Secure Salesforce: Code Scanning with Checkmarx

Secure Salesforce: Static Analysis as a Service Best Practices for using our Source Scanner

 Robert Sussland  SMTS Product Security  [email protected]

 

 Safe harbor statement under the Private Securities Litigation Reform Act of 1995:

 This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

 The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.

 Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Safe Harbor

Robert Sussland SMTS Product Security, Salesforce

Agenda

•  Service Overview

•  Intro to Static Analysis

•  Static Analysis as a Service

•  Parsing Results

•  Pain Points and Solutions

•  Demo

•  Special Guest

•  QA

Service Overview

Static Analysis with Checkmarx Suite



•  Look for data flows from sources to sinks

•  Sources:

•  URL Parameters

•  sObject Values

•  User Input (e.g. in a form)

•  @AuraEnabled methods

•  Sinks

•  Unescaped HTML (e.g. aura:unescapedHtml or VF escape=“false”) //XSS

•  Database.query() //SOQL injection


•  If data flows from a source to sink without passing through a sanitizer, then report a vulnerability.

•  Sanitizers:

•  String.escapeSingleQuote() //SOQL injection

•  HTMLENCODE() //VF page

•  We don’t have a full string solver, or full information about data types or context:



•  Sanitizers:




//vulnerable

qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + taint + “ ‘ “;



•  Sanitizers:




//vulnerable

qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + taint + “ ‘ “;

//vulnerable

qry = “SELECT Name, “ + taint + “FROM Account LIMIT 1”;


•  False Positives and False Negatives

String sanitized = String.escapeSingleQuotes(taint);

//safe

qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + sanitized + “ ‘ “;

Database.query(qry);

//vulnerable (FN)

qry = “SELECT Name, “ + sanitized + “FROM Account LIMIT 1”;

Database.query(qry);


•  False Negatives

<a href=“{!HTMLENCODE(taint)}”>click here</a> //taint=javascript:

•  Trade off between False Positives and False negatives

•  Should a substring of a tainted string be tainted?

•  Should the string replace of a tainted string be tainted?

•  Should the concatenation of a tainted and untainted string be tainted?

•  How do we know whether to HTMLENCODE, JSENCODE,URLENCODE?

How to Audit a Result Path

•  Look at ends of path

•  source should be a valid source

•  sink should be a valid sink

•  Follow from source to sink to verify that

•  Escaping is appropriate for output context

•  Escaping happens at the right place

•  Escaping complies with your developer policies

Static Analysis as a Service

•  We make access to Checkmarx static analysis available online for free

•  Primary use case is Appexchange, not bespoke development

•  Scan approximately 900 million lines of code per year (closing in on 1 billion lines/year)

•  Average lines of code per app ~ 37,000

•  Approximately 20,000 apps per year (e.g. average of 54 apps/day)

•  During peak usage, we process about 200 apps per day

•  Scan time is averages approximately 12.5 lines of code/second, but highly variable

•  Dramatic increase in pass rates

Contract with Checkmarx

•  Previous contract

•  Was for license (1 server) to be used for Appexchange scans

•  Strategy was to throttle based on wait times

•  Current contract

•  Flexible licenses, but limit quantity and types of scans

•  Appexchange – 3 free scans per app

•  Non-appexchange – 30K lines of code per month

Pain Points and Solutions

Pain points and solutions

•  False positives/false negatives

•  Recommend to purchase your own scanner to adjust the rules

•  Throttling based on code too large

•  Limit increased to 750,000 lines of code in the new portal

•  Limit will remain 500,000 lines of code for customers that are not parters

•  Throttling based on email domain/too many scans submitted

•  Removed in new Portal

•  No report if no issues found

•  New reports

Pain points and solutions

•  Issues getting reports

•  Many problems with emailing large files

•  Addressed in new Portal

•  Knowing scan status

•  Addressed in new Portal

•  Wait too long

•  Solution is to add more capacity

•  We added 3 servers this year, plan to add 3-6 more servers next year.

•  But some scans will still get stuck and need to be resubmitted

•  We will still be delayed during monthly patch times (third weekend of each month)

•  We will still be delayed during upgrades/service (approx. 4 times per year)

Demo

Special Guest – Igor Matlin, Checkmarx

Integrate into your SDLC and Automate security scans

Developers

Source repository

Fix suggestions

Build management

Auditor control panel

Bug tracking

SVN

TFS

TFS

Bamboo

Web Service API

CLI

CxAudit Checkmarx web client

TeamMentor

Dashboards

DAST

Integrations

Scan & Fix Your Code Security Flaws

detailed remediation

advice

where to fix (best place to fix)

vulnerable line of code

IDE integration

?

Attack vector

IDE Plugins available for

Eclipse Checkmarx© Plugin

For more information about

Checkmarx© Enterprise Grade Security Scanner please visit www.checkmarx.com/salesforce

Summary

Summary

•  Understand the basics of dataflows to help detect false positives and false negatives

•  Sign up for new portal! http://goo.gl/forms/OsZVkwWKR2

•  Look at CX offerings for your enterprise!

Secure Salesforce at Dreamforce 2015

  10 DevZone Talks and 2 Lighting Zone Talks covering all aspects of Security on the Salesforce Platform

  Visit our booth in the DevZone with any security questions

  Check out the schedule and details at http://bit.ly/DF15Sec

  Admin-related security questions?

  Join us for coffee in the Admin Zone Security Cafe

Secure Salesforce – Thursday Afternoon

Lightning Components Best Practices   Robert Sussland and Sergey Gorbaty   4:45pm in Moscone West 2007

  Common Secure Coding Mistakes   Rachel Black and Alejandro Raigon Munoz   5:00pm in Moscone West 2006

Secure Salesforce – Friday

  Chimera: External Integration Security   Tim Bach and Travis Safford   10:00am in Moscone West 2009

Thank you

Technology

Secure Salesforce: Code Scanning with Checkmarx