Tips and Tricks to Pass the Salesforce Security Review Process
Manishi Singh, Ryan Flood

Ryan Flood (rflood@salesforce.com), Senior Director, ISV Technical Enablement
Manishi Singh (msingh@salesforce.com), Senior Product Security Engineer
Forward-Looking Statements

Statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

The risks and uncertainties referred to above include, but are not limited to, risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Website.

Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make their purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Agenda
• Security Review - importance, resources, roles
• Building security into your app
• Development phases
• Tools & resources
• After Security Review
Why is Security Important
Trust is our #1 value. Salesforce is a cloud computing company, and customer trust is integral to our success:
• They have to trust us with their data
• That’s our job
• Secure our products and marketplace
• Reinforce and maintain the trust that customers put in our platform
8 industry-leading apps, 1 platform
AppExchange is a Trusted Ecosystem
• Both Salesforce and partners are critical parts of that trust
• We provide documentation, tools, and guidance to maintain a secure offering
• Your secure offering will help you better sell to and serve our mutual customers
• Enterprise customers expect security built in
• Maintaining a secure lifecycle ensures you always maintain customer trust
Trust is our #1 value
How we secure the ecosystem: Layers of Protection
Platform
• Built-in protection for XSS, CSRF, scoped access control, separate domains
• Auth, session handling, filtering, TLS, infrastructure, patching, auditing & logging
Process
• Security Review: initial review, re-reviews, spot checks
Content
• Secure cloud development
• Outreach to partners
• Trailhead modules
Tools
• Code scanner
• Chimera web scanner
• Monitoring
Partners
• Partners maintain security consistent with best practices
Who is Who in the SR process
ISV Partner Team
• ISV Partner Account Manager (PAM) - your primary point of contact
• ISV Technical Evangelist (TE) - helps partners prepare for SR
• Security Review Operations (SR Ops) - reviews submissions; responsible for notifications to partners
Product Security Team
• Product Security Engineer - provides guidance, reviews/tests applications
Other
• Product Development Outsourcers (PDOs) - can assist with SR success
The Security Review Process

The Security Review Process: overview by phase
• Design: review Trailhead modules; review best practices documentation; attend Office Hours
• Develop: continuous integration tools for ongoing security scanning
• Testing: run the Force.com Scanner; run the Chimera/ZAP Scanner
• Release: submit for Manual Security Review
The Security Review Process: Design
• Review Trailhead modules
• Review best practices documentation
• Attend Office Hours

Design: Training
Comprehensive, hands-on Trailhead modules for learning secure coding on the platform. Go to sfdc.co/devsecuritytrail

Design: Documentation
App Cloud Security Dev Center, the landing page for all things AppExchange Security. Go to sfdc.co/securitydevcenter

Design: Office hours
• Submission Process Office Hours - https://sfdc.co/submissionofficehours - submission process questions
• Security Review Technical Office Hours - https://sfdc.co/securityofficehours - technical security questions
Available in both US and EU time zones.
The Security Review Process: Develop
• Continuous integration tools for ongoing security scanning

Develop: PMD – Source Code Analyzer
Now supporting rulesets for Apex and Visualforce in PMD.
Available integrations: Maven PMD Plugin, Gradle PMD Plugin, Eclipse Plugin, NetBeans Plugin, JBuilder Plugin, JDeveloper Plugin, IntelliJ IDEA Plugin
Upcoming: Sublime Plugin, Atom Plugin, Force.com IDE Integration

Develop: PMD + Providence
Providence is a commit-time analysis tool to find security anti-patterns in your code: https://github.com/salesforce/Providence
Integrated with the PMD scanner to find Apex and Visualforce issues.

Develop: Continuous Integration with Checkmarx
Checkmarx is a source scanner with support for Salesforce technologies.
Detailed information for a better handoff to Checkmarx: https://lp.checkmarx.com/salesforce/
Salesforce presets available for free: https://sfdc.co/cxpresets
The Security Review Process: Testing
• Run the Force.com Scanner
• Run the Chimera/ZAP Scanner

Testing: Native code
Force.com Source Scanner
• Static analysis tool to find common security issues in your native code
• Looks for common issues in Apex, Visualforce and Lightning such as XSS, CSRF, CRUD/FLS, etc.
• Manual code review for adherence to the Secure Coding Guidelines
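As an added example (not from the deck or from the scanner's own documentation), the CRUD/FLS pattern the Force.com Source Scanner reports in Apex, beside a hardened form that uses the platform's describe checks and Security.stripInaccessible. The class, method and exception names are hypothetical; the standard Contact object and its Email field are assumed.

```apex
// Hypothetical service class, added for illustration. "with sharing" enforces
// record-level sharing only; it does NOT enforce object (CRUD) or field (FLS)
// permissions, which is why the scanner still flags the unchecked methods.
public with sharing class ContactEmailService {

    public class InsufficientAccessException extends Exception {}

    // BEFORE (scanner finding: CRUD/FLS violation). A running user whose
    // profile denies read access to Contact.Email still receives the value.
    public static List<Contact> findByAccountUnchecked(Id accountId) {
        return [SELECT Id, Email FROM Contact WHERE AccountId = :accountId];
    }

    // BEFORE (scanner finding: CRUD/FLS violation). Writes Contact.Email without
    // checking that the user may update the object or the field.
    public static void updateEmailUnchecked(Id contactId, String newEmail) {
        update new Contact(Id = contactId, Email = newEmail);
    }

    // AFTER: object-level (CRUD) and field-level (FLS) read checks before SOQL.
    public static List<Contact> findByAccount(Id accountId) {
        if (!Schema.sObjectType.Contact.isAccessible()
            || !Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            throw new InsufficientAccessException('No read access to Contact.Email');
        }
        return [SELECT Id, Email FROM Contact WHERE AccountId = :accountId];
    }

    // AFTER: object-level and field-level update checks before DML.
    public static void updateEmail(Id contactId, String newEmail) {
        if (!Schema.sObjectType.Contact.isUpdateable()
            || !Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new InsufficientAccessException('No update access to Contact.Email');
        }
        update new Contact(Id = contactId, Email = newEmail);
    }

    // Alternative for reads: strip the fields the running user cannot see
    // instead of failing the whole call. Fields removed by the decision are
    // simply absent from the returned records.
    public static List<Contact> findByAccountStripped(Id accountId) {
        List<Contact> rows = [SELECT Id, Email FROM Contact WHERE AccountId = :accountId];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Contact>) decision.getRecords();
    }
}
```

The unchecked methods are the shape a false-positive report cannot excuse: the fix is the describe check (or the strip) in the hardened methods, not documentation.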
Testing: Composite apps
ZAP Scanner - sfdc.co/zapsetup
• Automated web app scanner to find common web vulnerabilities
Chimera Scanner - sfdc.co/ChimeraScanner
• Fire-and-forget web application scanner that uses ZAP as its engine
Manual Testing
• Scanners are limited in what they can find

Testing: Source scanner portal
Centralized portal to help you track and manage Force.com security scans: https://sfdc.co/scan
• Schedule scans, download scan reports
• Search all scans for your org
• Manage scan credits for your org
The Security Review Process: Release
• Submit for Manual Security Review

Release
Trailhead module to prepare for security review: go to sfdc.co/SecurityReviewPrep

Release: Office hours
• Submission Process Office Hours - https://sfdc.co/submissionofficehours - submission process questions
• Security Review Technical Office Hours - https://sfdc.co/securityofficehours - technical security questions
Available in both US and EU time zones.
Submit for Security Review: requirements by app type

Requirement | Native | Native + Lightning Components | Composite Web App/Service Client | Composite Mobile/Client | API Only
Force.com environment | Yes | Yes (with components configured for testing) | Yes | Yes | Yes
External components / credentials | - | - | Yes (e.g. URLs, credentials) | Yes (e.g. link to APK) | Yes (e.g. URLs, credentials)
Managed package | Yes | Yes | Yes | - | -
Force.com code scanner report | Yes | Yes | Yes | - | -
ZAP/Burp/Chimera report | - | - | Yes | Yes (ZAP/Burp) | Yes
False positive report | If required | If required | If required | If required | If required
Documentation | Recommended | Recommended | Recommended | Recommended | Recommended
Common causes of delay: problems with submission
• Invalid or expired environment credentials
• Missing web scans for endpoints in scope
• Incorrect package version installed
• Missing false positive documents
Interpreting results

Sorry! Your App Failed - Don’t Panic
• Product Security Office Hours
• The report is focused on breadth, not depth; the test is time-boxed*
• Conduct a comprehensive review and make the required fixes
• Re-run reports (Checkmarx, ZAP/Burp/Chimera)
• Ensure the test environment has the latest package version
• Schedule a follow-up Security Review
*We can’t include every instance of a vulnerability/issue in the report

Congratulations! Your App Passed - Next Steps
• Get to work on Trialforce/Templates (if applicable); TSO/Templates require a Security Review as well
• Complete your AppExchange listing
• Market/Sell/Succeed!
Security @ Dreamforce
Salesforce Security Booth & Developer Sessions: find the “Salesforce Security” booth in Developer Forest.

Security Sessions @ Dreamforce
Monday, November 6
• 10:15 a.m. | Creating LockerService Ready Lightning Components With Webpack (Moscone West, Developer Theater)
• 1:30 p.m. | Common Web Security Vulnerabilities and their Fixes (Moscone West, Frontier Theater)
• 2:00 p.m. | Avoiding Common Security Mistakes (Moscone West, Frontier Theater)
Tuesday, November 7
• 9:15 a.m. | Secure Apps Using the Salesforce Mobile SDK (Moscone West, Canyon Theater)
• 1:00 p.m. | Securing Heroku Apps (Moscone West, Frontier Theater)
Wednesday, November 8
• 9:00 a.m. | Tips and Tricks to Pass the Salesforce Security Review Process (Park Central Hotel, Olympic)
• 1:00 p.m. | Security Best Practices for Building Lightning Components (Park Central Hotel, Olympic)
Thursday, November 9
• 10:30 a.m. | Scaling Security at your Company (Moscone West, Frontier Theater)
• 11:00 a.m. | Data Access for Apex, Visualforce, and Lightning (Moscone West, Frontier Theater)
• 11:30 a.m. | Lightning Security Within Components (Moscone West, Frontier Theater)
• 12:00 p.m. | Lightning Security Across Components (Moscone West, Frontier Theater)
• 12:30 p.m. | Getting The Most Out of Security Scans