An Insider's Guide to Security Review (October 13, 2014)
An Insider’s Guide to Security Review
Sarah Whitlock, salesforce.com Senior Director, Productivity @partnerforce
Alex Eliopoulos, salesforce.com Senior Security Review Operations Analyst @partnerforce
Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter.
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Pop Quiz
Why do we require security reviews of ISV apps?
• Legal said we have to
• Other vendors require it
• We make money on it
• It accelerates time to market
“Nothing is more important to our company than the privacy of our customers’ data”
Parker Harris Co-Founder and EVP Technology
Financial
• Major retailer’s point of sale (POS) compromised
• 40MM credit cards stolen
• 70MM records stolen
• Stock fell sharply
Regulatory
• Data breaches at San Diego hotel chain (five locations)
• 43-55k credit cards stolen
• Risk of FTC fine
Existential
• BitCoin exchange service hacked
• 750,000 BitCoins stolen ($356.2MM)
• Suspended operations
Crimes of opportunity abound
“Estimate: cybercrime costs companies in the US 100 billion dollars per year”
Center for Strategic and International Studies
You must pass Security Review before you can sell your app
• Standards Based
• Adversary Focused
• Enterprise Level
→ Mandatory for all ISV apps
Trust is priority #1
60% of all apps fail the first time through Security Review. How do you increase your odds for success?
Tip #1: Have a STRATEGY.
Hope is not a strategy. Too often partners think of security as a test to pass at the end.
Threat Modeling Process:
• Design-time exercise
• Analyze your solution’s data flow
• Locate security vulnerabilities
• Identify ways to exploit
→ Identify issues before code is written
Think about security from the start
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the Application
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
Basic approach:
• Identify potential product vulnerability points at design time
• Put defenses in place to cover all possible input paths
• Institute coding standards to control risk from the start
→ It’s much harder to find and fix problems once you’ve committed to code
Incorporate security into your development lifecycle: Education → Design → Develop → Test → Release
Tip #2: Take the time to educate your team.
The Partner Community is your launch pad
We have lots of resources to help you succeed
Tip #3: Make sure you understand what we’re testing.
OWASP Top 10 is our guide
1. Injection (SQLi, SOQL, XML, OS etc.)
2. Broken Authentication and Session Management
3. Cross Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross Site Request Forgery (CSRF)
9. Using Known Vulnerable Components (libraries, frameworks, software)
10. Unvalidated Redirects and Forwards
We look at your end-to-end solution
• Client side components (Flash, JavaScript)
• Integrations and web services
• Automated code scan
• Manual code review and black box testing
• Client side components (Flash, JavaScript)
• Integrations and web services
• Automated testing and manual black box testing
• Architecture review and web server testing
• Client and mobile applications
• Integrations and web services
• Manual hands on testing of the application
• Architecture review and web server testing
Your app will come in one of the following patterns.
Either it is built 100% on force.com. This is what we call a native app.
(Diagram labels: Custom Objects, Users, Accounts & Contacts, Reporting, Workflow)
Or, it includes technology NOT on our platform. We call this a composite app.
(Diagram labels: off-platform Processing, Users, Data Storage and UI, connected through Open APIs (Custom/REST/SOAP API) to Custom Objects, Users, Accounts & Contacts, Reporting, Workflow)
Tip #4: In both cases, the scope of the security review is the same.
It’s everything inside the red box, for both the native and the composite diagram.
When you’re ready to submit, log into the AppExchange Publishing Console.
Start Review to launch the Security Review Wizard
Scope
• Complete end-to-end testing environment for all elements of your solution
Credentials
• Correct credentials to all systems
• Test account, Web App, other
Reports
• CodeScanner (Checkmarx) report
• BURP report
• False positive documentation
Make sure we have everything we need to test your app
Tip #5: Rule of thumb - provide everything a net new customer will require to use your product.
Force.com Code Scanner
• Static code analysis
• All Apex/Visualforce code must be scanned with Checkmarx
• Issues other than “Code Quality” must be addressed
Web App Scanner
• Set of tools for assessing web application security
• Any web application and/or web service component must be scanned with Burp
• Issues “Low” severity and above must be addressed
Provide clean scans from testing tools
Tip #6: Security testing tools are a great help. But, they are no substitute for making security a part of your software development lifecycle.
If you fail, we send you a report of findings
Make sure you interpret the failure report correctly. The report is not a comprehensive list of all vulnerabilities:
• The report of findings is representative of issues found during a point-in-time test
• We test breadth, not depth
• All tests are time bound
• We are not experts on your code; we can’t find everything
Tip #7: Use our report as a guide. Search your entire codebase for issues like the ones we found.
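One way to act on Tip #7 for a single finding class, as an added example that is not part of the deck or of Salesforce's tooling: a sweep over Apex sources for dynamic SOQL built by string concatenation (OWASP item 1, Injection). The Apex fragments are constructed for the example, and the matching is heuristic text matching rather than a parser or data-flow analysis, so treat hits as leads to review, not verdicts.

```python
import re

# Database.query(...) / countQuery(...) / getQueryLocator(...) up to the first ');'
# (text matching, not parsing: a literal containing ');' would cut the argument short).
DYNAMIC_SOQL = re.compile(r"Database\.(?:query|countQuery|getQueryLocator)\((.*?)\);", re.S)

SAMPLE_SOURCES = {  # constructed Apex fragments, not code from any real package
    "ContactSearch.cls": r"""String q = 'SELECT Id FROM Contact WHERE LastName = \'' + name + '\'';
return Database.query(q);""",
    "AccountLookup.cls": r"""return Database.countQuery('SELECT COUNT() FROM Account WHERE Industry = \''
    + String.escapeSingleQuotes(industry) + '\'');""",
    "CaseList.cls": r"""String soql = 'SELECT Id FROM Case';
if (status != null) { soql += ' WHERE Status = \'' + status + '\''; }
return Database.query(soql);""",
}

def _resolve(expr, src):
    # Bare variable? Substitute its most recent '=' or '+=' assignment (heuristic only).
    expr = expr.strip()
    if re.fullmatch(r"[A-Za-z_]\w*", expr):
        assigns = re.findall(r"\b%s\s*\+?=\s*(.+?);" % expr, src, re.S)
        return assigns[-1] if assigns else expr
    return expr

def _split_concat(expr):
    """Split a '+' chain on top-level pluses, ignoring '+' inside literals or parens."""
    parts, buf, in_str, esc, depth = [], [], False, False, 0
    for ch in expr:
        if in_str:
            in_str = esc or ch != "'"          # an unescaped quote closes the literal
            esc = not esc and ch == "\\"
        elif ch == "'":
            in_str = True
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        elif ch == "+" and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return parts

def find_unsafe_dynamic_soql(sources):
    """(file, line, operand) for each operand that is neither a string literal nor escaped."""
    findings = []
    for name, src in sources.items():
        for call in DYNAMIC_SOQL.finditer(src):
            line = src.count("\n", 0, call.start()) + 1
            for op in _split_concat(_resolve(call.group(1), src)):
                literal = len(op) >= 2 and op[0] == op[-1] == "'"
                if not literal and not op.startswith("String.escapeSingleQuotes("):
                    findings.append((name, line, op))
    return findings
```

Running it over the three constructed fragments flags `name` in ContactSearch.cls and `status` in CaseList.cls, while the countQuery that wraps its input in `String.escapeSingleQuotes()` passes; the same sweep pointed at an unpacked package directory is the "search your entire codebase" the tip asks for.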
Re-submitting is a two-step process.
Step #1: Start Review to launch the Security Review Wizard
Step #2: Log a case in the Partner Community
Make sure you select Security Review topic
Tip #8: Don't forget to log a case in the Partner Community. We can’t see your re-submission until you log a case.
When you pass, we send you an email to let you know
• You can list your application on the AppExchange
• New versions will “auto-pass” when you click “Start Review” and fully submit
Tip #9: All apps are subject to periodic review at any time.
So, don’t forget to practice your strategy: Education → Design → Develop → Test → Release
Tip #10: We want you to succeed. We're here to help. Don't be afraid to ask!
Key takeaways
• Have a strategy
• Give yourself time to prepare
• Take advantage of our resources
• Understand the scope of security review
• Understand scanning tools, their use, and their limitations
→ We’re here to help. Don’t be afraid to ask!
→ Visit us in the Partner Zone for Security Review Office Hours
Up & Coming: Secure Development Sessions at Dreamforce 2014
• Secure Coding: Field-level Security, CRUD, and Sharing, Monday, October 13 @ 11:00am
• Secure Coding: Storing Secrets in Your Salesforce Instance, Monday, October 13 @ 2:00pm
• Building Secure Mobile Apps, Monday, October 13 @ 5:00pm
• Protect Your Data Against Malicious Scripts, Tuesday, October 14 @ 11:00am
• Secure Coding: External App Integration, Wednesday, October 15 @ 9:00am
• Secure Coding: SSL, SOAP, and REST, Thursday, October 16 @ 10:30am
Check out the new Partner Community
https://partners.salesforce.com/
Connect with Partners in the Partner Zone
The Westin Hotel, Market Street, 2nd Floor – Metropolitan Ballroom
INNOVATE with the leading technology
• Demos of new Salesforce technology
CONNECT with members of the partner community
• Partner Community Theater
• Networking areas
• Welcome reception and daily lunch service
GROW your business with resources
• 70+ partner-specific sessions
• ‘Ask the Experts’ consultation stations
AppBash 2014 on Wednesday Night!
Q&A
Sarah Whitlock, salesforce.com Senior Director, Productivity @partnerforce.com
Alex Eliopoulos, salesforce.com Senior Security Review Operations Analyst @partnerforce.com