Secure Salesforce: External Integration Security with Chimera
Tim Bach, Product Security Engineer, Salesforce
Travis Safford, Product Security Engineer, Salesforce
Dreamforce 2015
Overview
- What is the AppExchange Security Review process?
- Why does external application security matter?
- Goals for Chimera
- What can Chimera do for you?
- Demo!
- Chimera technical overview
- What's coming next [week / month / quarter / year]?
- Q&A
Security Review Process Overview
The AppExchange: 1-slide primer
- The Salesforce App Marketplace
- Independent Software Vendors (ISVs) build and list apps for customers to install and expand the platform's capabilities
- Apps may be platform-only or interface with external web systems, mobile apps, and desktop software
- Currently, 2,800+ apps available for free or for purchase
- Apps may have scoped or total access to users and/or data within the Salesforce org they are installed in or authenticated against
- Apps listed on the AppExchange must undergo a rigorous Security Review by the Product Security team, and regular re-reviews
AppExchange Security Review
- Managed by the Salesforce Product Security team
- Comprehensive security audit and penetration test of the application
- The partner/ISV provides automated code and application security scans; this is repeated until the automated scanners find nothing, or only false positives
- Partners are provided with ZAP (previously Burp Suite), which they must install and configure before running a web application security test against their application
- Product Security reviews the scan results and the application code
- For external systems/software connecting to the platform: a full penetration test
AppExchange Security Review
External Threats
Why is Security Review Important?
ZAP
What is it? How do partners use it?
Introducing Chimera
Chimera
What and why?
Chimera (mythology): “…a monstrous fire-breathing hybrid creature composed of the parts…”
Chimera (genetics): “…a single organism composed of genetically distinct cells…”
Chimera (Salesforce): A web security scanner composed of parts of the best open-source scanning, analysis, and fingerprinting tools available today. Consolidated and analyzed by purpose-built code and powered on the Heroku platform for massive scalability.
Chimera
- A fully featured, cloud-based security scanner
- Fire-and-forget scanning: just give it a target
- Made up of multiple industry-standard security tools
- Free for all AppExchange ISVs for the life of their AppExchange offering
Chimera Goals
- Give partners and ISVs better tools that make it easier to become secure
- Reduce confusion and delay in the Security Review process
- Use our resources to make security easier for our AppExchange partners
- Drive down the number of tests it takes a partner to pass Security Review, so they get to market faster on the AppExchange
- Promote the security of the AppExchange ecosystem
Let’s start a scan…
What are we scanning with?
- A variety of open-source tools as well as some internally developed ones
  - ZAP: general web application security scanner
  - Nikto: web application vulnerability scanner
  - SSLyze: SSL vulnerability scanner
  - nmap: port scanner
- Plus: SSL fingerprinting, web application fingerprinting
Background Magic
- Chimera isn't just running scans and sending you raw results files
- After all scans complete on your target, Chimera correlates all results into a single report
- The report includes remediation steps for you to resolve issues between scans
- Chimera removes duplicate issues as much as possible to provide you with an accurate and actionable report
- Thanks to Heroku, Chimera scales based on activity
- Even around the Dreamforce AppExchange spike, you won't be waiting long
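The correlation step described above (and the tool mix listed on the previous slide), as an added illustration that is not Chimera's own code: findings from ZAP, Nikto, SSLyze and nmap are mapped onto shared issue categories, merged per host so the same weakness reported by two scanners or at two URLs becomes one finding, and tagged with a remediation step. The scanner output records, field names and category mappings below are constructed and simplified, not the tools' real output formats.

```python
"""Correlate multi-scanner output into one de-duplicated report with remediation.

Added example, not Chimera's code. Sample records are constructed and only
loosely modelled on what ZAP, Nikto, SSLyze and nmap report.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample output, one record per raw scanner finding (9 records).
ZAP_ALERTS = [
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "url": "https://app.example.test/login", "cweid": "1004"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "https://app.example.test/", "cweid": "1021"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "https://app.example.test/login", "cweid": "1021"},
]
NIKTO_ITEMS = [
    {"id": "999957", "msg": "The anti-clickjacking X-Frame-Options header is not present.", "uri": "/"},
    {"id": "999103", "msg": "Server leaks inodes via ETags", "uri": "/"},
]
SSLYZE_RESULTS = [
    {"host": "app.example.test", "port": 443, "check": "tlsv1_0", "accepted": True},
    {"host": "app.example.test", "port": 443, "check": "tlsv1_2", "accepted": True},
]
NMAP_PORTS = [
    {"host": "app.example.test", "port": 443, "state": "open", "service": "https"},
    {"host": "app.example.test", "port": 8080, "state": "open", "service": "http-proxy"},
]

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}

# Shared categories: (default severity, remediation step). Mapping each tool's
# native identifier onto one of these is what makes cross-tool de-duplication
# possible. The mappings are hypothetical.
CATEGORIES = {
    "missing-x-frame-options": ("Medium", "Send X-Frame-Options: DENY (or a CSP frame-ancestors directive) on every response."),
    "cookie-missing-httponly": ("Low", "Set the HttpOnly flag on session cookies."),
    "etag-inode-leak": ("Low", "Configure the web server to build ETags without inode numbers, or disable ETags."),
    "tls-legacy-protocol": ("Medium", "Disable TLS 1.0 and earlier; offer TLS 1.2 or newer only."),
    "unexpected-open-port": ("Info", "Confirm the service is required and firewall it if not."),
}
ZAP_CWE_TO_CATEGORY = {"1021": "missing-x-frame-options", "1004": "cookie-missing-httponly"}
NIKTO_ID_TO_CATEGORY = {"999957": "missing-x-frame-options", "999103": "etag-inode-leak"}
LEGACY_TLS_CHECKS = {"sslv2", "sslv3", "tlsv1_0"}
EXPECTED_PORTS = {443}  # ports the partner declared for this target


@dataclass
class Finding:
    category: str
    host: str
    severity: str
    remediation: str
    locations: set[str] = field(default_factory=set)  # URLs / ports affected
    sources: set[str] = field(default_factory=set)    # scanners that reported it


def _merge(report: dict, category: str, host: str, location: str, source: str, severity: str | None = None) -> None:
    """Fold one raw finding into the (category, host) bucket it belongs to."""
    default_sev, fix = CATEGORIES[category]
    sev = severity or default_sev
    f = report.get((category, host))
    if f is None:
        f = report[(category, host)] = Finding(category, host, sev, fix)
    if SEVERITY_RANK[sev] > SEVERITY_RANK[f.severity]:
        f.severity = sev  # keep the highest severity any scanner assigned
    f.locations.add(location)
    f.sources.add(source)


def correlate(target_host: str, zap, nikto, sslyze, nmap) -> list[Finding]:
    """Normalise all four scanners' records and return merged findings, worst first."""
    report: dict = {}
    for a in zap:
        cat = ZAP_CWE_TO_CATEGORY.get(a["cweid"])
        if cat is None:
            continue  # a full report would pass unmapped alerts through verbatim
        u = urlparse(a["url"])
        _merge(report, cat, u.hostname or target_host, u.path or "/", "ZAP", a["risk"])
    for item in nikto:
        cat = NIKTO_ID_TO_CATEGORY.get(item["id"])
        if cat:
            _merge(report, cat, target_host, item["uri"], "Nikto")
    for r in sslyze:
        if r["check"] in LEGACY_TLS_CHECKS and r["accepted"]:
            _merge(report, "tls-legacy-protocol", r["host"], f"tcp/{r['port']}", "SSLyze")
    for p in nmap:
        if p["state"] == "open" and p["port"] not in EXPECTED_PORTS:
            _merge(report, "unexpected-open-port", p["host"], f"tcp/{p['port']} ({p['service']})", "nmap")
    return sorted(report.values(), key=lambda f: -SEVERITY_RANK[f.severity])


def render(findings: list[Finding]) -> str:
    """Plain-text report: one block per merged finding with its remediation."""
    lines = []
    for f in findings:
        lines.append(f"[{f.severity}] {f.category} on {f.host}")
        lines.append(f"    affected: {', '.join(sorted(f.locations))}")
        lines.append(f"    reported by: {', '.join(sorted(f.sources))}")
        lines.append(f"    fix: {f.remediation}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = correlate("app.example.test", ZAP_ALERTS, NIKTO_ITEMS, SSLYZE_RESULTS, NMAP_PORTS)
    print(render(results))  # 9 raw records collapse to 5 findings
```

The three X-Frame-Options records (two from ZAP, one from Nikto) become a single Medium finding listing both scanners and both paths, which is the kind of collapse that turns raw scanner dumps into a list a partner can work through.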
Chimera Technology
- Chimera's scanners are entirely Heroku-based
- The architecture allows for massive scaling
- The portal to submit scans and receive results is Force platform-based, allowing for integration with existing Partner portal and AppExchange accounts
- Chimera core code and internal components are written mostly in Python
Get Started!
- Chimera will be live on October 1st, 2015
- Links will be live on DeveloperForce - Security
What's Next?
Future Work
We're not done yet!
- Chimera will become the primary means of preparing for Security Review
- We want to go one step further towards promoting partner security
- As Chimera becomes more stable, we'll start to experiment with automatic, periodic scans of live offerings to ensure continuous security for partners and customers
- Threat intelligence and proactive vulnerability notification will become possible for our partners at no cost or burden to them, ensuring partner success on the platform
Demo Scan Complete
- Let's take a look at that scan that we kicked off earlier…
Thank you
http://sforce.co/1HHrjRL

SitimaJohn
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
GDSC PJATK
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
HarisZaheer8
 
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStrDeep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
saastr
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 

Recently uploaded (20)

HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
 
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStrDeep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 

Secure Salesforce: External Integration Security with Chimera

Chimera
What and why?
• Chimera (mythology): “…a monstrous fire-breathing hybrid creature composed of the parts…”
• Chimera (genetics): “…a single organism composed of genetically distinct cells…”
• Chimera (Salesforce): A web security scanner composed of parts of the best open-source scanning, analysis, and fingerprinting tools available today. Consolidated and analyzed by purpose-built code and powered on the Heroku platform for massive scalability.

Chimera
• A fully featured, cloud-based security scanner
• Fire-and-forget scanning – just give it a target
• Made up of multiple industry-standard security tools
• Free for all AppExchange ISVs for the life of their AppExchange offering

Chimera Goals
• Give partners and ISVs better tools that make it easier to become secure
• Reduce confusion and delay in the Security Review process
• Use our resources to make security easier for our AppExchange partners
• Drive down the number of tests it takes a partner to pass Security Review and allow them to get to market faster on the AppExchange
• Promote the security of the AppExchange ecosystem

Let’s start a scan…

What are we scanning with?
• A variety of open-source tools as well as some internally developed ones
• ZAP – general web application security scanner
• Nikto – web application vulnerability scanner
• SSLyze – SSL vulnerability scanner
• nmap – port scanner
• Plus: SSL fingerprinting, web application fingerprinting

Background Magic
• Chimera isn’t just running scans and sending you raw results files
• After all scans complete on your target, Chimera correlates all results into a single report
• The report includes remediation steps for you to resolve issues between scans
• Chimera removes duplicate issues as much as possible to provide you with an accurate and actionable report
• Thanks to Heroku, Chimera scales based on activity
• Even around the Dreamforce AppExchange spike, you won’t be waiting long

Chimera Technology
• Chimera’s scanners are entirely Heroku-based
• The architecture allows for massive scaling
• The portal to submit scans and receive results is Force platform-based, allowing for integration with existing Partner portal and AppExchange accounts
• Chimera core code and internal components are written mostly in Python

Get Started!
• Chimera will be live on October 1st, 2015
• Links will be live on DeveloperForce - Security

We’re not done yet!
• Chimera will become the primary means of preparing for Security Review
• We want to go one step further towards promoting partner security
• As Chimera becomes more stable, we’ll start to experiment with automatic, periodic scans of live offerings to ensure continuous security for partners and customers
• Threat intelligence and proactive vulnerability notification will become possible for our partners at no cost or burden to them – ensuring partner success on the platform

Demo Scan Complete
• Let’s take a look at that scan that we kicked off earlier…
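The correlate-and-deduplicate step described on the "Background Magic" slide, as an added Python example (not Chimera's own code): findings from ZAP, Nikto and SSLyze, in constructed record layouts rather than the tools' real output formats, are mapped onto shared categories, merged per host/port/path, ranked by severity, and given a remediation hint. The category rules, severity ranking and remediation text are assumptions made for the example.

```python
"""Correlate several scanners' findings into one deduplicated report.
Added illustration of the correlation step the slides describe, not Chimera's
code. Tool names come from the slides; record layout, category rules,
severity ranking and remediation text are constructed for the example."""
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Shared categories: the same weakness reported under different tool-specific
# names collapses into one issue. Needles are matched case-insensitively.
CATEGORY_NEEDLES = {
    "missing-x-frame-options": ("x-frame-options",),
    "legacy-tls-protocol": ("sslv2", "sslv3", "tls 1.0"),
}
REMEDIATION = {
    "missing-x-frame-options": "Send X-Frame-Options: DENY or a CSP frame-ancestors directive.",
    "legacy-tls-protocol": "Disable SSLv2/SSLv3/TLS 1.0; offer TLS 1.2 or newer only.",
}

# Constructed sample findings (illustrative fields, not the tools' real formats).
RAW_FINDINGS = [
    {"tool": "zap", "host": "app.example.com", "port": 443, "path": "/login",
     "name": "X-Frame-Options Header Not Set", "risk": "Medium"},
    {"tool": "nikto", "host": "app.example.com", "port": 443, "path": "/login",
     "name": "X-Frame-Options header is not present", "risk": "Low"},
    {"tool": "nikto", "host": "app.example.com", "port": 443, "path": "/login",
     "name": "X-Frame-Options header is not present", "risk": "Low"},
    {"tool": "sslyze", "host": "app.example.com", "port": 443, "path": "",
     "name": "SSLv3 supported", "risk": "High"},
]

def categorize(name):
    lowered = name.lower()
    for category, needles in CATEGORY_NEEDLES.items():
        if any(n in lowered for n in needles):
            return category
    return "uncategorized:" + lowered  # keep unknown issues, never drop them

def correlate(findings):
    """One record per (host, port, path, category); highest severity wins."""
    merged = {}
    for f in findings:
        key = (f["host"], f["port"], f["path"], categorize(f["name"]))
        rec = merged.setdefault(key, {"severity": "info", "tools": set()})
        if SEVERITY_RANK[f["risk"].lower()] > SEVERITY_RANK[rec["severity"]]:
            rec["severity"] = f["risk"].lower()
        rec["tools"].add(f["tool"])
    report = [{"host": k[0], "port": k[1], "path": k[2], "category": k[3],
               "severity": v["severity"], "tools": sorted(v["tools"]),
               "remediation": REMEDIATION.get(k[3], "Review manually.")}
              for k, v in merged.items()]
    return sorted(report, key=lambda r: -SEVERITY_RANK[r["severity"]])  # worst first
```

Running `correlate(RAW_FINDINGS)` collapses the four raw findings into two issues: the SSLv3 one (high) and a single missing X-Frame-Options issue attributed to both ZAP and Nikto at ZAP's medium severity.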