ISV AppLab
Building Your App, and Your Business, From A-Z
CodeScience
@codescience
Salesforce ISV Team
@partnerforce
Speakers
John Richter - Director, Partner Community
Robert Sussland - Senior Product Security Engineer, Webapp Security and Cryptography
Christopher Auyeung - Sr. Manager, User Experience
Mike Witherspoon - CEO
Brian Walsh - CSO
Eddie Blazer - Director of Architecture
Krishna Tatta - Technical Architect
Rina Henderson - Lead UX
Agenda
• Software Development Lifecycle
• Setting Your Business Up for Success
• Funding Opportunities for Partners
• User Experience
• The Lightning Experience
• Break
• Integration Considerations and Design Patterns
• Security Review
• Q&A
ISV App Lab
John Richter
Director, Partner Community
Salesforce Partner Program
@partnerforce
The Salesforce Partner Program
World’s #1 Cloud Ecosystem
ISVs
Consulting Partners
Resellers
Digital Agencies
Partner Community
Partner Operations
Partner Marketing
Partner Development
Branding?
First Call Decks?
Webinars?
Live Events?
Pilots?
Logos?
Roadmap?
Surveys?
Trial Orgs?
Sponsorships?
White papers?
Leads?
New Releases?
Orders?
Opportunities?
Projects?
Red Accounts?
Customer Stories?
Org Extensions?
Technical Issues?
Design Questions?
Sales Collateral?
Seamless. Structured. Secure.
Partner User Groups
Briefings
Polls & Surveys
Instructor-led
Blogs
Program Guides
Media Assets
Partner Alerts!
Social Media
Communications
NewsFlash (e-newsletter)
Live Events
Office Hours
Learning
Ideas
Sessions
Online Programs
Roadmap
Partner Community
Releases & Pilots
Partner Community
Your one-stop shop for education and engagement
http://partners.salesforce.com/
• Partner Program Details
• Communications
• Training
• Deal Registration
• Webinars & Recordings
• Office Hours
• Sales & Enablement Resources
• Support
Partner Community in Action
Education & Engagement
Official: Partner Community Chatter Group
http://p.force.com/official
Questions & Answers Chatter Group
http://p.force.com/question
Alerts! for Partners
http://p.force.com/alerts
Releases for Partners
http://p.force.com/releases
Roadmap for Partners
http://p.force.com/roadmap
AppExchange Publishing
http://p.force.com/applisting
Support
http://p.force.com/case
Trailhead: ISV Basics
New onboarding for ISVs
http://p.force.com/ISVbasics
• Getting Started
• ISV Product Lifecycle
• Tools & Resources
ISV Partner Lifecycle
Key Drivers for Planning Your App, and Your Business
Phases: Plan → Build → Distribute → Market → Sell
($) – denotes an additional fee may apply, speak with your Partner Account Manager (ISV) for details
Plan
• Sign up
• Partner Community
:: App Academy
:: Resources & Tools
:: Online Training
:: Publishing
:: Support (Cases)
• Technical Review (TE)
• Business Review (PAM)
Build
• Environment Hub
:: Developer Orgs
:: Test Orgs
:: Packaging Org
:: Managed Package
• Security Review ($)
Distribute
• Trialforce Management Org
• Partner website
• Operations Review
• Final Contract Review
Market
• Partner Business Org
:: Campaigns
:: Leads
:: Analytics
:: Cases
:: Support Console
:: Other Apps
:: License Mgmt App
:: Opportunities
:: Channel Order App
• Free Trials
• AppExchange Marketing Program (AMP) ($)
Sell
• Sales Review
Resources across the lifecycle
• ISVforce Guide
• Developer Site
• Support
• Premier Support ($)
Foundations for AppExchange Success
Some tricks and tips we’ve learned along the way
Mike Witherspoon
CEO
mike@codescience.com
@spoonscience
Choose Your Own Adventure
So many unknowns are going to affect your product
• Know that you’ll be learning the entire time
• Identify biggest risks early and confront them
• Balance your skills by bringing in people who challenge and think differently than you
“You know nothing, Jon Snow” - Ygritte
Where to Focus Your Time and Money
Rule of Thirds - Start Small, Stay Small by Rob Walling
Your Business
• Organizations take time
• Culture Matters
• Invest time in your partnerships (e.g. Salesforce)
• HR, legal and ops are necessary
Your Product
• What? Only a third?
• Features can wait until you have an MVP, customer feedback and revenue
• “I don’t know why, but the best product never wins” - Michelle Witherspoon
Sales and Marketing
• Purchasers buy because they identify with a message or a sales person, period.
• The AppExchange will not sell your product for you (though it is an efficient marketing spend)
Timing and Pricing
Time = Money
What is your compelling event?
• Customers demanding features?
• Marketing event, e.g. Dreamforce or an industry trade show
• Security review takes 2 to 8 weeks
• You may have to resubmit so leave time
• Only required for public listing. You can deploy your private listing to customers.
• Financial: watch those investor expectations and your burn rate
SaaS industry standard is per user per month.
• Rarely can you justify per year, per company or per some other dimension
• How much to charge?
What is the marketing benefit/value to you if your app is free?
What is the sales, construction and support cost of the app?
What is a customer willing to pay?
Market Sizing and Business Plan
How big is your market?
• That’s a great question and it’s up to you to figure that out
Business plan basics
• Revenue plan
• Hiring plan
• Investor or budget pitch
• Marketing plan
A plan is incorrect the second you finish it
Assess Your Team
17 Roles to Build a Product
Write down who can fill each role and identify your team’s skill gaps
Determine a path to fill those gaps
• Hire (and train)
• Find a hired gun (solo contractor)
• Outsource to a PDO
• Onshore or Offshore?
• Full team or a subset?
• Know your budget (1/3 of your cash)
• Is your organization ready for consultants?
Roles for an agile development team
• Software architect (Salesforce Platform)
• Product Owner
• Scrum Master
• UX Designer
• Salesforce Developer (Configuration, Apex, Visualforce, Lightning, etc)
• Quality Assurance/Quality Engineer
What Kind of Partner Are You?
Business Model
• ISVForce: adds on to Salesforce CRM; customers are existing Salesforce users
• OEM: market outside of the Salesforce ecosystem; assumes no CRM objects
Revenue Collection
• Free - best place to start
• Checkout - Salesforce collects
• Traditional - Partner collects
Partner Tiers
• Free and Registered - <120K annually
• Silver - 120K to 800K ACV
• Gold and Platinum - >800K
Know your value to Salesforce
Funding Opportunities for ISVs
Many different models are available
Chart: SaaS, SaaS + Service, Tech-enabled services, Digital Media (segments labelled 52%, 25%, 21%)
• 100+ financings across 70+ companies
• Almost 80% are SaaS
• Revenue Based Financing for tech companies
• $50k-$1mm per company
• Technology + Capital = Better for Entrepreneurs
Funding paths for ISVs
Stage chart (revenue axis up to $5m): Ideation, Launch & Traction, Growth & Scale, Breakout, Established
Chart labels: Debt; Equity; Bootstrap / Friends & Family; Incubator / Angels; VC Backed; Non VC; Blended; Bank / Debt; Revenue-Based Finance; Venture Capital
Funding Option Comparison
                       Bank / Debt                    Revenue-Based Finance          Venture Capital
Guarantees & Controls  Financial Covenants;           No Financial Covenants;        Partner in the Business
                       Sometimes Personal Guarantees  No Personal Guarantees         (Board Seat, Voting Rights)
Added Value            Low / None                     Medium                         High
Dilution               None / Low                     None                           High
Payment Flexibility    Low: Fixed Payments            Medium: Variable Payments      High: No Payments
Speed                  4-8 months                     4 weeks                        Highly variable. Typical 3-9 months of focused effort
What is Revenue-based financing?
• The best of debt and equity – aligned interests with no dilution
• Essentially a royalty agreement
• Monthly payments = fixed % of revenue
• Fits SaaS
Example Financing
Chart: company revenue and loan payment over periods 1 to 14
• Up to $1M or 33% of annualized revenue run rate
• $500K funding
• Payment: 5% of monthly revenue
• Repayment: 1.7x principal ($850K)
• Maturity: 5 years
Contact Information
R. Branden Harper
Director – Investment Team
bharper@lightercapital.com
310.463.3285
What Is UX?
It’s rarely just about making things pretty!
UX is Empathy
Question: What is Empathy?
1. In a hypothetical narrative, a person sees a fast food restaurant.
2. A person sees a fast food restaurant as they are driving their car to the mall.
3. A middle aged woman sees her favorite fast food restaurant as she drives her car to the mall to buy a pair of dress shoes for an interview.
UX: The “Thinking Parts”
• I want to get my head into your project!
• Leverage my ignorance.
• It’s not just about visual design!
• Telltale signs of good thinking.
UX: The “Design Parts”
• Design an experience, including your brand.
• Visualize requirements via proof of concept.
• Iteration … we didn’t get to the future without iteration!
UX: The “Build Parts”
• Prototype, prototype, PROTOTYPE!
• HTML / CSS = inexpensive vetting
• Parallel universe...
What Does UX Look Like?
It differs for everyone, but here’s what’s worked for us...
• Personas
• Context
• User Flows
• User Flows (continued, because we like these… a lot)
• Information Architecture
• Information Architecture with User Flow (yep, still important)
• Wireframing
• Optimizing UI (SLDS)
• Prototyping
The Lightning Experience
Integration
Best practices for integration in an ISV App
What is Integration?
Any transfer of data between multiple services
Examples:
• Salesforce SOAP call-out to an ERP system
• Mobile app RESTful call-in to Salesforce to get leads
• Salesforce-hosted VF page XHR callout to a 3rd party stock ticker
• Salesforce-hosted VF page embeds a Twitter feed (iframe/”mashup”)
Design Considerations
Consideration: Security Review
Considerations:
• Security Review has very strict pass/fail criteria. This alone has the largest influence on integration design because it has the most constraints.
• Data at Rest, In-Transit, In-Use
• Authentication
• CSRF/XSS/SOQL-Injection, CDN
Mitigations:
• Custom Protected Settings
• Encrypted Fields / Platform Encryption
• TLS, Two-way SSL auth
• SAML, OAuth, CSR, named credentials
• CORS, StaticResources
• Checkmarx and ZAP/Burp Scan
• Can be integrated into build automation
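Of the items on this slide, SOQL injection is the one the Checkmarx scan flags most mechanically, so it is worth seeing the flagged shape next to the shapes that pass. The following is an added example, not code from the deck, from CodeScience or from Salesforce; AccountSearch is a hypothetical class, and the allow-listed column names are assumptions.

```apex
// Added example; AccountSearch is a hypothetical class, not from the deck.
public with sharing class AccountSearch {

    // FLAGGED by Checkmarx: user input concatenated into the query text.
    // A single quote inside searchTerm closes the string literal early and
    // whatever follows is parsed as SOQL, so the WHERE clause no longer
    // means what the developer wrote.
    public static List<Account> findUnsafe(String searchTerm) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + searchTerm + '%\'';
        return Database.query(soql);
    }

    // PASSES, preferred form: a bind variable. The value travels separately
    // from the query text, so nothing inside it is ever parsed as SOQL.
    public static List<Account> findWithBind(String searchTerm) {
        String pattern = '%' + searchTerm + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    // Columns a caller may sort on. Assumed for the example: the point is that
    // identifiers (fields, objects, ORDER BY targets) can never be escaped,
    // only chosen from a fixed list.
    private static final Set<String> SORTABLE = new Set<String>{ 'Name', 'CreatedDate' };

    // PASSES, for a query that genuinely must be assembled at runtime: escape
    // the untrusted literal and confine it to the literal position; take the
    // identifier from the allow-list, never from the caller.
    public static List<Account> findDynamic(String searchTerm, String orderBy) {
        if (!SORTABLE.contains(orderBy)) {
            orderBy = 'Name';  // refuse anything that is not a known column
        }
        String safeTerm = String.escapeSingleQuotes(searchTerm);
        String soql = 'SELECT Id, Name FROM Account'
                    + ' WHERE Name LIKE \'%' + safeTerm + '%\''
                    + ' ORDER BY ' + orderBy
                    + ' LIMIT 200';
        return Database.query(soql);
    }
}
```

`with sharing` makes the queries respect record-level sharing; it does not check object or field permissions, which is the separate CRUD/FLS requirement covered later in the Security Review section.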
Design Considerations
Consideration: Performance/Scalability
Considerations:
• Transaction Context: Trigger, VF Page, Browser, etc
• Bulkified
• JSON vs XML
• Data Width, Frequency, Schedule
Mitigations:
• WF-OBM, @future, queueable, batch, scheduled
• Bulkify everything
• Least data
• Checkmarx Scanner
Design Considerations
Consideration: User Experience
Considerations:
• Blocking or non-blocking operation?
• Need immediate feedback?
• Streaming data
Mitigations:
• Validate business requirements
Design Considerations
Consideration: Maintenance
Considerations:
• Layer Choice: Server or Browser?
• Skillsets: back-end, front-end, middle
• Solution choice
Mitigations:
• Clicks not code
• Designing with layers and appropriate patterns
• Microservices and SOA
• Middleware
Design Considerations
Consideration: Money, duh
Considerations:
• Buy a tool vs custom build
• Cost scalability
Mitigations:
• Engage a PDO!
Integration Patterns
2-Way Token Exchange
Use Case: Salesforce and ISV need asynchronous API access to each other
Challenge: Building a secure, authenticated integration
• Storing 3rd party credentials = bad! Use revocable tokens authorized by the user or admin that are specific to each client
• OAuth is a user-driven process; performing it bi-directionally is challenging
Solution:
• VF “Setup” page to initialize the OAuth flow to the 3rd party service
• Request a refresh token, store in a custom protected hierarchy setting
• Upon completion of flow, redirect to a Canvas app
• Canvas can utilize a “Lifecycle Handler” ISV-defined Apex Class
• Sends 3rd party & Salesforce refresh tokens in one payload to 3rd party
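The first two steps of the solution above, the VF setup page that starts the OAuth flow and the refresh token landing in a protected hierarchy setting, as an added example. It is not code from the deck or from CodeScience. It assumes a hierarchy custom setting Integration_Settings__c whose Visibility is Protected in the packaging org with a text field Refresh_Token__c, a Visualforce page ThirdPartySetup (action="{!handleCallback}") that is also the registered redirect URI, and a Named Credential ThirdParty_OAuth pointing at the 3rd party's token endpoint so the client secret is configured there rather than in Apex. Every URL, parameter and page name is a placeholder.

```apex
// Added example; names of settings, fields, pages and endpoints are placeholders.
public with sharing class ThirdPartySetupController {

    public class TokenExchangeException extends Exception {}

    private static final String AUTHORIZE_URL = 'https://thirdparty.example/oauth/authorize'; // placeholder
    private static final String CLIENT_ID     = 'client-id-placeholder';
    private static final String STATE_COOKIE  = 'tp_oauth_state';

    // Step 1 ("Connect" button): mint an unguessable state value, pin it to this
    // browser in a Secure cookie, and send the admin to the consent screen. The
    // state check in step 2 is what stops a forged callback (CSRF against the
    // OAuth flow) from planting someone else's token in the subscriber org.
    public PageReference startFlow() {
        String state = EncodingUtil.convertToHex(Crypto.generateAesKey(128));
        ApexPages.currentPage().setCookies(new Cookie[] {
            new Cookie(STATE_COOKIE, state, null, 600, true)   // 10 minutes, Secure
        });
        PageReference consent = new PageReference(AUTHORIZE_URL);
        consent.getParameters().put('response_type', 'code');
        consent.getParameters().put('client_id', CLIENT_ID);
        consent.getParameters().put('redirect_uri', redirectUri());
        consent.getParameters().put('state', state);
        consent.setRedirect(true);
        return consent;
    }

    // Step 2 (page action): the 3rd party redirects back with ?code=...&state=...
    public PageReference handleCallback() {
        Map<String, String> params = ApexPages.currentPage().getParameters();
        String code = params.get('code');
        if (String.isBlank(code)) {
            return null;   // plain render of the setup page, nothing to do yet
        }
        Cookie stored = ApexPages.currentPage().getCookies().get(STATE_COOKIE);
        if (stored == null || String.isBlank(stored.getValue())
                || stored.getValue() != params.get('state')) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR,
                'OAuth state mismatch; restart setup.'));
            return null;
        }
        String refreshToken = exchangeCode(code);

        // The refresh token lives only in the protected hierarchy setting: users,
        // reports and the API of the subscriber org cannot read a protected
        // setting; only this package's own Apex can.
        Integration_Settings__c settings = Integration_Settings__c.getOrgDefaults();
        if (settings.Id == null) {
            settings.SetupOwnerId = UserInfo.getOrganizationId();
        }
        settings.Refresh_Token__c = refreshToken;
        upsert settings;

        // Step 3 of the deck's pattern: hand off to the Canvas app (placeholder page).
        return new PageReference('/apex/ThirdPartyCanvasPage');
    }

    // Trade the one-time authorization code for a refresh token over TLS. The
    // Named Credential supplies the endpoint and the client credentials.
    private static String exchangeCode(String code) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:ThirdParty_OAuth');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('grant_type=authorization_code'
            + '&code=' + EncodingUtil.urlEncode(code, 'UTF-8')
            + '&client_id=' + EncodingUtil.urlEncode(CLIENT_ID, 'UTF-8')
            + '&redirect_uri=' + EncodingUtil.urlEncode(redirectUri(), 'UTF-8'));
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            throw new TokenExchangeException('Token exchange failed: HTTP ' + res.getStatusCode());
        }
        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        return (String) body.get('refresh_token');
    }

    private static String redirectUri() {
        return URL.getSalesforceBaseUrl().toExternalForm() + '/apex/ThirdPartySetup';
    }
}
```

For the Canvas step, the ISV's lifecycle handler (an Apex class implementing Canvas.CanvasLifecycleHandler) can read Integration_Settings__c.getOrgDefaults().Refresh_Token__c in onRender and attach it to the signed request through Canvas.EnvironmentContext.setParametersAsJSON; the signed request is HMAC-signed by Salesforce with the connected app's consumer secret, which is what lets the 3rd party trust that payload.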
Integration Patterns
Easy Data “Push”
Challenge: Push data changes that happen in Salesforce to your 3rd party system
• Do it cheap
• Do it fast
• Make it perform
Solution:
• Workflow Outbound Messages
• Middleware hosted by 3rd Party or custom SOAP webservice built by 3rd party
Data Push - Pros:
• Clicks not code
• Built-in queueing/retry
• Bulkified
• Supported/upgraded by Salesforce
• No limits
• Admin configurable
Data Push - Cons:
• Salesforce-provided WSDL, no REST
• Limited Data Payloads
• FIFO Queue, no order/priority
• Asynchronous
• No authN tokens. Security via trust and “callbacks”
Integration Patterns
2-Way Data Sync
Challenge: Synchronize data to and/or from a 3rd party
Solution:
• Programmatic callouts via Apex to push and pull changes
• @future, Queueable, Batch
• Remote Site Setting (can now be packaged)
• Custom Protected Hierarchy Settings for endpoints
Common Pitfall: most ISVs also have a multi-tenant “pod” architecture. Referenced endpoint needs to be a proxy or router.
2-Way Data Sync - Pros:
• Can callout to any WSDL/REST
• Can utilize any ordering/priority/retry logic
• More complex data payloads
• More complex integration scenarios
2-Way Data Sync - Cons:
• Higher maintenance burden
• Asynchronous limits shared with whole org
• Requires programmatic skillset
• Less configurable by end-users
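The push half of the 2-Way Data Sync pattern as a Queueable callout, written as an added example rather than taken from the deck or from CodeScience. It assumes the same protected hierarchy setting Integration_Settings__c used for the token exchange, here holding Endpoint_URL__c (the ISV's router, per the pitfall above) and Access_Token__c, and a packaged Remote Site Setting for that host; the header name, the JSON shape and the AccountSyncQueueable class are all assumptions.

```apex
// Added example; setting, field and header names are placeholders.
public with sharing class AccountSyncQueueable implements Queueable, Database.AllowsCallouts {

    private static final Integer MAX_ATTEMPTS = 3;
    private final Set<Id> accountIds;
    private final Integer attempt;

    public AccountSyncQueueable(Set<Id> accountIds) { this(accountIds, 1); }

    private AccountSyncQueueable(Set<Id> accountIds, Integer attempt) {
        this.accountIds = accountIds;
        this.attempt = attempt;
    }

    public void execute(QueueableContext ctx) {
        Integration_Settings__c settings = Integration_Settings__c.getOrgDefaults();
        if (String.isBlank(settings.Endpoint_URL__c) || String.isBlank(settings.Access_Token__c)) {
            return;   // integration not configured in this org yet; nothing to push
        }
        // Bulkified and "least data": one request for every changed record,
        // carrying only the fields the 3rd party actually consumes.
        List<Map<String, Object>> payload = new List<Map<String, Object>>();
        for (Account a : [SELECT Id, Name, Website FROM Account WHERE Id IN :accountIds]) {
            payload.add(new Map<String, Object>{ 'id' => a.Id, 'name' => a.Name, 'website' => a.Website });
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint(settings.Endpoint_URL__c + '/sync/accounts');
        req.setMethod('POST');
        req.setTimeout(30000);
        req.setHeader('Content-Type', 'application/json');
        req.setHeader('Authorization', 'Bearer ' + settings.Access_Token__c);
        // Multi-tenant pitfall: the router must know which subscriber org is
        // calling, so the org id travels with every request.
        req.setHeader('X-Salesforce-Org-Id', UserInfo.getOrganizationId());
        req.setBody(JSON.serialize(payload));

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() >= 500 && attempt < MAX_ATTEMPTS && !Test.isRunningTest()) {
            // Transient server failure: retry by chaining one follow-up job
            // (a queueable may enqueue exactly one child job, and not from tests).
            System.enqueueJob(new AccountSyncQueueable(accountIds, attempt + 1));
        } else if (res.getStatusCode() >= 300) {
            System.debug(LoggingLevel.ERROR, 'Account sync failed: HTTP ' + res.getStatusCode());
        }
    }

    // Trigger-side entry point, meant to be called from an after insert / after
    // update trigger on Account: one job per transaction, not one per record.
    public static Id enqueueFor(List<Account> changed) {
        Set<Id> ids = new Map<Id, Account>(changed).keySet();
        if (ids.isEmpty() || Limits.getQueueableJobs() >= Limits.getLimitQueueableJobs()) {
            return null;   // at this transaction's async limit; skip rather than fail the DML
        }
        return System.enqueueJob(new AccountSyncQueueable(ids));
    }
}
```

The trigger itself is one line, `AccountSyncQueueable.enqueueFor(Trigger.new);`, in an after insert, after update trigger on Account. The Limits check is what the "asynchronous limits shared with whole org" con looks like in practice: a trigger that enqueues unconditionally will throw once another process in the same transaction has already used the queueable allowance.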
Security Review
Security starts with design
Nothing is more important to salesforce.com than the privacy of their customers’ data
Horizontal attacks require testing all entry points in your solution
The more that customers trust AppExchange applications, the more likely they are to install them
Team of 10+ Security Experts to review all applications approved for the AppExchange
Apex and Visualforce
All code must be evaluated using Checkmarx
Anything higher than an informational must be fixed
Commonly flagged:
• CRUD/FLS
• JS
• SOQL Injection
CRUD and FLS
CRUD:
• Create
• Read
• Update
• Delete
FLS:
• Field Level Security
Apex Code must test for these conditions
ESAPI library: https://code.google.com/p/force-dot-com-esapi/wiki/GettingStarted
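What "Apex Code must test for these conditions" looks like without the ESAPI library, as an added example that is not code from the deck, from CodeScience or from the ESAPI project: ContactService is a hypothetical class that checks the object-level (CRUD) and field-level (FLS) describe results for the running user before each query and DML statement. Newer platform versions also offer `WITH SECURITY_ENFORCED` in SOQL and `Security.stripInaccessible`, but the describe checks below work at any API version.

```apex
// Added example; ContactService is a hypothetical class, not from the deck.
public with sharing class ContactService {

    public class AccessDeniedException extends Exception {}

    // Field tokens rather than strings: a describe keyed by token cannot
    // suffer from case or typo mismatches.
    private static final List<Schema.SObjectField> READ_FIELDS = new List<Schema.SObjectField>{
        Contact.LastName, Contact.Email, Contact.Phone
    };
    private static final List<Schema.SObjectField> WRITE_FIELDS = new List<Schema.SObjectField>{
        Contact.LastName, Contact.Email, Contact.AccountId
    };

    public static List<Contact> contactsFor(Id accountId) {
        // CRUD: object-level read permission for the running user.
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AccessDeniedException('No read access to Contact');
        }
        // FLS: every field the query selects must be readable as well.
        for (Schema.SObjectField f : READ_FIELDS) {
            if (!f.getDescribe().isAccessible()) {
                throw new AccessDeniedException('No read access to Contact.' + f.getDescribe().getName());
            }
        }
        return [SELECT Id, LastName, Email, Phone FROM Contact WHERE AccountId = :accountId];
    }

    public static Contact create(Id accountId, String lastName, String email) {
        if (!Schema.sObjectType.Contact.isCreateable()) {
            throw new AccessDeniedException('No create access to Contact');
        }
        for (Schema.SObjectField f : WRITE_FIELDS) {
            if (!f.getDescribe().isCreateable()) {
                throw new AccessDeniedException('No create access to Contact.' + f.getDescribe().getName());
            }
        }
        Contact c = new Contact(AccountId = accountId, LastName = lastName, Email = email);
        insert c;
        return c;
    }

    public static void updateEmail(Id contactId, String email) {
        // Update needs both the object permission and the specific field's FLS.
        if (!Schema.sObjectType.Contact.isUpdateable() || !Contact.Email.getDescribe().isUpdateable()) {
            throw new AccessDeniedException('No update access to Contact.Email');
        }
        update new Contact(Id = contactId, Email = email);
    }
}
```

Checkmarx reports a CRUD/FLS finding for each query or DML statement that is not preceded by the matching check, so the check and the operation belong in the same method; a check performed elsewhere in the call chain is not visible to the scanner.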
External Web Application
This is generally our largest risk factor for AppExchange products
• We test early and often
• It can take longer for the ISV to fix these issues due to existing development priorities
All web applications must be scanned using Burp or ZAP
• Includes website (authenticated and unauthenticated)
• APIs
• Webservices
• Any third party services as well
• All vulnerabilities marked as non-informational must be addressed
What to Burp Scan
• API Endpoints
• Web Application (Authenticated/Unauthenticated)
• Website (if sharing same infrastructure)
• Canvas Apps
• OAuth / Auth process
• Web Service calls
• Client Side JS library (Google maps, etc)
DO NOT FORGET TO
• Scan authentication/login pages
• Scan API endpoints after authenticating, otherwise their code is not exercised!
Top Ten for Web Applications
1. Injection: SQL, OS, LDAP
2. Cross Site Scripting (XSS): improper validation and escaping allows an attacker to execute scripts in the browser to hijack user sessions or redirect to malicious sites
3. Broken Authentication/User Management: attackers can compromise passwords, keys, and session tokens to assume users’ identities
• Username Enumeration is included in this pattern
• Password reset always tested
• DON’T STORE PASSWORDS IN PLAIN TEXT!
4. Insecure Direct Object Reference: exposing internal configuration and not securing it properly
5. Cross Site Request Forgery (XSRF): sites that rely upon identity can be spoofed
6. Security Misconfiguration: default security settings for most web software are more open than secure. Modify defaults to lock down to only the essential functionality that is required
7. Insecure Cryptographic Storage: proper hashing/encryption for sensitive data (SSN, Credit Cards, OAuth Tokens, Passwords, etc)
8. Failure to Restrict URL Access: all pages behind authentication must enforce access control
9. Insufficient Transport Layer Protection: often due to expired/invalid certificates, improper configuration, or weak algorithms. See Heartbleed Bug!
10. Unvalidated Redirects and Forwards: attackers can redirect users to phishing and malware sites
Mobile/Desktop Application Guidance
Store OAuth tokens in the keychain
• All OSes provide a keychain for storing tokens
• Do not provide your own security model/storage
Proxy your device’s internet connection through Burp running on a desktop
• Capture API calls to external applications
• Spider/actively scan all endpoints via Burp
Security Review Org, Part I
A test org with your managed package installed and fully configured is required
• Do not submit a PDE. This must be a test org for your target customer – generally an EE test org
• Spin up new test orgs via your Environment Hub
Create users for each of the profiles you are exposing
Documentation on how the application works
• Can be a Word/PDF document
• Can also be a screencast
Note that the SR team reviews hundreds of applications: make it as easy as possible for them to test your application!
We are all on the same team
Security Review Org, Part II
If there are external integrations, users on the external system must be included
If it is a desktop or mobile application, the application + users for the application must be included
On-premise solutions (PBX, ACD, Databases, etc) need to have a full, working environment for the Security Review team
• They will not use a VM for the testing
• Must configure it yourself and make it available via VPN connection
If your web application shares infrastructure with your public website, that will be included in the test as well
Submission Process
Seven page wizard to submit your application
Upload security certifications/policies that your organization may have
You must include the Checkmarx report
If you have any callouts or integrations, you must submit the Burp report
• HTML output
If you have exceptions to the reports, you must submit them via the wizard as well
• In our experience, exceptions are fewer and farther between
Credentials for your test org must be included
For paid applications, credit card payment in last step
Must complete ISV agreement prior to Security Review
Prescreening takes place prior to entering Security Review queue
Thank you

  • 5. John Richter Director, Partner Community Salesforce Partner Program @partnerforce
  • 6. The Salesforce Partner Program World’s #1 Cloud Ecosystem ISVs Consulting Partners Resellers Digital Agencies Partner Community Partner Operations Partner Marketing Partner Development
  • 7. Branding? First Call Decks? Webinars? Live Events? Pilots? Logos? Roadmap? Surveys? Trial Orgs? Sponsorships? White papers? Leads? New Releases? Orders? Opportunities? Projects? Red Accounts? Customer Stories? Org Extensions? Technical Issues? Design Questions? Sales Collateral?
  • 9. Partner User Groups Briefings Polls & Surveys Instructor-led Blogs Program Guides Media Assets Partner Alerts! Social Media Communications NewsFlash (e-newsletter) Live Events Office Hours Learning Ideas Sessions Online Programs Roadmap Partner Community Releases & Pilots
  • 10. Partner Community Your one-stop shop for education and engagement http://partners.salesforce.com/ • Partner Program Details • Communications • Training • Deal Registration • Webinars & Recordings • Office Hours • Sales & Enablement Resources • Support
  • 11. Partner Community in Action Education & Engagement
  • 12. Official: Partner Community Chatter Group http://p.force.com/official
  • 13. Questions & Answers Chatter Group http://p.force.com/question
  • 19. Trailhead: ISV Basics New onboarding for ISVs http://p.force.com/ISVbasics • Getting Started • ISV Product Lifecycle • Tools & Resources
  • 20. ISV Partner Lifecycle Key Drivers for Planning Your App, and Your Business
  • 21. ISV Partner Lifecycle Sign up Partner Community :: App Academy :: Resources & Tools :: Online Training :: Publishing :: Support (Cases) Plan Build Distribute Sell Market ($) – denotes an additional fee may apply, speak with your Partner Account Manager (ISV) for details Technical Review (TE) Business Review (PAM) ISVforce Guide Developer Site Support
  • 22. ISV Partner Lifecycle Sign up Partner Community :: App Academy :: Resources & Tools :: Online Training :: Publishing :: Support (Cases) Environment Hub Developer Orgs Test Orgs Packaging Org Managed Package Plan Build Distribute Sell Market ($) – denotes an additional fee may apply, speak with your Partner Account Manager (ISV) for details Security Review ($) Technical Review (TE) Business Review (PAM) ISVforce Guide Developer Site Support
  • 23. ISV Partner Lifecycle Trialforce Management Org Partner website Sign up Partner Community :: App Academy :: Resources & Tools :: Online Training :: Publishing :: Support (Cases) Environment Hub Developer Orgs Test Orgs Packaging Org Managed Package Plan Build Distribute Sell Market ($) – denotes an additional fee may apply, speak with your Partner Account Manager (ISV) for details Security Review ($) Operations Review Final Contract Review Technical Review (TE) Business Review (PAM) ISVforce Guide Developer Site Support
  • 24. ISV Partner Lifecycle Trialforce Management Org Partner website Sign up Partner Community :: App Academy :: Resources & Tools :: Online Training :: Publishing :: Support (Cases) Environment Hub Developer Orgs Test Orgs Packaging Org Managed Package Partner Business Org • Campaigns • Leads • Analytics • License Mgmt App • Opportunities • Channel Order App FREE TRIALS Plan Build Distribute Sell Market ($) – denotes an additional fee may apply, speak with your Partner Account Manager (ISV) for details Security Review ($) Operations Review Final Contract Review AppExchange Marketing Program (AMP) ($) Technical Review (TE) Business Review (PAM) ISVforce Guide Developer Site Support • Cases • Support Console • Other Apps
  • 25. ISV Partner Lifecycle Trialforce Management Org Partner website Sign up Partner Community :: App Academy :: Resources & Tools :: Online Training :: Publishing :: Support (Cases) Environment Hub Developer Orgs Test Orgs Packaging Org Managed Package Partner Business Org • Campaigns • Leads • Analytics • Cases • Support Console • Other Apps • License Mgmt App • Opportunities • Channel Order App FREE TRIALS Plan Build Distribute Sell Market ($) – denotes an additional fee may apply, speak with your Partner Account Manager (ISV) for details Security Review ($) Operations Review Final Contract Review AppExchange Marketing Program (AMP) ($) Sales Review Technical Review (TE) Business Review (PAM) ISVforce Guide Developer Site Support
  • 26. ISV Partner Lifecycle Trialforce Management Org Partner website Sign up Partner Community :: App Academy :: Resources & Tools :: Online Training :: Publishing :: Support (Cases) Environment Hub Developer Orgs Test Orgs Packaging Org Managed Package Partner Business Org • Campaigns • Leads • Analytics • Cases • Support Console • Other Apps • License Mgmt App • Opportunities • Channel Order App FREE TRIALS Plan Build Distribute Sell Market ($) – denotes an additional fee may apply, speak with your Partner Account Manager (ISV) for details Security Review ($) Operations Review Final Contract Review Premier Support ($) AppExchange Marketing Program (AMP) ($) Sales Review Technical Review (TE) Business Review (PAM) ISVforce Guide Developer Site Support
  • 27. Foundations for AppExchange Success Some tricks and tips we’ve learned along the way Mike Witherspoon CEO mike@codescience.com @spoonscience
  • 28. So many unknowns are going to affect your product • Know that you’ll be learning the entire time • Identify biggest risks early and confront them • Balance your skills by bringing in people who challenge and think differently than you You know nothing Jon Snow - Ygritte Choose Your Own Adventure
  • 29. Your Business Organizations take time Culture Matters Invest time in your partnerships (e.g. Salesforce) HR, legal and ops are necessary Your Product What? Only a third? Features can wait until you have an MVP, customer feedback and revenue “I don’t know why, but the best product never wins” - Michelle Witherspoon Sales and Marketing Purchasers buy because they identify with a message or a sales person, period. The AppExchange will not sell your product for you (though it is an efficient marketing spend) Rule of Thirds - Start Small, Stay Small by Rob Walling Where to Focus Your Time and Money
  • 30. What is your compelling event? • Customers demanding features? • Marketing event, e.g. Dreamforce or an industry trade show • Security review takes 2 to 8 weeks • You may have to resubmit, so leave time • Only required for a public listing. You can deploy your private listing to customers. • Financial... watch those investor expectations and your burn rate SaaS industry standard is per user per month. • Rarely can you justify per year, per company or per some other dimension • How much to charge? What is the marketing benefit/value to you if your app is free? What is the sales, construction and support cost of the app? What is a customer willing to pay? Timing and Pricing Time = Money
  • 31. How big is your market? • That’s a great question and it’s up to you to figure that out Business plan basics • Revenue plan • Hiring plan • Investor or budget pitch • Marketing plan A plan is incorrect the second you finish it Market Sizing and Business Plan
  • 32. Write down who can fill each role and identify your team’s skill gaps Determine a path to fill those gaps • Hire (and train) • Find a hired gun (solo contractor) • Outsource to a PDO • Onshore or Offshore? • Full team or a subset? • Know your budget (1/3 of your cash) • Is your organization ready for consultants? Roles for an agile development team • Software architect (Salesforce Platform) • Product Owner • Scrum Master • UX Designer • Salesforce Developer (Configuration, Apex, Visualforce, Lightning, etc.) • Quality Assurance/Quality Engineer Assess Your Team Roles to Build a Product
  • 33. Business Model ISVForce Adds on to Salesforce CRM Customers are existing Salesforce users OEM Market outside of Salesforce ecosystem Assumes no CRM objects Revenue Collection Free - best place to start Checkout - Salesforce collects Traditional - Partner collects Partner Tiers Free and Registered <120K annually Silver - 120K to 800K ACV Gold and Platinum - > 800K Know your value to Salesforce What Kind of Partner Are You?
  • 34. Funding Opportunities for ISVs Many different models are available
  • 35. 52% 25% 21% SaaS SaaS + Service Tech-enabled services Digital Media • 100+ financings across 70+ companies • Almost 80% are SaaS • Revenue Based Financing for tech companies • $50k-$1mm per company • Technology + Capital = Better for Entrepreneurs
  • 36. Funding paths for ISVs [chart: revenue up to $5m across stages] Established Ideation Launch & Traction Growth & Scale Breakout Debt Equity Bootstrap / Friends & Family Incubator / Angels VC Backed Non VC Blended
  • 37. Funding Option Comparison (Bank / Debt vs. Revenue-Based Finance vs. Venture Capital) Guarantees & Controls: Bank/Debt = financial covenants, sometimes personal guarantees; Revenue-Based Finance = no financial covenants, no personal guarantees; Venture Capital = partner in the business (board seat, voting rights). Added Value: Bank/Debt = low/none; Revenue-Based Finance = medium; Venture Capital = high. Dilution: Bank/Debt = none/low; Revenue-Based Finance = none; Venture Capital = high. Payment Flexibility: Bank/Debt = low (fixed payments); Revenue-Based Finance = medium (variable payments); Venture Capital = high (no payments). Speed: Bank/Debt = 4-8 months; Revenue-Based Finance = 4 weeks; Venture Capital = highly variable, typically 3-9 months of focused effort.
  • 38. What is Revenue-based financing? • The best of debt and equity – aligned interests with no dilution • Essentially a royalty agreement • Monthly payments = fixed % of revenue • Fits SaaS [chart: company revenue vs. loan payment over periods 1-14] Example Financing • Up to $1M or 33% of annualized revenue run rate • $500K funding • Payment: 5% of monthly revenue • Repayment: 1.7x principal ($850K) • Maturity: 5 years
  • 39. Contact Information R. Branden Harper Director – Investment Team bharper@lightercapital.com 310.463.3285
  • 40. What Is UX? It’s rarely just about making things pretty!
  • 41. UX is Empathy Question: What is Empathy? In a hypothetical narrative, a person sees a fast food restaurant.
  • 42. A person sees a fast food restaurant as they are driving their car to the mall. UX is Empathy Question: What is Empathy?
  • 43. A middle aged woman sees her favorite fast food restaurant as she drives her car to the mall to buy a pair of dress shoes for an interview. UX is Empathy Question: What is Empathy?
  • 45. UX: The “Thinking Parts” I want to get my head into your project!
  • 46. UX: The “Thinking Parts” I want to get my head into your project! Leverage my ignorance.
  • 47. UX: The “Thinking Parts” I want to get my head into your project! Leverage my ignorance. It’s not just about visual design!
  • 48. UX: The “Thinking Parts” I want to get my head into your project! Leverage my ignorance. It’s not just about visual design! Telltale signs of good thinking.
  • 49. UX: The “Design Parts”
  • 50. UX: The “Design Parts” Design an experience, including your brand.
  • 51. UX: The “Design Parts” Design an experience, including your brand. Visualize requirements via proof of concept.
  • 52. UX: The “Design Parts” Design an experience, including your brand. Visualize requirements via proof of concept. Iteration ...
  • 53. UX: The “Design Parts” Design an experience, including your brand. Visualize requirements via proof of concept. Iteration … … we didn’t get to the future without iteration!
  • 54. UX: The “Build Parts” Prototype, prototype, PROTOTYPE!
  • 55. UX: The “Build Parts” Prototype, prototype, PROTOTYPE! HTML / CSS = less expensive vetting cycle
  • 56. UX: The “Build Parts” Prototype, prototype, PROTOTYPE! HTML / CSS = inexpensive vetting Parallel universe...
  • 57. What Does UX Look Like? It differs for everyone, but here’s what’s worked for us...
  • 61. User Flows (continued, because we like these… a lot)
  • 63. Information Architecture with User Flow (yep, still important)
  • 68. Integration Best practices for integration in an ISV App
  • 69. Any transfer of data between multiple services Examples: • Salesforce SOAP call-out to an ERP system • Mobile app RESTful call-in to Salesforce to get leads • Salesforce-hosted VF page XHR callout to a 3rd-party stock ticker • Salesforce-hosted VF page embeds a Twitter feed (iframe/”mashup”) What is Integration?
  • 70. Considerations: • Security Review has very strict pass/fail criteria. This alone has the largest influence on integration design because it has the most constraints. • Data at Rest, In-Transit, In-Use • Authentication • CSRF/XSS/SOQL-Injection, CDN Mitigations: • Custom Protected Settings • Encrypted Fields / Platform Encryption • TLS, Two-way SSL auth • SAML, OAuth, CSR, named credentials • CORS, StaticResources • Checkmarx and ZAP/BURP Scan • Can be integrated into build automation Design Considerations Consideration: Security Review
  • 71. Considerations: • Transaction Context: Trigger, VF Page, Browser, etc. • Bulkified • JSON vs XML • Data Width, Frequency, Schedule Mitigations: • WF-OBM, @future, Queueable, Batch, Scheduled • Bulkify everything • Least data • Checkmarx Scanner Design Considerations Consideration: Performance/Scalability
  • 72. Considerations: • Blocking or non-blocking operation? • Need immediate feedback? • Streaming data Mitigations: • Validate business requirements Design Considerations Consideration: User Experience
  • 73. Considerations: • Layer Choice: Server or Browser? • Skillsets: back-end, front-end, middle • Solution choice Mitigations: • Clicks not code • Designing with layers and appropriate patterns • Microservices and SOA • Middleware Design Considerations Consideration: Maintenance
  • 74. Considerations: • Buy a tool vs custom build • Cost scalability Design Considerations Consideration: Money, duh Mitigations: Engage a PDO!
  • 76. Use Case: Salesforce and ISV need asynchronous API access to each other Challenge: Building a secure, authenticated integration • Storing 3rd-party credentials = bad! Use revocable tokens authorized by the user or admin that are specific to each client • OAuth is a user-driven process; performing it bi-directionally is challenging Solution: • VF “Setup” page to initialize the OAuth flow to the 3rd-party service • Request a refresh token, store it in a custom protected hierarchy setting • Upon completion of the flow, redirect to a Canvas app • Canvas can utilize a “Lifecycle Handler” ISV-defined Apex Class • Sends 3rd-party & Salesforce refresh tokens in one payload to the 3rd party 2-way Token Exchange Integration Patterns
  • 79. Challenge: Push data changes that happen in Salesforce to your 3rd party system • Do it cheap • Do it fast • Make it perform Solution: • Workflow Outbound Messages • Middleware hosted by 3rd Party or custom SOAP webservice built by 3rd party Data Push Integration Patterns
  • 80. Data Push Integration Patterns Pros: • Clicks not code • Built-in queueing/retry • Bulkified • Supported/upgraded by Salesforce • No limits • Admin configurable Cons: • Salesforce-provided WSDL, no REST • Limited data payloads • FIFO queue, no order/priority • Asynchronous • No authN tokens; security via trust and “callbacks”
  • 82. Challenge: Synchronize data to and/or from a 3rd party Solution: • Programmatic callouts via Apex to push and pull changes • @future, Queueable, Batch • Remote Site Setting (can now be packaged) • Custom Protected Hierarchy Settings for endpoints Common Pitfall: most ISVs also have a multi-tenant “pod” architecture. The referenced endpoint needs to be a proxy or router. 2-Way Data Sync Integration Patterns
  • 83. 2-Way Data Sync Integration Patterns Pros: • Can call out to any WSDL/REST • Can utilize any ordering/priority/retry logic • More complex data payloads • More complex integration scenarios Cons: • Higher maintenance burden • Asynchronous limits shared with the whole org • Requires programmatic skillset • Less configurable by end-users
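The 2-Way Data Sync solution on slide 82 (Apex callouts from an asynchronous job, the endpoint kept in a protected hierarchy custom setting, and the multi-tenant proxy pitfall), together with the token-storage step of the 2-way Token Exchange pattern on slide 76, as an added Apex example. This is not code from the deck, from CodeScience or from Salesforce. `AccountSyncJob`, `Sync_Settings__c`, its fields `Endpoint__c` and `Api_Token__c`, and the `/accounts` path are assumptions; `Account`, `Queueable`, `Database.AllowsCallouts` and the `Http` classes are standard platform features.

```apex
// Added example, not from the slide deck. Hypothetical names: Sync_Settings__c is a
// protected hierarchy custom setting shipped in the managed package with two text
// fields, Endpoint__c (the ISV's router/proxy URL, which also needs a packaged
// Remote Site Setting) and Api_Token__c (a per-org token issued during setup).
// Because the setting is protected, subscriber admins cannot read the token.
public with sharing class AccountSyncJob implements Queueable, Database.AllowsCallouts {

    public class SyncException extends Exception {}

    private static final Integer MAX_ATTEMPTS = 3;
    private final List<Id> accountIds;
    private final Integer attempt;

    public AccountSyncJob(List<Id> accountIds) {
        this(accountIds, 1);
    }

    private AccountSyncJob(List<Id> accountIds, Integer attempt) {
        this.accountIds = accountIds;
        this.attempt = attempt;
    }

    // Typical entry point from an after-insert/after-update Account trigger:
    //   System.enqueueJob(new AccountSyncJob(new List<Id>(Trigger.newMap.keySet())));
    public void execute(QueueableContext ctx) {
        Sync_Settings__c cfg = Sync_Settings__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.Endpoint__c) || String.isBlank(cfg.Api_Token__c)) {
            return; // the setup page has not run for this org yet; nothing to sync
        }

        // CRUD/FLS: the query below reads these fields on behalf of the running user,
        // and "with sharing" alone does not enforce object or field permissions.
        if (!Schema.sObjectType.Account.isAccessible()
            || !Schema.sObjectType.Account.fields.Name.isAccessible()
            || !Schema.sObjectType.Account.fields.Website.isAccessible()) {
            throw new System.NoAccessException();
        }

        // Bulkified: one query and one callout for the whole batch of Ids, which
        // matters because async and callout limits are shared across the org.
        List<Account> accounts = [SELECT Id, Name, Website FROM Account WHERE Id IN :accountIds];
        if (accounts.isEmpty()) {
            return;
        }

        // The endpoint is the ISV's router, not a specific tenant pod; the org Id header
        // lets the router pick the pod, which avoids hard-coding pod URLs in the package.
        HttpRequest req = new HttpRequest();
        req.setEndpoint(cfg.Endpoint__c + '/accounts');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setHeader('Authorization', 'Bearer ' + cfg.Api_Token__c);
        req.setHeader('X-Org-Id', UserInfo.getOrganizationId());
        req.setTimeout(30000);
        req.setBody(JSON.serialize(accounts));

        HttpResponse res = new Http().send(req);
        Integer status = res.getStatusCode();

        if (status >= 500 && attempt < MAX_ATTEMPTS) {
            // Transient server failure: chain one follow-up job (Apex allows a single
            // child Queueable per execution), capped so a dead endpoint cannot loop.
            System.enqueueJob(new AccountSyncJob(accountIds, attempt + 1));
        } else if (status >= 400) {
            // A 4xx (revoked token, rejected payload) will not succeed on retry; failing
            // the job makes it visible under Apex Jobs instead of silently dropping data.
            throw new SyncException('Sync rejected with HTTP ' + status);
        }
    }
}
```

The token never appears in the payload, in debug output or in the exception message, and the retry cap keeps a misconfigured endpoint from consuming the org's shared asynchronous limits, which is the con listed for this pattern on slide 83.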
  • 85. Security Review Nothing is more important to salesforce.com than the privacy of their customers’ data Horizontal attacks require testing all entry points in your solution The more that customers trust AppExchange applications, the more likely they are to install them Team of 10+ Security Experts to review all applications approved for the AppExchange
  • 86. Apex and Visualforce All code must be evaluated using Checkmarx Anything higher than an informational finding must be fixed CRUD/FLS often gets flagged JS, SOQL Injection
  • 87. CRUD and FLS CRUD: • Create • Read • Update • Delete FLS • Field Level Security Apex Code must test for these conditions ESAPI library: https://code.google.com/p/force-dot-com- esapi/wiki/GettingStarted
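The two Checkmarx findings called out on slides 86 and 87, CRUD/FLS and SOQL injection, as an added Apex example in both the flagged and the corrected form. This is not code from the deck, from CodeScience, from Salesforce or from the ESAPI library linked above; the class `ContactSearchExample` and its method names are hypothetical, while `Contact` and its fields are standard Salesforce objects and fields.

```apex
// Added example, not from the slide deck. Class and method names are hypothetical;
// Contact and its fields are standard Salesforce objects and fields.
public with sharing class ContactSearchExample {

    // FLAGGED (SOQL injection): caller input is concatenated into the query string,
    // so a quote character in the input changes the query instead of the data.
    public static List<Contact> searchUnsafe(String lastNameFragment) {
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE LastName LIKE \'%'
                      + lastNameFragment + '%\'';
        return Database.query(soql);
    }

    // FIXED: a bind variable keeps the input as data. Static SOQL with a bind is the
    // preferred fix; when the query genuinely has to be dynamic, apply
    // String.escapeSingleQuotes() to every user-supplied value before concatenating.
    public static List<Contact> searchSafe(String lastNameFragment) {
        String pattern = '%' + lastNameFragment + '%';
        return [SELECT Id, Name, Email FROM Contact WHERE LastName LIKE :pattern];
    }

    // Dynamic SOQL done correctly, for the case where the WHERE clause is built at
    // run time: the value is escaped and the field name is validated against the
    // describe result rather than trusted.
    public static List<Contact> searchDynamic(String fieldName, String value) {
        Map<String, Schema.SObjectField> fields = Schema.sObjectType.Contact.fields.getMap();
        if (!fields.containsKey(fieldName)) {
            throw new IllegalArgumentException('Unknown Contact field');
        }
        String safeValue = String.escapeSingleQuotes(value);
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE '
                      + fieldName + ' = \'' + safeValue + '\'';
        return Database.query(soql);
    }

    // FLAGGED (CRUD/FLS): "with sharing" enforces record-level sharing only. SOQL and
    // DML do not check object permissions or field-level security, so a user with no
    // access to Contact.Email could still read it through searchSafe() above.
    // FIXED: check object-level (CRUD) and field-level (FLS) read access first.
    public static List<Contact> searchWithAccessChecks(String lastNameFragment) {
        if (!Schema.sObjectType.Contact.isAccessible()
            || !Schema.sObjectType.Contact.fields.Name.isAccessible()
            || !Schema.sObjectType.Contact.fields.Email.isAccessible()
            || !Schema.sObjectType.Contact.fields.LastName.isAccessible()) {
            throw new System.NoAccessException();
        }
        return searchSafe(lastNameFragment);
    }

    // FIXED (write path): before DML, confirm the running user may create the object
    // and each field the code sets. The same applies to isUpdateable()/isDeletable().
    public static Contact createContact(String firstName, String lastName, String email) {
        if (!Schema.sObjectType.Contact.isCreateable()
            || !Schema.sObjectType.Contact.fields.FirstName.isCreateable()
            || !Schema.sObjectType.Contact.fields.LastName.isCreateable()
            || !Schema.sObjectType.Contact.fields.Email.isCreateable()) {
            throw new System.NoAccessException();
        }
        Contact c = new Contact(FirstName = firstName, LastName = lastName, Email = email);
        insert c;
        return c;
    }
}
```

The describe-based checks are what the ESAPI library on slide 87 wraps; on current API versions, `Security.stripInaccessible()` can replace the per-field read checks by removing fields the user cannot see from the query result instead of throwing.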
  • 88. External Web Application This is generally our largest risk factor for AppExchange products • We test early and often • It can take longer for the ISV to fix these issues due to existing development priorities All web applications must be scanned using BURP or ZAP • Includes website (authenticated and unauthenticated) • APIs • Web services • Any third-party services as well • All vulnerabilities marked as non-informational must be addressed
  • 89. What to BURP Scan API Endpoints Web Application (Authenticated/Unauthenticated) Website (if sharing the same infrastructure) Canvas Apps OAuth / Auth process Web Service calls Client-side JS libraries (Google Maps, etc.) DO NOT FORGET TO Scan authentication/login pages Scan API endpoints after authenticating, otherwise their code is not exercised!
  • 90. Top Ten for Web Applications 1. Injection: SQL, OS, LDAP 2. Cross Site Scripting (XSS): improper validation and escaping allows attacker to execute scripts in browser to hijack user sessions or redirect to malicious sites 3. Broken Authentication/User Management: attackers can compromise passwords, keys, and session tokens to assume users’ identities • Username Enumeration is included in this pattern • Password reset always tested • DON’T STORE PASSWORDS IN PLAIN TEXT! 4. Insecure Direct Object Reference: exposing internal configuration and not securing it properly 5. Cross Site Request Forgery (XSRF): Sites that rely upon identity can be spoofed
  • 91. Top Ten for Web Applications 6. Security Misconfiguration: the default security settings for most web software are more open than secure. Modify the defaults to lock down to only the functionality that is required 7. Insecure Cryptographic Storage: proper hashing/encryption for sensitive data (SSN, credit cards, OAuth tokens, passwords, etc.) 8. Failure to Restrict URL Access: all pages behind authentication must enforce access control 9. Insufficient Transport Layer Protection: often due to expired/invalid certificates, improper configuration, or weak algorithms. See the Heartbleed bug! 10. Unvalidated Redirects and Forwards: attackers can redirect users to phishing and malware sites
  • 92. Mobile/Desktop Application Guidance Store OAuth tokens in the keychain • All OSes provide a keychain for storing tokens • Do not provide your own security model/storage Set your device to proxy its internet connection through BURP running on the desktop Capture API calls to external applications Spider/actively scan all endpoints via BURP
  • 93. Security Review Org, Part I A test org with your managed package installed and fully configured is required • Do not submit a PDE. This must be a test org for your target customer – generally an EE test org • Spin up new test orgs via your Environment Hub Create users for each of the profiles you are exposing Documentation on how the application works • Can be a Word/PDF document • Can also be a screencast Note that the SR team reviews hundreds of applications: make it as easy as possible for them to test your application! We are all on the same team
  • 94. Security Review Org, Part II If there are external integrations, users on the external system must be included If there is a desktop or mobile application, the application + users for the application must be included On-premise solutions (PBX, ACD, databases, etc.) need to have a full, working environment for the Security Review team • They will not use a VM for the testing • Must configure it yourself and make it available via VPN connection If your web application shares infrastructure with your public website, that will be included in the test as well
  • 95. Submission Process Seven-page wizard to submit your application Upload security certifications/policies that your organization may have You must include the Checkmarx report If you have any callouts or integrations, you must submit a BURP report • HTML output If you have exceptions to the reports, you must submit them via the wizard as well • In our experience, exceptions are few and far between Credentials for your test org must be included For paid applications, credit card payment in the last step Must complete the ISV agreement prior to Security Review Prescreening takes place prior to entering the Security Review queue