channel - Salesforce Developer Group Bengaluru
Omni channel - Salesforce Developer Group BengaluruOmni channel - Salesforce Developer Group Bengaluru
Omni channel - Salesforce Developer Group Bengaluru
 
Lightning experience (LEX)_Dec meetup
Lightning experience (LEX)_Dec meetupLightning experience (LEX)_Dec meetup
Lightning experience (LEX)_Dec meetup
 
Git basics
Git basicsGit basics
Git basics
 
OAuth
OAuthOAuth
OAuth
 
Lightning Developer Week - Bangalore Salesforce Developer Group
Lightning Developer Week - Bangalore Salesforce Developer GroupLightning Developer Week - Bangalore Salesforce Developer Group
Lightning Developer Week - Bangalore Salesforce Developer Group
 
OAuth
OAuthOAuth
OAuth
 
How to Create and Exit Strategy
How to Create and Exit StrategyHow to Create and Exit Strategy
How to Create and Exit Strategy
 
Batchable vs @future vs Queueable
Batchable vs @future vs QueueableBatchable vs @future vs Queueable
Batchable vs @future vs Queueable
 
Using Apex for REST Integration
Using Apex for REST IntegrationUsing Apex for REST Integration
Using Apex for REST Integration
 
Build Apps Visually with Lightning App Builder
Build Apps Visually with Lightning App BuilderBuild Apps Visually with Lightning App Builder
Build Apps Visually with Lightning App Builder
 
Connecticut Salesforce Developer Group - Jan 2017
Connecticut Salesforce Developer Group - Jan 2017Connecticut Salesforce Developer Group - Jan 2017
Connecticut Salesforce Developer Group - Jan 2017
 
REST API in Salesforce
REST API in SalesforceREST API in Salesforce
REST API in Salesforce
 
Exploring the Salesforce REST API
Exploring the Salesforce REST APIExploring the Salesforce REST API
Exploring the Salesforce REST API
 

Similar to Force.com security

Top 10 web application security risks akash mahajan
Top 10 web application security risks   akash mahajanTop 10 web application security risks   akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01G Prachi
 
Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015Joe Ferguson
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforcegbreavin
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer
 
Detailed Developer Report.pdf
Detailed Developer Report.pdfDetailed Developer Report.pdf
Detailed Developer Report.pdfnalla14
 

Similar to Force.com security (20)

Top 10 web application security risks akash mahajan
Top 10 web application security risks   akash mahajanTop 10 web application security risks   akash mahajan
Top 10 web application security risks akash mahajan
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
 
Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforce
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilities
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdf
 
Software security
Software security Software security
Software security
 
Vulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVulnerabilities in Web Applications
Vulnerabilities in Web Applications
 
Detailed Developer Report.pdf
Detailed Developer Report.pdfDetailed Developer Report.pdf
Detailed Developer Report.pdf
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 

Recently uploaded

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Force.com security

NOT RESPECTING CRUD!
• Occurs when an application violates CRUD settings on Profiles/Permission Sets
• Execution Context:
User Context: Enforces CRUD
System Context: Ignores CRUD
• Apex runs in system context, which means it ignores CRUD settings
Users can query the data even if there is no READ permission
Users can Create records even if there is no CREATE permission
Users can Update records even if there is no EDIT permission
Users can Delete records even if there is no DELETE permission
• VF Pages respect CRUD, but this is not always true!
CRUD IN VF PAGE
• VF code respects CRUD:
• VF code does not respect CRUD:
• VF Pages with JS Remoting do not respect CRUD
MAKING APEX RESPECT CRUD
• Before query or DML use:
NOT RESPECTING FLS!
• Occurs when an application violates Field Level Security settings
• Execution Context:
User Context: Enforces FLS
System Context: Ignores FLS
• Apex runs in system context, which means it ignores FLS settings
Users can see data of a field which is hidden
Users can update/create data of a field which is hidden/read-only
• VF Pages respect FLS, but this is not always true!
FLS IN VF PAGE
• VF code respects FLS:
• VF code does not respect FLS:
• VF pages with JS Remoting do not respect FLS
MAKING APEX RESPECT FLS
• Before query or DML use:
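As an added example (not code from the slides), one way to apply both the CRUD check and the FLS check described above before a SOQL query and before DML, using the Schema describe methods Apex provides; the class, method and field names are assumptions:

```apex
// Added example: object-level (CRUD) and field-level (FLS) checks before SOQL/DML.
// Class, method and field names are assumptions, not from the original slides.
public with sharing class ContactEmailService {
    public class AccessException extends Exception {}

    // Throws unless the running user has the requested object permission
    // and the matching field permission on every listed field.
    private static void requireAccess(Schema.SObjectType objType, List<String> fieldNames, String mode) {
        Schema.DescribeSObjectResult obj = objType.getDescribe();
        Boolean objOk = (mode == 'read') ? obj.isAccessible()
                      : ((mode == 'create') ? obj.isCreateable() : obj.isUpdateable());
        if (!objOk) {
            throw new AccessException('No ' + mode + ' permission on ' + obj.getName());
        }
        // Keys of the describe field map are lowercase API names
        Map<String, Schema.SObjectField> fields = obj.fields.getMap();
        for (String name : fieldNames) {
            Schema.SObjectField f = fields.get(name.toLowerCase());
            if (f == null) {
                throw new AccessException('Unknown field ' + name);
            }
            Schema.DescribeFieldResult d = f.getDescribe();
            Boolean fieldOk = (mode == 'read') ? d.isAccessible()
                            : ((mode == 'create') ? d.isCreateable() : d.isUpdateable());
            if (!fieldOk) {
                throw new AccessException('No ' + mode + ' permission on ' + obj.getName() + '.' + name);
            }
        }
    }

    // READ: CRUD on Contact plus FLS on every selected field, checked before the query runs
    public static List<Contact> contactsForAccount(Id accountId) {
        requireAccess(Contact.SObjectType, new List<String>{ 'LastName', 'Email' }, 'read');
        return [SELECT LastName, Email FROM Contact WHERE AccountId = :accountId];
    }

    // UPDATE: EDIT on Contact plus Email being editable (not hidden or read-only), checked before DML
    public static void changeEmail(Id contactId, String newEmail) {
        requireAccess(Contact.SObjectType, new List<String>{ 'Email' }, 'update');
        update new Contact(Id = contactId, Email = newEmail);
    }
}
```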
NOT RESPECTING SHARING SETTINGS!
• Occurs when the application violates Sharing Settings
• Execution Context:
User Context: Enforces Sharing Settings
System Context: Ignores Sharing Settings
• Apex runs in system context, which means it ignores Sharing Settings
Users can see records which are not shared with them
SHARING SETTINGS SCENARIOS!
• Apex does not respect Sharing Settings
• Apex respects Sharing Settings
FIXING SHARING ISSUE!
• Use the “with sharing” keyword for every class
• You should have a strong reason if you are not using the “with sharing” keyword
SOQL INJECTION!
• SOQL injection is the vulnerability which allows attackers to modify queries at run time, thereby getting access to unauthorized data
• Occurs when user input starts behaving like code instead of text!
• This happens when user input is directly inserted into a dynamic query without validating or escaping
• Users can access fields or data that the developer did not intend to reveal!
PREVENTING SOQL INJECTION!
• Use static queries wherever possible
• Escaping Single Quotes:
- This adds an escape character (\) before every single quote
- This prevents input from being treated as code and treats it as a string
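An added example (not slide code) that covers both the sharing fix and the SOQL injection fix above: the class is declared “with sharing”, the common case is a static query with a bind variable, and the dynamic case allowlists the field name and escapes the value with String.escapeSingleQuotes(); class, method and field names are assumptions.

```apex
// Added example: "with sharing" plus injection-safe SOQL. Names are assumptions.
public with sharing class ContactSearch {
    public class SearchException extends Exception {}

    // Preferred: static query. The bind variable is passed as data, so a value that
    // contains a single quote is matched literally and never becomes query text.
    public static List<Contact> byLastName(String lastName) {
        return [SELECT Id, LastName, Email FROM Contact WHERE LastName = :lastName];
    }

    // The vulnerable shape the slides warn about, kept as a comment and not executed:
    //   String q = 'SELECT Id FROM Contact WHERE LastName = \'' + userInput + '\'';
    //   return Database.query(q);
    // A single quote in userInput ends the literal and the rest is parsed as SOQL.

    // Dynamic query only when the field itself is chosen at run time.
    private static final Set<String> SEARCHABLE_FIELDS =
        new Set<String>{ 'LastName', 'Email', 'Title' };

    public static List<Contact> byField(String fieldName, String value) {
        // A field name is not a string literal and cannot be escaped, so it is allowlisted
        if (!SEARCHABLE_FIELDS.contains(fieldName)) {
            throw new SearchException('Field not searchable: ' + fieldName);
        }
        // The value is a string literal in the query: every single quote in it gets a
        // backslash prefix, so the input stays text and cannot terminate the literal.
        String safeValue = String.escapeSingleQuotes(value);
        String soql = 'SELECT Id, LastName, Email FROM Contact WHERE ' + fieldName
                    + ' = \'' + safeValue + '\' LIMIT 200';
        return Database.query(soql);
    }
}
```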
XSS (CROSS SITE SCRIPTING)!
• XSS is the vulnerability which allows attackers to insert unauthorized JavaScript, VBScript, HTML or other active content into a web page
• When the web page loads, the malicious code executes, which may lead to a wide range of security issues
• Occurs due to poor separation between code and data contexts
• Occurs when user input is treated as code!
- Data starts acting as code!
TYPES OF XSS!
• Reflected XSS
- Malicious script is injected as a URL parameter
- Malicious script is injected into a text field
• Stored XSS
- Malicious script is stored in the database
- Malicious script executes when the data is retrieved and displayed on a web page
SOME IMPACTS OF XSS!
• Malicious script can be used to steal sensitive data
• Malicious script can be used to deface a web page and impact a company’s reputation
• Attackers can steal a user’s session and make unauthorized requests
• Attackers can show a pop-up which looks legitimate, but could download a virus
• Malicious script can be used to log key strokes and steal user credentials
• Many more...
PREVENTING XSS!
• Avoid use of “escape=false” with VF tags
• Use “JSENCODE()” in a JavaScript context
• Use “HTMLENCODE()” in an HTML context
• Use “JSINHTMLENCODE()” when both JavaScript and HTML are involved
CSRF (CROSS SITE REQUEST FORGERY)
• CSRF is the vulnerability where a malicious application causes a user to perform an unwanted action on a trusted site
• The user is tricked into clicking a URL
- which looks legitimate
- but performs an unwanted action
• Can lead to unwanted data updates or deletes
PREVENTING CSRF
• Avoid any state-changing operations in the “apex:page” tag
• Avoid DML actions which create, update or delete data in the “apex:page” tag
OPEN REDIRECTS
• Open Redirect is a vulnerability where a user is redirected to an unauthorized site
• Also known as “Arbitrary Redirect”
• Occurs when values that are controlled by the user determine where the app redirects
PREVENTING OPEN REDIRECTS
• Allow only local redirects, i.e. allow only partial URLs
• Whitelist all allowed external domains & validate before redirection
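An added example (not from the slides) of the two open redirect rules above in an Apex controller: a user-supplied return URL is accepted only if it is a local partial URL or an absolute HTTPS URL whose host is on a whitelist; the controller name, parameter name, whitelist entries and fallback page are assumptions.

```apex
// Added example: redirect target validation. Names and values are assumptions.
public with sharing class SafeRedirectController {
    // Constructed whitelist of external hosts allowed as redirect targets (placeholder value)
    private static final Set<String> ALLOWED_HOSTS = new Set<String>{ 'partner.example.com' };
    // Constructed fallback used whenever the requested target is rejected
    private static final String FALLBACK = '/home/home.jsp';

    // Page action: read the user-controlled parameter and redirect only to a validated target
    public PageReference redirectToReturnUrl() {
        String target = ApexPages.currentPage().getParameters().get('retURL');
        return new PageReference(sanitizeRedirect(target));
    }

    @TestVisible
    private static String sanitizeRedirect(String target) {
        if (String.isBlank(target)) {
            return FALLBACK;
        }
        String t = target.trim();
        // Local redirect: a single leading slash. "//host" and "/\host" are rejected because
        // browsers treat them as protocol-relative links to another site.
        if (t.startsWith('/') && !t.startsWith('//') && !t.startsWith('/\\')) {
            return t;
        }
        // External redirect: only https to a whitelisted host. Anything that does not parse
        // (including "javascript:" or scheme-less values) falls through to the fallback.
        try {
            Url u = new Url(t);
            if (u.getProtocol() == 'https' && u.getHost() != null
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase())) {
                return t;
            }
        } catch (Exception e) {
            // malformed URL: treated as rejected
        }
        return FALLBACK;
    }
}
```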
REMOTE RESOURCE INTERACTION
• Avoid using CDNs
- The risk is not that big, but we want to achieve 100% security
- Malicious code served from the CDN could steal data, redirect to malicious sites, etc.
• Use static resources for storing all third-party libraries and scripts
• Not respecting CRUD
• Not respecting FLS
• Not respecting Sharing Settings
• SOQL Injection
• XSS (Cross-Site Scripting)
• CSRF (Cross-Site Request Forgery)
• Open Redirects
• Insecure Remote Resource Interactions