New Customers Around Every Corner
The Importance of a Dreamforce AppExchange Launch
Hana Mandapat
Director of Marketing, AppExchange Partner Program
Forward Looking Statement
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Salesforce AppExchange Advantage
With the #1 Ecosystem
● Access to Customers: 150K+ Salesforce customers; 100+ countries, SMB to Enterprise
● Access to Ecosystem: 3K+ AppExchange apps; resources, events, partnerships, brand
● Access to Technology: platform, workflows, APIs
● More Secure Apps: 1 trusted platform
Bob Marsh, CEO
● Launched sales performance app at Dreamforce 2012
● Cohesive experience across booth, meeting room and marketing collateral
● Consistent ROI from Dreamforce investment; 6-week payback in 2015
Geoji George, SVP, Strategy & Alliances
● Launched “Order to Cash” work management solution at Dreamforce 2016
● Increased quality leads to drive new deal pipeline throughout the year
● Developed connections with other partners and Salesforce at the event
Manishi Singh
Senior Director, AppExchange Technical Evangelism, Salesforce
“Nothing is more important to our company than the privacy of our customers’ data”
Parker Harris, Co-Founder and CTO
Security Review is a benefit!
● Meet the security expectations of enterprise customers
● Become a member of a trusted ecosystem of app vendors
● Make security a primary concern of your business
● It helps you sell to enterprise companies
Education: Getting started with web application security
● Partner Community - Education - Security Review
● OWASP
○ Open Web Application Security Project
○ OWASP Top Ten
● Trust Academy courses
○ e.g. SR101, SECDEV1, SECDEV2
● Security team
○ Security Office Hours
○ [email protected]
● SR Operations team
○ SR Submission office hours
● Fun ways to learn
○ Google XSS Game
○ bWAPP - an extremely buggy web app
Testing
Adversary Testing
● Not unit/functional/regression testing
● Testers should be playing the role of a hacker/adversary
● Testers should be looking to exploit the application
● Their goal should be to extract data they don’t have permission to access
Automated Testing
● Static Code Analysis
○ Force.com Code Scanner / Checkmarx
● Web Application Scanners
○ ZAP (OWASP Zed Attack Proxy)
○ Chimera
● Other
○ Nmap, nikto, Qualys SSL Labs
Manual Testing
● Code reviews, input/parameter testing
● Interactive sessions with web application scanners / network protocol analysis tools
Automated tools are no substitute for manual testing!
Security Review
● Standards based
● Adversary focused
● Enterprise Level
Your app must pass Security Review before we test it
Mandatory for all ISV Apps!
Security Review Process
Note: The quality of the Security Review submission has a significant impact on the amount of time it can take to review an application. The largest delay in the process occurs between test cycles, when the partner is fixing issues identified during the review.
1. ISV Partner: Submit for SR via Partner Community
2. SR Operations: Process submission
3. Security Team: Waiting in queue
4. Security Team: Perform tests & validate results
5. SR Operations: Notify partner of result
What is the scope of the review? Everything inside the red box on the slide: anything a new customer would need.
Security Review requirements
AppExchange Top 10
● Cross Site Scripting (XSS)
● CRUD/FLS (Access control)
● Information Disclosure
● Cross Site Request Forgery (CSRF)
● Sharing violation
● Sensitive data leakage
● Authorization
● Broken session management
● SSL Configuration
● Sensitive Information in Debug
OWASP Top 10
● Injection
● Broken Authentication and Session Management
● Cross Site Scripting (XSS)
● Insecure Direct Object References
● Security Misconfiguration
● Sensitive data exposure
● Missing Function Level Access Control
● Cross Site Request Forgery (CSRF)
● Using Known Vulnerable Components
● Unvalidated Redirects and Forwards
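As an added illustration of the CRUD/FLS and sharing items in the AppExchange Top 10 above (example code written for this page, not from the presentation, Salesforce or CodeScience): an Apex query with no access checks beside one that enforces the running user's object and field permissions before records are returned or updated. The class name ContactExporter and its method names are assumptions.

```apex
// Added example, not from the deck. Apex runs in system mode by default, so the
// running user's object (CRUD) and field-level (FLS) permissions are only
// enforced when the code enforces them; "with sharing" applies record sharing.
public with sharing class ContactExporter {

    // Would be flagged as a CRUD/FLS violation: returns Email and Phone whether or
    // not the user's profile or permission sets grant read access to Contact or
    // to those fields.
    public static List<Contact> exportUnchecked(Id accountId) {
        return [SELECT Id, Name, Email, Phone FROM Contact WHERE AccountId = :accountId];
    }

    // Hardened read: verify object-level read access, then strip any field the
    // user cannot read before the records leave the class.
    public static List<Contact> exportChecked(Id accountId) {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AuraHandledException('Insufficient access to Contact');
        }
        List<Contact> rows = [SELECT Id, Name, Email, Phone FROM Contact WHERE AccountId = :accountId];
        // Security.stripInaccessible removes fields the user lacks FLS read on.
        // Alternative: append WITH SECURITY_ENFORCED to the SOQL, which throws
        // instead of silently dropping fields.
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }

    // Hardened write: verify object and field update permissions before DML.
    public static void updatePhones(Map<Id, String> phoneByContactId) {
        if (!Schema.sObjectType.Contact.isUpdateable()
            || !Schema.sObjectType.Contact.fields.Phone.isUpdateable()) {
            throw new AuraHandledException('Insufficient access to update Contact.Phone');
        }
        List<Contact> updates = new List<Contact>();
        for (Id cid : phoneByContactId.keySet()) {
            updates.add(new Contact(Id = cid, Phone = phoneByContactId.get(cid)));
        }
        update updates;
    }
}
```

A Checkmarx/Force.com code scanner run reports the unchecked query as a CRUD/FLS finding and is silent on the checked versions, which is the difference the submission report needs to show.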
Make sure we have everything we need to test your app
● Complete end-to-end testing environment for all elements of the solution
● Correct credentials to all systems
○ Test account, web app, other
● Apex / Visualforce scanner report (Checkmarx)
● ZAP or Chimera report
● False positive documentation
Submission Requirements (by app type)
● Native: Force.com environment; managed package; Force.com code scanner report; false positive report (if required); documentation (recommended)
● Native + Lightning Components: Force.com environment (with components configured for testing); managed package; Force.com code scanner report; false positive report (if required); documentation (recommended)
● Composite Web App/Service: Force.com environment; external components / credentials (e.g. URLs, credentials); managed package; Force.com code scanner report; ZAP/Burp/Chimera report; false positive report (if required); documentation (recommended)
● Composite Mobile/Client: Force.com environment; external components (e.g. link to APK); ZAP/Burp report; false positive report (if required); documentation (recommended)
● API Only: Force.com environment; external components / credentials (e.g. URLs, credentials); ZAP/Burp/Chimera report; false positive report (if required); documentation (recommended)
Interpreting results
Sorry! Your app failed
Don’t panic!
• Product Security Office Hours
• The report is focused on breadth, not depth. Test is time-boxed*
• Conduct a comprehensive review - make required fixes
• Re-run reports (Checkmarx, ZAP/Burp/Chimera)
• Ensure the test environment has the latest package version
• Schedule a follow-up Security Review
Congratulations! Your app passed
Next steps
• Get to work on Trialforce/Templates (if applicable); TSO/Templates require a Security Review as well
• Complete your AppExchange listing
• Market/Sell/Succeed!
*We can’t include every instance of a vulnerability/issue in the report
Resources
Public facing
• Partner Community: p.force.com/security
• ISV Security Review Trailhead
• Security Review Submission Process Office Hours
Get to Market Faster with a Certified PDO
Salesforce app development experts to help with:
Architecture Design
Integration and App Development
Performance Optimization
Security Review Consultation
35+ PDOs available across the globe
Brian Walsh
CEO, CodeScience
● Founding partner in the Salesforce Product Development Outsourcing (PDO) Program since 2008
● PDO Program provides app development services to ISVs for Salesforce AppExchange
● Partnered with many clients in various industries to assist in building 100+ apps on the AppExchange
● Certified as PDO Master in 2017
● Clients range from 3 person start-ups to a Fortune 3 company
Security review submission cutoff: August 25, 2017
Design considerations
● Pick the cloud you want to build on
○ App Cloud, Sales Cloud, Service Cloud, Marketing Cloud, Health Cloud, Financial Services Cloud
● Consider your license model
○ Connector, Checkout, ISVforce, OEM
● Clicks over code
● Lightning first
● Think of your Salesforce Administrator as a critical persona
○ How you install and configure is the first experience in your application
Tips and tricks
● You can still develop your application after submission
○ Functionality and integrations must be demonstrable
○ You should branch your code, as you may have to make changes for resubmission
● PDEs are free
○ Use a continuous integration pattern that enables each dev to have their own org
● Your managed package should be clean
○ Only package functionality, data models, and code that you actually need
○ Only use functionality that is actually required (ex: Chatter, Leads, Opportunities)
● Provide the SecRev team tons of instruction
○ YouTube videos on how to use your app are great!
● Gather feedback early and often
○ Use a PDE!
○ Install a package in a sandbox
What to do for Dreamforce
1. Configure your AppExchange listing
2. Set up Trialforce
3. Have a success story!
a. Gather feedback early from prospects via PDEs or by installing in their sandboxes
4. Show, don’t tell
a. Demo the app for prospects
PDOs can assist
● Certified at building products
● Understand the commercial process
● Can spin up a team quickly
● Can assist in initial customer implementations
● https://appexchange.salesforce.com/consulting
CodeScience Difference
● Only PDO with Master designation
● AppExchange Accelerator
○ Collection of code and process for AppExchange products
○ InstallScience is an installation wizard that can be easily configured
○ BuildScience for managing continuous integration
○ CRUD/FLS and Lightning frameworks
● We guarantee our code will pass Security Review
● Have an App already?
○ Extension packages
○ SDKs
○ New features for Dreamforce
Contact CodeScience
www.codescience.com/[email protected]
Lauren Clark
Senior Partner Marketing Manager, Salesforce
Why Sponsor Dreamforce?
As a Dreamforce sponsor, we look forward to helping you…
● grow your business
● evangelize customer success
● accelerate results
Dreamforce Demographics (chart)
1 – Attendee Type: missing percentage is for booth staff and labor
Check out our Resources.
For a deeper dive into Dreamforce 2017 packages and a la carte offerings, download our Dreamforce 2017 prospectus
Join our weekly office hours; an open forum to ask questions
Get in Touch.
Email [email protected] to connect with the Sponsorship Team
How do I learn more?
Contact your Partner Account Manager today!
Email questions to: [email protected]
Thank You