How to Publish Your App Aarti Kumar & Shay Casey AppExchange Partner Enablement Part 1 – Becoming certified Part 2 – Building your listing

How to Publish Your App

Aarti Kumar & Shay Casey, AppExchange Partner Enablement

Part 1 – Becoming certified

Part 2 – Building your listing

4 Steps to AppExchange Success

Plan Build Publish Go-To-Market

http://www.appexchange.com/abc

Becoming certified

What is AppExchange Certification?

Application Types

Security Review Process

Testing Details

What is AppExchange Certification?

To list your commercial application on the AppExchange, we must certify that your application meets our requirements and best practices around security. This helps:

Customers: have trust in third-party solutions that work with salesforce.com

Partners: be successful in selling solutions that span multiple systems to salesforce.com customers

salesforce.com: build a trustworthy AppExchange ecosystem

AppExchange Certification – What, When, Who?

A review of:
• Qualitative Security: Policies and practices review
• Quantitative Security: Penetration testing

When is certification required?
• From March 15th, 2007 security certification is required for all new commercial applications
• Existing commercial applications that were not previously security certified must do so within this year

Who should be involved?
• Technical resources – architect, developer, IT resource, operations resource, information security resource etc

Becoming certified

What is AppExchange Certification?

Application Types

Security Review Process

Testing Details

Application Elements

A given AppExchange application can have multiple components, each of which has its own certification requirements:

Native: No code, no external systems

AJAX: AJAX S-control code only. Excludes S-controls that communicate with external systems

Software: On premise desktop or server software. Includes browser plugins delivered as S-controls

On Demand (Other Host): External service, unmanaged host

On Demand (Cert Host): External service, managed host (Opsource, Rackspace). Approved hosting providers using pre-certified configurations

Runs entirely on Apex Platform; Certification not applicable

Depends on services or software outside of Apex; Certification available

Security Review Matrix

[Matrix; cell contents not preserved]

Application types: Software; On Demand (Certified Host); On Demand

Review areas: Network; Host; App; Ops

Legend: Questionnaire; System Tests

Becoming certified

What is AppExchange Certification?

Application Types

Security Review Process

Testing Details

Certification/Re-certification Process

1. Prepare  2. Test  3. Pass

• Execute agreement and PO for $5K
• Complete pre-qualification questionnaire
• Attend Certification consultation (optional)
• Determine relevant questionnaire and tests for your app: Software, On Demand (Cert Host), On Demand
• Execute dry run tests
• Attend interview
• Organize resources / teams for appropriate tests: Network vs App, etc
• Conduct testing with salesforce.com Certification Contact. Some tests may be done by a third party
• Receive Certification badge on listing
• Receive Client ID for deploying to Professional Edition users

Certification Process

Pass

All Qualitative question areas

• No Medium or High warnings

All Quantitative tests

• No Medium or High warnings

Fail

Repeat specific area of assessment (at additional cost)

Or repeat entire assessment if remediation has broad impact

Sample Report

Finding 1: Shared Encryption Key Stored In Compiled Application

Risk: The key used to decrypt the Salesforce.com password is compiled into the application. In addition, the same encryption key is used for all customer installations.

Ease of Exploit: Sophisticated. An attacker would need to gain access to the target application servlet in order to decompile the servlet and compromise the encryption key. Note that existing clients could access their servlet to compromise the encryption key, but would need to gain access to another client’s application servlet to compromise that client’s Salesforce.com credentials.

Business Impact: High. It is possible that Salesforce.com authentication credentials could be compromised.

Recommendation: The encryption key used to decrypt Salesforce.com authentication credentials should be stored in a Java KeyStore (JKS). A JKS would provide defense-in-depth in case the application servlet is compromised. In addition, different encryption keys should be used for each customer installation.

Finding 2: Outdated Apache Version

Risk: The web server appears to be running a version of Apache that is not up to date.

Ease of Exploit: Trivial. There is at least one publicly available proof of concept. Please refer to: http://seclists.org/fulldisclosure/2004/Nov/0022.html (CVE-2004-0942)

Business Impact: High. A remote attacker may be able to cause a Denial of Service to the server. Apache version: 2.0.52. The tested configuration was not compromised during testing. The server should be upgraded to ensure that future configurations are not vulnerable.

Recommendation: Upgrade to the latest version of Apache available from the Apache Foundation.
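The first finding's recommendation (a keystore-held key that differs for each customer installation), as an added example that is not part of the original deck. It assumes a JCEKS-type keystore, because the plain JKS store type holds only private keys and certificates, not symmetric keys; the class name, alias, passwords and credential are constructed for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;

public class PerInstallKeyDemo {
    static final String ALIAS = "sfdc-credential-key"; // hypothetical alias

    // Run once per installation: a fresh random AES key, saved in that installation's keystore.
    static byte[] provision(char[] pass) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        KeyStore ks = KeyStore.getInstance("JCEKS"); // plain "JKS" cannot hold secret keys
        ks.load(null, null);
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(kg.generateKey()),
                    new KeyStore.PasswordProtection(pass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pass);
        return out.toByteArray(); // in practice a file kept outside the deployed archive
    }
    static SecretKey load(byte[] store, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(store), pass);
        return (SecretKey) ks.getKey(ALIAS, pass);
    }
    // AES-GCM; the returned blob is a 12-byte IV followed by ciphertext and tag.
    static byte[] encrypt(SecretKey k, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    static byte[] decrypt(SecretKey k, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample values; real keystore passwords come from the operator or environment.
        char[] passA = "customer-A-pass".toCharArray(), passB = "customer-B-pass".toCharArray();
        byte[] storeA = provision(passA), storeB = provision(passB);
        byte[] blob = encrypt(load(storeA, passA), "sample-password".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(load(storeA, passA), blob), StandardCharsets.UTF_8));
        try {
            decrypt(load(storeB, passB), blob); // another installation's key must not work
        } catch (AEADBadTagException e) {
            System.out.println("customer B key cannot decrypt customer A credential");
        }
    }
}
```

The keystore password has to be supplied from outside the compiled application as well; compiling it in recreates the original finding one level down.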

Becoming certified

What is AppExchange Certification?

Application Types

Security Review Process

Testing Details

Test Detail: Network

Questionnaire
• Firewall, IDS and NAT configuration
• Network access policies & procedures
• Log monitoring

System Test
• Must pass Nessus with no medium or high warnings
• Test for open ports, known vulnerabilities, SSL config, etc
• Conduct dry run test with Nessus or Qualys

Test Detail: Host

Questionnaire
• Host configuration
• Access & password policies
• Patching & maintenance policies
• Physical Security

System Test
• None

Test Detail: App

Questionnaire
• Software development processes
• Common vulnerabilities (buffer overflow, cross site scripting, SQL injection, etc)
• App user & password management
• Salesforce user & password management

System Test
• Application Penetration Testing tools
• Authentication mechanism (i.e. password length)
• Injection attacks (XSS, SQL)

Test Detail: Operations

Questionnaire
• HR (employee security policies & security training)
• Business Continuity
• Incident Response
• Procedure documentation & change management

System Test
• None

Building your listing

Get to know the AppExchange Listing

Select the Setup for your Application listing

Build Your Application Listing

Frequently Asked Questions

Get to know the AppExchange Listing

[Screenshot of a listing; callouts: Title, Abstract, TD/GIN, Thumbnail, Additional Resources, Logo]

Building your listing: Agenda

Get to know the AppExchange Listing

Select the Setup for your Application listing

Build Your Application Listing

Frequently Asked Questions

Select the Setup for your Application

Demonstrate your application using: [button images not preserved]

Distribute your application through: [button images not preserved]

Demonstrate your Application through:

Fully functional read only version of the application

Allow customers to “kick the tires”

Present data in a dynamic working environment

Appropriate for all Native applications and some Composite applications

Demonstrate your Application through:

For applications that are too complicated to demonstrate through a Test Drive

Demonstrates the functionality of the application

Walkthrough of the application: “A day in the life”

Appropriate for some Composite applications and all Client applications

Demo: Suggested Format

1. Overview – Quick introduction to the demo and a discussion of the value proposition.

2. Step by Step – Show everyday use of the application

Outline the functionality a user will see: show it in action!

How does your application interact with Salesforce.com: do you create data in a custom object? Do you import leads? What are the steps that make this happen?

3. Additional info and conclusion

Additional Considerations in Building a

Market your demo toward Salesforce.com users

Stay away from marketing your company

Screenshots are a must!

Remember: you only have 60 seconds to grab a customer’s attention.

Select the Setup for your Application

Demonstrate your application using: [button images not preserved]

Distribute your application through: [button images not preserved]

Distribute your Application Through:

Deploy your custom salesforce.com application at the click of a button

Automatically install various elements ranging from Custom Tabs to Pre-Made dashboards

Appropriate for all Native and Composite applications

Distribute your Application Through:

For applications where an immediate installation is not available:

Hardware Appliances

Integration services

Applications that require contact with direct sales or consulting services

The Learn More landing page provides:

Additional information about the application

Sales contact information

Marketing directed towards a salesforce.com customer

The “Get It Now” should be packaged and left private

Distribute your Application Through:

For applications that install directly to the user's desktop or external services that do not use the salesforce.com interface

Links to a landing page with more information about the download (not just a direct link to the file)

How do I enable these buttons?

By default only Get It Now and Test Drive are available for your listing

Other buttons (Demo, Learn More, Download) need to be enabled by salesforce.com

Email [email protected] for an evaluation of your application

Building your listing: Agenda

Get to know the AppExchange Listing

Select the Setup for your Application listing

Build Your Application Listing – Tips and Tricks!

Frequently Asked Questions

Use the Listing Form as a Guide

Use the form when writing your copy for the listing.

Log into www.appexchange.com and click on edit for your listing

You can now see the text limitations for each item

Title and Logo

Title: the name of your product; should not include “for AppExchange”

Logo: Your 60x60 record cover

Thumbnail and Screenshot

Two separate files

Thumbnail is 160x115

Datasheet and Customization Guide

Datasheet: Two page summary of key information

Customization Guide: For applications that require additional setup or customization to function
• Step by Step walkthrough for System Admins
• Adding page layouts for standard salesforce.com objects and tabs
• Any steps that are needed to activate the application

Presentation

Excellent supplement to a Test Drive

Give the business value of your application

Use any format

Building your listing: Agenda

Get to know the AppExchange Listing

Select the Setup for your Application listing

Build Your Application Listing

Frequently Asked Questions

FAQ: I don’t have a listing!

Log into the publisher area of https://www.salesforce.com/appexchange/publishing.jsp

Native/Composite application: After you package and register your first version you will see your listing in the manage my apps area.

Client Application: you will need to request a listing from support
• Log in to the publisher area of www.appexchange.com
• Click Manage My Publisher Profile and create a profile
• Click “Request Assistance” and log a case for a new listing

FAQ: My publisher tab is blank!

Your publisher profile needs to match the username associated with the profile you created. It will always be in the format of an email address, e.g. [email protected]

Tip: When in doubt, after clicking Assign Publisher Profile just click My Publisher Profile

FAQ: My Publisher Tab is Blank!

Questions?

Send email to [email protected]

Click on request assistance under Manage My Apps

Thanks!