Insider's Guide to the AppExchange Security Review
Sarah T. Whitlock, Senior Director, Partner Operations
Jon Cline, VP, Business Development
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Safe Harbor
Pop Quiz
Why do we require security reviews of ISV apps?
Legal said we have to
Other vendors require it
We make money on it
It accelerates time to market
Vote
“Nothing is more important to our company than the privacy of our customers’ data”
Parker Harris Co-Founder and EVP Technology
“Estimate: cybercrime costs companies in the US 100 billion dollars per year”
Center for Strategic and International Studies
You must pass Security Review before you can sell your app
• Standards Based
• Adversary Focused
• Enterprise Level
→ Mandatory for all ISV apps
50% of all apps fail the first time through Security Review. How do you increase your odds for success?
Tip #1: Security Review is a benefit, not a punishment. We want you to succeed.
Security Review helps you sell to the enterprise
Make security an on-going part of your development process
Become a member of a trusted ecosystem of app vendors
Meet the security expectations of enterprise customers
Tip #2: Have a STRATEGY.
Too often partners think of security as a test to pass at the end. Hope is not a strategy.
Think about security from the start.
Threat Modeling Process: a design-time exercise
Analyze your solution’s data flow
Locate security vulnerabilities
Identify ways to exploit
→ Identify issues before code is written
Threat modeling steps:
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the Application
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
Incorporate security into your development lifecycle
Basic approach: Identify potential product vulnerability points at design time
Put defenses in place to cover all possible input paths
Institute coding standards to control risk from the start
→ It’s much harder to find and fix problems once you’ve committed to code
Lifecycle phases: Education → Design → Develop → Test → Release
Tip #3: Take the time to educate your team.
The Partner Community is your launch pad
We have lots of resources to help you succeed: p.force.com/Security
Including Trust Academy for hands-on learning: trustacademy.salesforce.com
Use your Partner Community credentials to get access.
3 courses available now:
1. Force.com Security Essentials
2. Security Auditing Tools
3. AppExchange Security Review
p.force.com/Security for more info
And, experts (PDOs) to help you through the process
Product Development Outsourcers (PDOs)
PDOs are:
• Specialists in developing apps for the AppExchange
• Experts in ISV technologies like managed packages, push upgrades, publishing, etc.
• Experienced with the security review process
Key benefits:
• AppExchange apps developed by PDOs are higher quality and scale better
• PDO-developed apps clear security review quickly and in fewer attempts (often 1)
Tip #4: Make sure you understand what we’re testing.
OWASP Top 10 is our guide:
1. Injection (SQLi, SOQL, XML, OS etc.)
2. Broken Authentication and Session Management
3. Cross Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross Site Request Forgery (CSRF)
9. Using Known Vulnerable Components (libraries, frameworks, software)
10. Unvalidated Redirects and Forwards
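An added example, not from the slides, of what item 1 looks like in Apex and why a Checkmarx scan of Apex/Visualforce flags it: a dynamic SOQL query built by string concatenation, beside the two hardened forms the scanner accepts. The class, method and field names are hypothetical.

```apex
// Added illustration (not Salesforce's own code). Class and methods are hypothetical.
public with sharing class ContactSearch {

    // VULNERABLE: user-controlled text is concatenated into dynamic SOQL.
    // A single quote in lastName ends the string literal and everything after it
    // is parsed as query syntax, so the caller can rewrite the WHERE clause.
    public static List<Contact> findUnsafe(String lastName) {
        String q = 'SELECT Id, Name FROM Contact WHERE LastName = \'' + lastName + '\'';
        return Database.query(q);
    }

    // FIXED (preferred): static SOQL with a bind variable. The value is passed
    // to the query engine as data and is never parsed as SOQL; "with sharing"
    // on the class keeps record-level access control in force.
    public static List<Contact> findStatic(String lastName) {
        return [SELECT Id, Name FROM Contact WHERE LastName = :lastName];
    }

    // FIXED (when the query must be dynamic): escape single quotes before
    // concatenating and keep the value inside quotes in the query string.
    public static List<Contact> findDynamic(String lastName) {
        String safe = String.escapeSingleQuotes(lastName);
        String q = 'SELECT Id, Name FROM Contact WHERE LastName = \'' + safe + '\'';
        return Database.query(q);
    }
}
```

The same pattern applies to any field that reaches a SOQL, SOSL or database call from a Visualforce page parameter or a web service request.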
We look at your end-to-end solution:
• Client side components (Flash, JavaScript); integrations and web services; automated code scan; manual code review and black box testing
• Client side components (Flash, JavaScript); integrations and web services; automated testing and manual black box testing; architecture review and web server testing
• Client and mobile applications; integrations and web services; manual hands-on testing of the application; architecture review and web server testing
Your app will come in one of the following patterns.
Either it is built 100% on force.com; this is what we call a native app:
• Custom Objects
• Users
• Accounts & Contacts
• Reporting, Workflow
Or, it includes technology NOT on our platform; we call this a composite app:
• Off-platform components: Processing, Users, Data Storage, UI
• On-platform components: Custom Objects, Users, Accounts & Contacts, Reporting, Workflow
• Connected through Open APIs (Custom/REST/SOAP API)
Tip #5: In both cases, the scope of the security review is the same.
It’s everything inside the red box, for both Native and Composite apps.
When you’re ready to submit, log into the Publishing Console.
Start (or Edit) Review to launch the Security Review Wizard
Wizard sections: Scope, Credentials, Reports
Make sure we have everything we need to test your app
Complete end-to-end testing environment for all elements of your solution
Correct credentials to all systems
Test account, Web App, other
CodeScanner (Checkmarx) report
ZAP or BURP report
False positive documentation
Tip #6: Rule of thumb - provide everything a net new customer will require to use your product.
Provide clean scans from testing tools
Force.com Code Scanner:
• Static code analysis
• All Apex/Visualforce code must be scanned with Checkmarx
• Issues other than “Code Quality” must be addressed
Web App Scanner:
• Set of tools for assessing web application security
• Any web application and/or web service component must be scanned
• Issues of “Low” severity and above must be addressed
Tip #7: Security testing tools are a great help. But, they are no substitute for making security a part of your software development lifecycle.
If you fail, we send you a report of findings
The report of findings is representative of issues found during a point-in-time test
We test breadth not depth
All tests are time bound
We are not experts on your code; we can’t find everything
The report is not a comprehensive list of all vulnerabilities.
Make sure you interpret the failure report correctly.
Tip #8: Use our report as a guide. Search your entire codebase for issues like the ones we found. Update your process to prevent future defects.
When you pass, we send you an email to let you know
You can list your application on the AppExchange
New versions will “auto-pass” when you click “Start Review” and fully submit
Tip #9: All apps are subject to periodic review at any time.
So, don’t forget to practice your strategy.
Basic approach: Identify potential product vulnerability points at design time
Put defenses in place to cover all possible input paths
Institute coding standards to control risk from the start
→ It’s much harder to find and fix problems once you’ve committed to code
Lifecycle phases: Education → Design → Develop → Test → Release
Tip #10: We want you to succeed. We're here to help. Don't be afraid to ask!
Have a strategy
Give yourself time to prepare
Take advantage of our resources
Understand the scope of security review
Understand scanning tools, their use, and their limitations
Remember: We’re here to help. Don’t be afraid to ask!
Key takeaways
Be sure to enroll in Trust Academy: trustacademy.salesforce.com
Use your Partner Community credentials to get access.
Secure Salesforce at Dreamforce 2015
10 DevZone Talks and 2 Lightning Zone Talks covering all aspects of Security on the Salesforce Platform
Check out the schedule and details at http://bit.ly/DF15Sec
Visit the Security booth in the DevZone with any security questions
Admin-related security questions?
Join us for coffee in the Admin Zone Security Café
Share Your Feedback, and Win a GoPro!
1. Enroll in a session
2. Tap the bell to take a survey
3. Earn a GoPro prize entry for each completed survey
Partner Community Your one-stop shop for education and engagement
http://partners.salesforce.com/
• Partner Program Details
• Communications
• Training
• Leads, Opportunities, & Projects
• AppExchange Publishing
• Webinars & Recordings
• Office Hours
• Sales & Marketing Resources
• Technical Support
Looking for the Partner Session Replays and Slides? See the Partner Community Calendar – September 15-18, 2015
http://p.force.com/calendar
New ISV Module on Trailhead Earn your badge!
https://trailhead.salesforce.com/module/isvforce_basics
Get into the Zone: The Partner Zone!
• Partner Community Theater
• Live feeds of the major Keynotes
• Free lunch served daily!
• Concierge
• Tech Expert Bar
• Partner Program Staff
• Charging stations
• Featured Partner Services
• Coffee Bar
• Prize Giveaways
Daily partner networking events, 3:00pm - 5:00pm:
• Tuesday, Sept 15 – Luau Theme
• Wednesday, Sept 16 – Global Theme
• Thursday, Sept 17 – Fiesta Theme
Celebrate Success at the AppBash: “I left my Cloud in San Francisco”
When: Wednesday, September 16
Where: City View at the Metreon
Who: Partners and Customers
Access: Full Conference or Booth Pass plus ID required
Time: 7:00pm – partners & alliances employees
9:00pm – customers and employees welcome
Thank you