March 10, 2016
Secure Salesforce Development on the Salesforce Platform

Speakers
Max Feldman, Product Security Engineer
Lehan Huang, Web Application Security Engineer
Vinayendra Nataraja, Product Security Engineer (@vinayendra)
Forward-Looking Statement
Statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve
risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of
salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other
than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth,
earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of
belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for
our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate
of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with
completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability
to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our
limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential
factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year
and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are
available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and
may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are
currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Go Social!
Salesforce Developers
@salesforcedevs / #forcewebinar
This webinar is being recorded! The video will be posted to YouTube & the webinar recap page (same URL as registration).

Have Questions?
▪ Don’t wait until the end to ask your question!
– Technical support will answer questions starting now.
▪ Respect Q&A etiquette
– Please don’t repeat questions. The support team is working their way down the queue.
▪ Stick around for live Q&A at the end
– Speakers will tackle more questions at the end, time allowing.
▪ Head to Developer Forums
– More questions? Visit developer.salesforce.com/forums
Agenda
1. Roadmap for the year:
– Four webinars, one per quarter
2. Plan for today:
– SDL, CRUD/FLS, Sharing, SOQL, Q&A
3. Introductions:
– Max
– Lehan
– Vinayendra
Security and the Force.com Platform
▪ Force.com was designed to be flexible and support developer and business needs
▪ Force.com provides many built-in protections to protect developers and their user base
▪ Salesforce protects end users by ensuring that all applications listed in the AppExchange undergo a security review
Background
▪ Principle of Least Privilege
– Users should only have access to the minimum amount of information required to accomplish their duties
– Their ability to take advantage of excess privilege, purposefully or accidentally, should be minimized
▪ Context
– User context: enforces user permissions, field-level security, and sharing rules of the current user
– System context: ignores user permissions, field-level security, and sharing rules of the current user
Secure Development Lifecycle
▪ Design
– Plan your application with security in mind
– https://developer.salesforce.com/page/Security_Design_Resources
▪ Development
– Follow best practices for secure development, implement securely
– https://developer.salesforce.com/page/Secure_Coding_Guideline
▪ Testing
– Test for security (as one would test functionality)
▪ Release
– Be prepared for the discovery of any security flaws
– Staying secure is an ongoing process
FourZip App
▪ Display zip codes in 12345-1234 format
– Read from the Account object for the shipping address
– Take the 5-digit zip and make an external call to retrieve the 4-digit extension
– Display associated Opportunities
Account Profiles
▪ System Administrator
– Default administrator profile
– Has access to everything
▪ ZipFour User
– Cloned profile from Standard User
– Can access the ZipFour app
– Cannot see the Account’s Annual Revenue field
– Cannot see Opportunity
FourZip
▪ What will we develop today?
– One VF page
– One Apex controller
– Mock API call for the external call
• This will be covered in part 3 of the webinar series – External application/system integration best practices
– Wrapper classes to hold the zip+4 information, plus opportunities
– Let’s take a look at the code!
CRUD
What is CRUD?
Create, Read, Update, Delete
▪ Define the user’s access for each object
▪ Controlled on the profile and permission set
CRUD
▪ Apex classes do not enforce CRUD
– Runs in system context
▪ Visualforce pages enforce CRUD
– Runs in user context
CRUD Demo
Enforcing CRUD in Apex
<sObject>.sObjectType.getDescribe()
• isCreateable()
• isAccessible()
• isUpdateable()
• isDeletable()

    public class MyController {
        public String getMyAccount() {
            // Object-level (CRUD) read check: stop before any Account data is read
            if (!Account.sObjectType.getDescribe().isAccessible()) {
                return '';
            }
            // ... remainder of the getter (elided on the slide) ...
            return null;
        }
    }
Enforcing CRUD in Visualforce
Visualforce code patterns that respect read in CRUD:
1. <apex:outputField value="{!sObject.Field__c}"/>
2. <apex:outputText value="{!sObject.Field__c}"/>
3. {!sObject.Field__c}
Visualforce code patterns that do not respect read:
1. <apex:outputText value="{!wObject.String}"/>
2. <apex:outputText value="{!someVariable}"/>
CRUD Fix
Let’s fix the vulnerability and demo the fix
Best Practices for CRUD
▪ Always check CRUD permissions before performing the operation in Apex classes
▪ Not checking can give elevated access to users who should not have it
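The following is an added example (not the webinar’s FourZip code) of the CRUD best practice above: every DML operation in the class is preceded by the matching object-level describe check, so a user whose profile lacks the permission gets an exception instead of a silent privilege escalation. Only standard Account fields are used; the class and exception names are assumed.

```apex
// Added example, not the webinar's code. Each operation checks the object-level
// permission that corresponds to it before touching Account records.
public with sharing class AccountZipService {

    // Thrown when the running user lacks the object permission for the operation
    public class AccessException extends Exception {}

    // READ: refuse to query at all when the user has no read access to Account
    public static List<Account> readAccounts() {
        if (!Schema.sObjectType.Account.isAccessible()) {
            throw new AccessException('No read access to Account');
        }
        return [SELECT Id, Name, ShippingPostalCode FROM Account LIMIT 10];
    }

    // CREATE: isCreateable() before the insert
    public static Account createAccount(String name) {
        if (!Schema.sObjectType.Account.isCreateable()) {
            throw new AccessException('No create access to Account');
        }
        Account acc = new Account(Name = name);
        insert acc;
        return acc;
    }

    // UPDATE: isUpdateable() before the DML, not after it has already run
    public static void saveZip(Id accountId, String zipPlusFour) {
        if (!Schema.sObjectType.Account.isUpdateable()) {
            throw new AccessException('No update access to Account');
        }
        Account acc = new Account(Id = accountId, ShippingPostalCode = zipPlusFour);
        update acc;
    }

    // DELETE: isDeletable() before the delete
    public static void removeAccount(Id accountId) {
        if (!Schema.sObjectType.Account.isDeletable()) {
            throw new AccessException('No delete access to Account');
        }
        Account acc = new Account(Id = accountId);
        delete acc;
    }
}
```

These checks cover only object-level access; field-level security and record sharing are separate layers and need their own checks (the `with sharing` keyword on the class handles records, not CRUD). On releases newer than this 2016 webinar the platform also offers the `WITH SECURITY_ENFORCED` SOQL clause and `Security.stripInaccessible()`, which perform the read-side CRUD/FLS checks for you.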
FLS
What is FLS?
Field-Level Security
▪ Define the user’s access to fields on a given object
▪ Controlled on the profile and permission sets
FLS for Developers
▪ Apex classes do not enforce FLS
– Runs in system context
▪ Visualforce pages enforce FLS
– Runs in user context
– Does not enforce FLS for dereferenced fields
• {!Contact.Email} (sObject field reference) = yes
• {!contactEmail} (the field value copied into a String variable) = no
FLS Demo
Enforcing FLS in Apex
Schema.sObjectType.<sObject>.fields.<field>
• isAccessible()
• isUpdateable()

    public class MyController {
        public String getMyAccount() {
            // Field-level read check on Account.Name before the field value is used
            if (!Schema.sObjectType.Account.fields.Name.isAccessible()) {
                return '';
            }
            // ... remainder of the getter (elided on the slide) ...
            return null;
        }
    }
When does the Platform stop respecting FLS?
When an sObject field is assigned to a primitive.
Apex:

    Random_Sensitive_Object_1__c r = [SELECT Sensitive_Number__c FROM Random_Sensitive_Object_1__c LIMIT 1]; // Salesforce sObject
    wRandom_Sensitive_Object_1 wR = new wRandom_Sensitive_Object_1(); // Custom wrapper object
    wR.Sensitive_Number = r.Sensitive_Number__c; // the value is now a plain primitive with no field metadata attached

Visualforce:

    <apex:outputText value="{!r.Sensitive_Number__c}" /> <!-- FLS RESPECTED -->
    <apex:outputText value="{!wR.Sensitive_Number}" /> <!-- FLS IGNORED -->
FLS Fix
Let’s fix the vulnerability and demo the fix
Best Practices for FLS
▪ Use sObject references whenever possible
▪ Iterate through your list of fields and check FLS for each field
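As an added example of the second best practice (not the webinar’s code), the class below walks a list of wanted Account fields, keeps only those the running user may read, and queries just that subset, so a restricted field such as AnnualRevenue (hidden from the ZipFour User profile in the demo) never reaches the page. Only standard Account fields are used; the class name and field list are assumed.

```apex
// Added example, not the webinar's code. Builds a SELECT list from the fields
// that pass a per-field FLS check instead of selecting everything and hiding it later.
public with sharing class FlsAwareAccountQuery {

    // Fields the page would like to show; the user may be allowed fewer
    private static final List<String> WANTED_FIELDS = new List<String>{
        'Name', 'ShippingPostalCode', 'AnnualRevenue'
    };

    // Returns the subset of WANTED_FIELDS the running user can read
    public static List<String> readableFields() {
        // describe map keyed by lower-case API name -> field token
        Map<String, Schema.SObjectField> fieldMap = Schema.sObjectType.Account.fields.getMap();
        List<String> allowed = new List<String>();
        for (String fieldName : WANTED_FIELDS) {
            Schema.SObjectField token = fieldMap.get(fieldName.toLowerCase());
            // Unknown field or no read permission: leave it out rather than fail the whole page
            if (token != null && token.getDescribe().isAccessible()) {
                allowed.add(fieldName);
            }
        }
        return allowed;
    }

    // Same idea for writes: check isUpdateable() per field before an update
    public static Boolean canUpdateAll(List<String> fieldNames) {
        Map<String, Schema.SObjectField> fieldMap = Schema.sObjectType.Account.fields.getMap();
        for (String fieldName : fieldNames) {
            Schema.SObjectField token = fieldMap.get(fieldName.toLowerCase());
            if (token == null || !token.getDescribe().isUpdateable()) {
                return false;
            }
        }
        return true;
    }

    // Query only the permitted columns (object-level CRUD is still a separate check)
    public static List<Account> queryAccounts() {
        List<String> fields = readableFields();
        if (fields.isEmpty() || !Schema.sObjectType.Account.isAccessible()) {
            return new List<Account>();
        }
        // The field names come from the describe result, not from user input,
        // so concatenating them into dynamic SOQL does not open an injection path
        String soql = 'SELECT ' + String.join(fields, ', ') + ' FROM Account LIMIT 10';
        return Database.query(soql);
    }
}
```

Because the records returned still contain only fields the user may read, the Visualforce page can bind to them as sObject references (the first best practice) and the platform’s own FLS enforcement applies on top.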
Sharing
What is Sharing?
Record-level access
▪ Dictates which records of an object a user can see
▪ Controlled outside the profile via org-wide defaults, roles, ownership, and sharing rules
How is Sharing Enforced?
▪ Apex classes do not enforce sharing by default
– Runs in system context
– Exceptions: anonymous code blocks, developer console, and standard controllers execute in user context
▪ Visualforce pages depend on controllers for record access
Sharing/CRUD/FLS
(Diagram: the three access-control layers, FLS, Sharing and CRUD.)
Sharing Demo
Enforcing Sharing in Apex

    public with sharing class MyController {
        // Code here enforces the current user’s sharing rules
        public without sharing class MyInnerClass {
            // Code here doesn’t enforce the current user’s sharing rules
        }
    }

▪ Default behavior is without sharing
– Use the with sharing keyword to enforce sharing
▪ If a class isn’t declared as either with or without sharing, the current sharing rules remain in effect
▪ The sharing setting of the class where the method is defined is applied, not that of the class where the method is called
Sharing Fix
Let’s fix the vulnerability and demo the fix
Best Practices for Sharing
▪ Explicitly declare with sharing or without sharing for all classes in your code
▪ If you must use without sharing, document the reasoning in a comment block
▪ Sharing keywords don’t enforce CRUD and FLS
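The class below is an added example (not the webinar’s code) that applies all three sharing best practices at once: both classes declare their sharing mode explicitly, the one `without sharing` block carries a comment explaining why, the CRUD check sits next to the sharing declaration because the keyword does not cover it, and the helper illustrates that the sharing mode of the class where a method is defined is what applies. Class names are assumed; Opportunity and its AccountId field are standard.

```apex
// Added example, not the webinar's code.
public with sharing class OpportunitySummaryController {

    // Record access for this query follows the running user's sharing rules,
    // because the method is defined in a "with sharing" class.
    public static List<Opportunity> visibleOpportunities(Id accountId) {
        // Sharing keywords do not check CRUD: object-level read is verified separately
        if (!Schema.sObjectType.Opportunity.isAccessible()) {
            return new List<Opportunity>();
        }
        return [SELECT Id, Name FROM Opportunity WHERE AccountId = :accountId];
    }

    // Calling into the inner class from here does NOT carry "with sharing" along:
    // the sharing mode of the class where countAll() is defined is the one applied.
    public static Integer totalOpportunityCount(Id accountId) {
        return new CountingHelper().countAll(accountId);
    }

    /*
     * WITHOUT SHARING - reasoning, as the best-practice slide asks for:
     * the page shows the total number of Opportunities on the Account,
     * including records the user cannot open. Only an aggregate count leaves
     * this class; no record Ids or field values are returned to the caller.
     */
    public without sharing class CountingHelper {
        // Inner classes cannot declare static members, so this is an instance method
        public Integer countAll(Id accountId) {
            return [SELECT COUNT() FROM Opportunity WHERE AccountId = :accountId];
        }
    }
}
```

For the ZipFour User profile from the demo, which has no access to Opportunity, `visibleOpportunities()` returns an empty list from the CRUD check, while `totalOpportunityCount()` still returns a number; that asymmetry is exactly what the documented `without sharing` block has to justify. Releases after this webinar added an `inherited sharing` keyword that takes the sharing mode of the caller, which is another way to avoid leaving a class undeclared.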
SOQL
SOQL vs SQL
Salesforce Object Query Language vs Structured Query Language
▪ SOQL is the query language used in the Salesforce platform
▪ SOQL only allows the SELECT command portion of SQL
▪ SOQL does not allow command execution, or the wild card (*) for fields
SQL Injection
▪ SQL Injection is an attack where user input is allowed to modify the structure of an SQL query and perform unexpected actions
▪ Sample SQL query subject to SQL injection:
▪ If un_input = admin’-- and the user input is not modified before passing it to the query, we get:
SOQL Injection
▪ SOQL Injection only occurs when dynamic SOQL queries are used without proper manipulation of user input
▪ Sample code block:
▪ User input:
▪ Final query:
SOQL Injection Demo
SOQL Injection Mitigations
▪ Static query + bind variable:
▪ Wrap user input in String.escapeSingleQuotes()
– This will not prevent all the attacks.
– Sample query:
– User input that could bypass this defense mechanism
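The class below is an added example (not the webinar’s code) that puts the injectable dynamic-SOQL pattern from the SOQL Injection slides next to the two mitigations listed above, and shows the boundary of the second one: `String.escapeSingleQuotes()` only protects input that lands inside a single-quoted string literal, so input used as a number or as a field name has to be converted or whitelisted instead. Only standard Account fields are used; the class and method names are assumed.

```apex
// Added example, not the webinar's code.
public with sharing class AccountSearch {

    public class InputException extends Exception {}

    // VULNERABLE: the user's text becomes part of the query text, so it can change
    // the structure of the WHERE clause instead of only the value being compared
    public static String buildUnsafeQuery(String userInput) {
        return 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + userInput + '%\'';
    }

    // FIX 1 (preferred): static SOQL with a bind variable. The platform passes the
    // value separately from the query text, so it is never parsed as SOQL syntax
    public static List<Account> searchByName(String userInput) {
        String pattern = '%' + userInput + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    // FIX 2: if the query must be dynamic, escape the input. This is safe only
    // because the value is placed INSIDE a single-quoted literal
    public static String buildEscapedQuery(String userInput) {
        String safe = String.escapeSingleQuotes(userInput);
        return 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + safe + '%\'';
    }

    // LIMIT OF FIX 2: input outside quotes (a number, a field name, a sort direction)
    // gains nothing from quote escaping. Convert it to the expected type or whitelist it.
    private static final Set<String> SORTABLE_FIELDS = new Set<String>{ 'Name', 'CreatedDate' };

    public static String buildRevenueQuery(String minRevenueInput, String sortField) {
        Decimal minRevenue;
        try {
            minRevenue = Decimal.valueOf(minRevenueInput); // throws on non-numeric text
        } catch (TypeException e) {
            throw new InputException('minimum revenue must be a number');
        }
        if (!SORTABLE_FIELDS.contains(sortField)) {
            throw new InputException('unsupported sort field');
        }
        // Only a validated Decimal and a whitelisted field name reach the query text
        return 'SELECT Id, Name FROM Account WHERE AnnualRevenue >= ' + minRevenue
             + ' ORDER BY ' + sortField;
    }
}
```

Bind variables also work inside `Database.query()` strings (`'... WHERE Name LIKE :pattern'` resolves `pattern` from the local scope), so dynamic SOQL rarely needs string concatenation of user data at all. Note that `%` and `_` in the input are LIKE wildcards: they cannot alter the query structure, but they can widen a search, so strip or escape them if exact matching matters.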
SOQL Injection Fix
Let’s fix the vulnerability and demo the fix
Summary
Developer practices for respecting the authorization model
▪ CRUD
– Object-level permission. Should the user have access to this object?
▪ FLS
– Field-level permission. Should the user have access to this field?
▪ Sharing
– Record-level permission. Should the user have access to this record?
▪ SOQL
– Salesforce Object Query Language. Is there injection?
Additional Resources
Security Implementation Guide
https://developer.salesforce.com/././securityImplGuide/ (full link hidden)
CRUD & FLS Enforcement Guide
https://developer.salesforce.com/page/Enforcing_CRUD_and_FLS
Using with sharing or without sharing Keywords
https://developer.salesforce.com/./././apex_classes_keywords_sharing (full link hidden)
SOQL Injection
http://sfdc.co/SOQLInjection
Secure Coding Guidelines
https://developer.salesforce.com/page/Secure_Coding_Guideline
Salesforce Developer Security Forum
https://developer.salesforce.com/forums
Salesforce World Tour @ CeBIT
Hannover, 14-18 March 2016
Q & A
Share Your Feedback: http://bit.ly/securedevelopment
Join the conversation:
@salesforcedevs
@SecureCloudDev
Survey
Your feedback is crucial to the success
of our webinar programs. Thank you!
http://bit.ly/securedevelopment
Thank You
CodeLive: Converting Aura Components to Lightning Web Components
 
TrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer HighlightsTrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer Highlights
 
Live coding with LWC
Live coding with LWCLive coding with LWC
Live coding with LWC
 
Migrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPMigrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCP
 
Scale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceScale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in Salesforce
 
Replicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureReplicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data Capture
 
Modern Development with Salesforce DX
Modern Development with Salesforce DXModern Development with Salesforce DX
Modern Development with Salesforce DX
 
Get Into Lightning Flow Development
Get Into Lightning Flow DevelopmentGet Into Lightning Flow Development
Get Into Lightning Flow Development
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectIntegrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS Connect
 
Introduction to MuleSoft
Introduction to MuleSoftIntroduction to MuleSoft
Introduction to MuleSoft
 
Modern App Dev: Modular Development Strategies
Modern App Dev: Modular Development StrategiesModern App Dev: Modular Development Strategies
Modern App Dev: Modular Development Strategies
 
Dreamforce Developer Recap
Dreamforce Developer RecapDreamforce Developer Recap
Dreamforce Developer Recap
 
Vs Code for Salesforce Developers
Vs Code for Salesforce DevelopersVs Code for Salesforce Developers
Vs Code for Salesforce Developers
 
Vs Code for Salesforce Developers
Vs Code for Salesforce DevelopersVs Code for Salesforce Developers
Vs Code for Salesforce Developers
 
Manage Massive Datasets with Big Objects & Async SOQL
Manage Massive Datasets with  Big Objects & Async SOQLManage Massive Datasets with  Big Objects & Async SOQL
Manage Massive Datasets with Big Objects & Async SOQL
 

Recently uploaded

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 

Recently uploaded (20)

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 

Secure Development on the Salesforce Platform - Part I

  • 1. March 10, 2016 Secure Salesforce Development on the Salesforce Platform
  • 2. Speakers Max Feldman Product Security Engineer Lehan Huang Web Application Security Engineer Vinayendra Nataraja Product Security Engineer @vinayendra
  • 3. Forward-Looking Statement Statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. 
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
  • 4. Go Social! @salesforcedevs / #forcewebinar This webinar is being recorded! The video will be posted to YouTube & the webinar recap page (same URL as registration).
  • 5. Have Questions? ▪ Don’t wait until the end to ask your question! – Technical support will answer questions starting now. ▪ Respect Q&A etiquette – Please don’t repeat questions. The support team is working their way down the queue. ▪ Stick around for live Q&A at the end – Speakers will tackle more questions at the end, time allowing. ▪ Head to Developer Forums – More questions? Visit developer.salesforce.com/forums
  • 6. Agenda 1. Roadmap for the year: – Four webinars, one per quarter 2. Plan for today: – SDL, CRUD/FLS, Sharing, SOQL, Q&A 3. Introductions: – Max – Lehan – Vinayendra
  • 7. Security and the Force.com Platform ▪ Force.com was designed to be flexible and support developer and business needs ▪ Force.com provides many built-in protections for developers and their user base ▪ Salesforce protects end users by ensuring that all applications listed on the AppExchange undergo a security review
  • 8. Background ▪ Principle of Least Privilege – Users should only have access to the minimum amount of information required to accomplish their duties – Their ability to take advantage of excess privilege, purposefully or accidentally, should be minimized ▪ Context – User context: Enforces user permissions, field-level security, and sharing rules of the current user – System context: Ignores user permissions, field-level security, and sharing rules of the current user
  • 9. Secure Development Lifecycle ▪ Design – Plan your application with security in mind – https://developer.salesforce.com/page/Security_Design_Resources ▪ Development – Follow best practices for secure development, implement securely – https://developer.salesforce.com/page/Secure_Coding_Guideline ▪ Testing – Test for security (as one would test functionality) ▪ Release – Be prepared for the discovery of any security flaws – Staying secure is an ongoing process
  • 10. FourZip App ▪ Display zip codes in 12345-1234 format – Read from the Account object for the shipping address – Take the 5-digit zip and make an external call to retrieve the 4-digit extension – Display associated Opportunities
  • 11. Account Profiles ▪ System Administrator – Default administrator profile – Has access to everything ▪ ZipFour User – Cloned profile from standard user – Can access the ZipFour app – Cannot see the Account’s Annual Revenue field – Cannot see Opportunity
  • 12. FourZip ▪ What will we develop today? – One VF page – One Apex controller – Mock API call for the external call • This will be covered in part 3 of the webinar series – External application/system integration best practices – Wrapper classes to hold the zip+4 information, plus opportunities – Let’s take a look at the code!
  • 15. CRUD
  • 16. What is CRUD? Create, Read, Update, Delete ▪ Defines a user’s access for each object ▪ Controlled on the profile and permission set
  • 17. CRUD ▪ Apex classes do not enforce CRUD – Run in system context ▪ Visualforce pages enforce CRUD – Run in user context
  • 19. Enforcing CRUD in Apex <sObject>.sObjectType.getDescribe() • isCreateable() • isAccessible() • isUpdateable() • isDeletable()
      public class MyController {
          public String getMyAccount() {
              // Object-level (CRUD) check: stop before reading Account if the running user has no read access
              if (!Account.sObjectType.getDescribe().isAccessible()) {
                  return '';
              }
              // ... remainder of the getter (elided on the slide)
          }
      }
  • 20. Enforcing CRUD in Visualforce Visualforce code patterns that respect read in CRUD: 1. <apex:outputField value="{!sObject.Field__c}"/> 2. <apex:outputText value="{!sObject.Field__c}"/> 3. {!sObject.Field__c} Visualforce code patterns that do not respect read: 1. <apex:outputText value="{!wObject.String}"/> 2. <apex:outputText value="{!someVariable}"/>
  • 21. CRUD Fix Let’s fix the vulnerability and demo the fix
  • 22. Best Practices for CRUD ▪ Always check CRUD permissions before performing the operation in Apex classes ▪ Not checking can give elevated access to users who should not have it
  • 23. FLS
  • 24. What is FLS? Field-Level Security ▪ Defines a user’s access to fields on a given object ▪ Controlled on the profile and permission sets
  • 25. FLS for Developers ▪ Apex classes do not enforce FLS – Run in system context ▪ Visualforce pages enforce FLS – Run in user context – Do not enforce FLS for dereferenced fields • {!Contact.Email} = yes • {!contact Email} = no
  • 27. Enforcing FLS in Apex Schema.sObjectType.<sObject>.fields.<field> • isAccessible() • isUpdateable()
      public class MyController {
          public String getMyAccount() {
              // Field-level (FLS) check: stop if the running user cannot read Account.Name
              if (!Schema.sObjectType.Account.fields.Name.isAccessible()) {
                  return '';
              }
              // ... remainder of the getter (elided on the slide)
          }
      }
  • 28. When does the Platform stop respecting FLS? When an sObject field is assigned to a primitive. Apex:
      Random_Sensitive_Object_1__c r;          // Salesforce sObject
      wRandom_Sensitive_Object_1 wR;           // Custom wrapper object
      wR.Sensitive_Number = r.Sensitive_Number__c;  // field value copied into a primitive
    Visualforce:
      <apex:outputText value="{!r.Sensitive_Number__c}" />  <!-- FLS RESPECTED -->
      <apex:outputText value="{!wR.Sensitive_Number}" />    <!-- FLS IGNORED -->
  • 29. FLS Fix Let’s fix the vulnerability and demo the fix
  • 30. Best Practices for FLS ▪ Use sObject references whenever possible ▪ Iterate through your list of fields and check FLS for each field
  • 32. What is Sharing? Record-level access ▪ Dictates which records of an object a user can see ▪ Controlled outside the profile via org-wide defaults, roles, ownership, and sharing rules
  • 33. How is Sharing Enforced? ▪ Apex classes do not enforce sharing by default – Run in system context – Exceptions: anonymous code blocks, the developer console, and standard controllers execute in user context ▪ Visualforce pages depend on controllers for record access
  • 36. Enforcing Sharing in Apex
      public with sharing class MyController {
          // Code here enforces the current user’s sharing rules
          public without sharing class MyInnerClass {
              // Code here doesn’t enforce the current user’s sharing rules
          }
      }
    ▪ Default behavior is without sharing – Use the with sharing keyword to enforce sharing ▪ If a class isn’t declared as either with or without sharing, the current sharing rules remain in effect ▪ The sharing setting of the class where the method is defined is applied, not that of the class where the method is called
  • 37. Sharing Fix Let’s fix the vulnerability and demo the fix
  • 38. Best Practices for Sharing ▪ Explicitly declare with sharing or without sharing for all classes in your code ▪ If you must use without sharing, document the reasoning in a comment block ▪ Sharing keywords don’t enforce CRUD and FLS
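As an added example (not code from the webinar or the FourZip app), the CRUD, FLS and sharing checks from the three preceding sections combined in one controller for the scenario the slides describe; the class name, the AccountSummary wrapper and the REQUIRED_FIELDS list are illustrative assumptions, while the Account field API names are standard.

```apex
// Added example, not from the webinar slides. Names (FourZipSecureController,
// AccountSummary, REQUIRED_FIELDS) are illustrative; Account fields are standard.
//
// "with sharing": the running user's record-level access applies to the SOQL
// below. The keyword does nothing for CRUD or FLS, hence the explicit checks.
public with sharing class FourZipSecureController {

    // Wrapper handed to Visualforce. VF does not enforce FLS on wrapper
    // primitives, so only values that passed the FLS check are copied in.
    public class AccountSummary {
        public String name { get; set; }
        public String shippingPostalCode { get; set; }
        public Decimal annualRevenue { get; set; }   // null when FLS denies it
    }

    // Fields the page needs; each one is checked individually (slide 30).
    private static final List<String> REQUIRED_FIELDS =
        new List<String>{ 'Name', 'ShippingPostalCode', 'AnnualRevenue' };

    // FLS: returns the subset of REQUIRED_FIELDS the running user may read.
    // A field missing from the describe map is treated as not readable.
    public static Set<String> readableFields() {
        Set<String> readable = new Set<String>();
        Map<String, Schema.SObjectField> fieldMap =
            Schema.SObjectType.Account.fields.getMap();
        for (String fieldName : REQUIRED_FIELDS) {
            Schema.SObjectField f = fieldMap.get(fieldName.toLowerCase());
            if (f != null && f.getDescribe().isAccessible()) {
                readable.add(fieldName);
            }
        }
        return readable;
    }

    // Object-level (CRUD) check first, then FLS, then a sharing-aware query.
    // Returns null when the user may not read Account, lacks the fields the
    // page cannot work without, or cannot see this particular record.
    public static AccountSummary getSummary(Id accountId) {
        if (!Schema.SObjectType.Account.isAccessible()) {
            return null;                        // CRUD: no read on Account
        }
        Set<String> readable = readableFields();
        if (!readable.contains('Name') || !readable.contains('ShippingPostalCode')) {
            return null;                        // FLS: fail closed
        }
        // Static SOQL with a bind variable (no injection surface). Because the
        // class is "with sharing", a record outside the user's sharing scope is
        // simply not returned, which shows up here as an empty list.
        List<Account> rows = [SELECT Name, ShippingPostalCode, AnnualRevenue
                              FROM Account WHERE Id = :accountId LIMIT 1];
        if (rows.isEmpty()) {
            return null;                        // Sharing: record not visible
        }
        Account acct = rows[0];
        AccountSummary s = new AccountSummary();
        s.name = acct.Name;
        s.shippingPostalCode = acct.ShippingPostalCode;
        // Apex runs in system context, so the query returned AnnualRevenue even
        // for the ZipFour User profile; the FLS result decides whether it is
        // copied into the wrapper that Visualforce will render.
        s.annualRevenue = readable.contains('AnnualRevenue') ? acct.AnnualRevenue : null;
        return s;
    }
}
```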
  • 39. SOQL
  • 40. SOQL vs SQL Salesforce Object Query Language vs Structured Query Language ▪ SOQL is the query language used in the Salesforce platform ▪ SOQL only allows the SELECT portion of SQL ▪ SOQL does not allow command execution or the wildcard (*) for fields
  • 41. SQL Injection ▪ SQL Injection is an attack where user input is allowed to modify the structure of an SQL query and perform unexpected actions ▪ Sample SQL query subject to SQL injection: ▪ If user_input = admin’-- and the user input is not modified before passing it to the query, we get:
  • 42. SOQL Injection ▪ SOQL Injection only occurs when dynamic SOQL queries are used without proper handling of user input ▪ Sample code block: ▪ User input: ▪ Final query:
  • 44. SOQL Injection Mitigations ▪ Static query + bind variable: ▪ Wrap user input in String.escapeSingleQuotes() – This will not prevent all attacks. – Sample query: – User input that could bypass this defense mechanism:
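As an added example (not from the webinar), an Account name search written three ways: the vulnerable dynamic query the slides describe, the static query with a bind variable, and a dynamic query where the unquoted positions (sort column, row limit) are constrained separately because String.escapeSingleQuotes() only protects values that sit inside quotes. AccountSearch, its methods and the SORTABLE allowlist are illustrative names.

```apex
// Added example, not from the webinar slides. Class, method and allowlist
// names are illustrative.
public with sharing class AccountSearch {

    // VULNERABLE ("before"): user input is concatenated into dynamic SOQL, so
    // the input can change the structure of the query, not just its data.
    public static List<Account> searchUnsafe(String nameFragment) {
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%'
                 + nameFragment + '%\'';
        return Database.query(q);
    }

    // PREFERRED: static SOQL with a bind variable. The bound value is never
    // parsed as query text, so quotes and keywords in it are plain data.
    public static List<Account> searchSafe(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    // When dynamic SOQL is unavoidable (caller picks sort column and limit):
    //  - the string value still goes in through a bind variable;
    //  - String.escapeSingleQuotes() only helps for values inside quotes,
    //    which is why the slide says it does not stop every attack;
    //  - identifiers and numbers are unquoted in SOQL, so they must be
    //    constrained another way: an allowlist for the column, a cast and
    //    range check for the limit.
    private static final Set<String> SORTABLE =
        new Set<String>{ 'Name', 'CreatedDate' };

    public static List<Account> searchDynamic(String nameFragment,
                                              String sortField,
                                              String limitText) {
        if (!SORTABLE.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field');
        }
        Integer rowLimit = Integer.valueOf(limitText);   // TypeException if not numeric
        if (rowLimit < 1 || rowLimit > 200) {
            throw new IllegalArgumentException('Limit out of range');
        }
        String pattern = '%' + nameFragment + '%';       // bound below, not concatenated
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE :pattern'
                 + ' ORDER BY ' + sortField + ' LIMIT ' + rowLimit;
        return Database.query(q);
    }
}
```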
  • 45. SOQL Injection Fix Let’s fix the vulnerability and demo the fix
  • 46. Summary Developer practices for respecting the authorization model ▪ CRUD – Object-level permission. Should the user have access to this object? ▪ FLS – Field-level permission. Should the user have access to this field? ▪ Sharing – Record-level permission. Should the user have access to this record? ▪ SOQL – Salesforce Object Query Language. Is there injection?
  • 47. Additional Resources Security Implementation Guide https://developer.salesforce.com/././securityImplGuide/ (full link hidden) CRUD & FLS Enforcement Guide https://developer.salesforce.com/page/Enforcing_CRUD_and_FLS Using with sharing or without sharing Keywords https://developer.salesforce.com/./././apex_classes_keywords_sharing (full link hidden) SOQL Injection http://sfdc.co/SOQLInjection Secure Coding Guidelines https://developer.salesforce.com/page/Secure_Coding_Guideline Salesforce Developer Security Forum https://developer.salesforce.com/forums
  • 48. Salesforce World Tour @ CeBIT Hannover, 14 to 18 March 2016
  • 50. Q & A Share Your Feedback: http://bit.ly/securedevelopment Join the conversation: @salesforcedevs @SecureCloudDev
  • 51. Survey Your feedback is crucial to the success of our webinar programs. Thank you! http://bit.ly/securedevelopment