An Insider's Guide to Security Review (October 13, 2014)


Transcript of An Insider's Guide to Security Review (October 13, 2014)

Page 1: An Insider's Guide to Security Review (October 13, 2014)

An Insider’s Guide to Security Review

Sarah Whitlock, salesforce.com Senior Director, Productivity @partnerforce

Alex Eliopoulos, salesforce.com Senior Security Review Operations Analyst @partnerforce

Page 2

Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. 
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Page 3

Pop Quiz

Why do we require security reviews of ISV apps?

•  Legal said we have to
•  Other vendors require it
•  We make money on it
•  It accelerates time to market

(Vote)

Page 4

“Nothing is more important to our company than the privacy of our customers’ data”

Parker Harris, Co-Founder and EVP Technology

Page 5

Financial
•  Major retailer’s point of sale (POS) compromised
•  40MM credit cards stolen
•  70MM records stolen
•  Stock fell sharply

Regulatory
•  Data breaches at San Diego hotel chain (five locations)
•  43-55k credit cards stolen
•  Risk of FTC fine

Existential
•  Bitcoin exchange service hacked
•  750,000 bitcoins stolen ($356.2MM)
•  Suspended operations

Crimes of opportunity abound

Page 6

“Estimate: cybercrime costs companies in the US 100 billion dollars per year”

Center for Strategic and International Studies

Page 7

You must pass Security Review before you can sell your app

•  Standards based
•  Adversary focused
•  Enterprise level

→ Mandatory for all ISV apps

Trust is priority #1

Page 8

60% of all apps fail the first time through Security Review. How do you increase your odds for success?

Page 9

Tip #1: Have a STRATEGY.

Page 10

Hope is not a strategy

Too often partners think of security as a test to pass at the end

Page 11

Think about security from the start

Threat modeling process:
•  Design-time exercise
•  Analyze your solution’s data flow
•  Locate security vulnerabilities
•  Identify ways to exploit them

→ Identify issues before code is written

Threat modeling steps, in order:
1. Identify assets
2. Create an architecture overview
3. Decompose the application
4. Identify the threats
5. Document the threats
6. Rate the threats

Page 12

Incorporate security into your development lifecycle

Basic approach:
•  Identify potential product vulnerability points at design time
•  Put defenses in place to cover all possible input paths
•  Institute coding standards to control risk from the start

→ It’s much harder to find and fix problems once you’ve committed to code

Lifecycle phases: Education, Design, Develop, Test, Release

Page 13

Tip #2: Take the time to educate your team.

Page 14

The Partner Community is your launch pad

Page 15

We have lots of resources to help you succeed

Page 16

Tip #3: Make sure you understand what we’re testing.

Page 17

OWASP Top 10 (2013 edition) is our guide

1.  Injection (SQLi, SOQL, XML, OS, etc.)
2.  Broken Authentication and Session Management
3.  Cross-Site Scripting (XSS)
4.  Insecure Direct Object References
5.  Security Misconfiguration
6.  Sensitive Data Exposure
7.  Missing Function Level Access Control
8.  Cross-Site Request Forgery (CSRF)
9.  Using Known Vulnerable Components (libraries, frameworks, software)
10. Unvalidated Redirects and Forwards

Page 18

We look at your end-to-end solution

•  Client side components (Flash, JavaScript)
•  Integrations and web services
•  Automated code scan
•  Manual code review and black box testing

•  Client side components (Flash, JavaScript)
•  Integrations and web services
•  Automated testing and manual black box testing
•  Architecture review and web server testing

•  Client and mobile applications
•  Integrations and web services
•  Manual hands-on testing of the application
•  Architecture review and web server testing

Page 19

Your app will come in one of the following patterns.

Page 20

Either it is built 100% on Force.com. This is what we call a native app.

Diagram labels: Custom Objects, Users, Accounts & Contacts, Reporting, Workflow

Page 21

Or, it includes technology NOT on our platform. We call this a composite app.

Diagram labels (off-platform side): Processing, Users, Data Storage, UI

Diagram labels (Force.com side): Custom Objects, Users, Accounts & Contacts, Reporting, Workflow

Connected through Open APIs (Custom/REST/SOAP API)

Page 22

Tip #4: In both cases, the scope of the security review is the same.

Page 23

It’s everything inside the red box

Diagram labels: Native, Composite

Page 24

When you’re ready to submit, log into the AppExchange Publishing Console.

Page 25

Start Review to launch the Security Review Wizard

Page 26

Make sure we have everything we need to test your app

Scope
•  Complete end-to-end testing environment for all elements of your solution

Credentials
•  Correct credentials to all systems
•  Test account, web app, other

Reports
•  CodeScanner (Checkmarx) report
•  Burp report
•  False positive documentation

Page 27

Tip #5: Rule of thumb: provide everything a net-new customer will require to use your product.

Page 28

Provide clean scans from testing tools

Force.com Code Scanner
•  Static code analysis
•  All Apex/Visualforce code must be scanned with Checkmarx
•  Issues other than “Code Quality” must be addressed

Web App Scanner
•  Set of tools for assessing web application security
•  Any web application and/or web service component must be scanned with Burp
•  Issues of “Low” severity and above must be addressed

Page 29

Tip #6: Security testing tools are a great help. But, they are no substitute for making security a part of your software development lifecycle.

Page 30

If you fail, we send you a report of findings

Page 31

Make sure you interpret the failure report correctly

The report is not a comprehensive list of all vulnerabilities:
•  The report of findings is representative of issues found during a point-in-time test
•  We test breadth, not depth
•  All tests are time-bound
•  We are not experts on your code; we can’t find everything

Page 32

Tip #7: Use our report as a guide. Search your entire codebase for issues like the ones we found.
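The "search your entire codebase" step in Tip #7 is where most partners stall, because a failure report names a few locations and the same pattern usually recurs elsewhere. As an added example (not code from the presentation or from Salesforce), the Python script below greps an Apex/Visualforce package for line-level anti-patterns that map onto the OWASP categories listed on page 17: dynamic SOQL built by string concatenation (Injection), Visualforce output with encoding switched off (XSS), classes that do not enforce the running user's record access (Insecure Direct Object References / Missing Function Level Access Control), and credential-looking literals (Sensitive Data Exposure). The sample files, their contents, and the rule names are constructed for this illustration. It is a triage aid only: it has no real data-flow analysis, so it cannot replace the Checkmarx scan the review requires, and it will both miss taint that crosses lines and flag some code that is actually safe.

```python
"""Pre-submission triage grep for Apex/Visualforce anti-patterns.

Added example, not code from the presentation or from Salesforce. Maps a few
line-level patterns to the OWASP categories the review tests. NOT a substitute
for the required Checkmarx scan: no data-flow analysis, so it misses taint that
crosses lines and flags some safe code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


# A1 Injection: dynamic SOQL/SOSL sinks. Inline [SELECT ... :bind] is safe and not matched.
DYNAMIC_QUERY = re.compile(r"Database\.(?:query|countQuery|getQueryLocator)\s*\((.*)\)")
# A String initialised with query text that is then concatenated (taint source).
QUERY_CONCAT_ASSIGN = re.compile(r"\bString\s+(\w+)\s*=\s*'(?:SELECT|FIND)\b.*\+")
# A4/A7: top-level class that does not enforce the running user's record access.
CLASS_DECL = re.compile(
    r"^\s*(?:public|global)\s+(?:(?:virtual|abstract)\s+)*(?:(with|without)\s+sharing\s+)?class\s+\w+")
# A3 XSS: Visualforce output with HTML encoding switched off.
ESCAPE_FALSE = re.compile(r"""\bescape\s*=\s*["']false["']""", re.IGNORECASE)
# A6 Sensitive Data Exposure: credential-looking literal in source.
HARDCODED_SECRET = re.compile(r"\b\w*(?:password|secret|api_?key|token)\w*\s*=\s*'[^']{4,}'",
                              re.IGNORECASE)


def scan_source(path: str, text: str) -> List[Finding]:
    """Scan one file. `tainted` holds String variables built from concatenated query text."""
    findings: List[Finding] = []
    tainted: set = set()
    for number, line in enumerate(text.splitlines(), start=1):
        snippet = line.strip()
        if path.endswith((".cls", ".trigger")):
            m = QUERY_CONCAT_ASSIGN.search(line)
            if m:
                tainted.add(m.group(1))
            m = DYNAMIC_QUERY.search(line)
            if m and ("+" in m.group(1) or m.group(1).strip() in tainted):
                findings.append(Finding(path, number, "soql-injection", snippet))
            m = CLASS_DECL.match(line)
            if m and m.group(1) != "with":
                findings.append(Finding(path, number, "sharing-not-enforced", snippet))
            if HARDCODED_SECRET.search(line):
                findings.append(Finding(path, number, "hardcoded-secret", snippet))
        elif path.endswith((".page", ".component")):
            if ESCAPE_FALSE.search(line):
                findings.append(Finding(path, number, "xss-escape-false", snippet))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: source} map (what walking a package's classes/pages dirs would yield)."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_source(path, files[path]))
    return findings


# Constructed sample package: each file carries a vulnerable form, a safe form, or both.
SAMPLE_FILES: Dict[str, str] = {
    "ContactSearch.cls": r"""public without sharing class ContactSearch {
    public static List<Contact> unsafe(String name) {
        String q = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'%' + name + '%\'';
        return Database.query(q);
    }
    public static List<Contact> safe(String name) {
        String pattern = '%' + name + '%';
        return [SELECT Id, Name FROM Contact WHERE Name LIKE :pattern];
    }
}""",
    "AuditLog.cls": r"""public with sharing class AuditLog {
    public static Integer countRecent(String days) {
        return Database.countQuery('SELECT COUNT() FROM Log__c WHERE CreatedDate = LAST_N_DAYS:' + days);
    }
}""",
    "Summary.page": r"""<apex:page controller="ContactSearch">
    <apex:outputText value="{!$CurrentPage.parameters.msg}" escape="false"/>
    <apex:outputText value="{!$CurrentPage.parameters.msg}"/>
</apex:page>""",
    "Settings.cls": r"""public with sharing class Settings {
    private static final String API_KEY = 'not-a-real-key-0123';
}""",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.snippet}")
```

Run as-is it reports five findings against the embedded sample and nothing against the bind-variable query or the encoded `outputText`; for a real package, build the `files` map by reading every `.cls`, `.trigger`, `.page` and `.component` under the package source directory. Two of the rules need judgement rather than a fix: `without sharing` can be legitimate for a specific service class, and a concatenated query wrapped in `String.escapeSingleQuotes` is still flagged because the bind-variable form is the one the reviewer wants to see. Both cases belong in the false positive documentation the submission asks for (page 26), with the reasoning written down.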

Page 33

Re-submitting is a two-step process.

Page 34

Step #1: Start Review to launch the Security Review Wizard

Page 35

Step #2: Log a case in the Partner Community

Page 36

Make sure you select the Security Review topic

Page 37

Tip #8: Don't forget to log a case in the Partner Community. We can’t see your re-submission until you log a case.

Page 38

When you pass, we send you an email to let you know

•  You can list your application on the AppExchange
•  New versions will “auto-pass” when you click “Start Review” and fully submit

Page 39

Tip #9: All apps are subject to periodic review at any time.

Page 40

So, don’t forget to practice your strategy

Basic approach:
•  Identify potential product vulnerability points at design time
•  Put defenses in place to cover all possible input paths
•  Institute coding standards to control risk from the start

→ It’s much harder to find and fix problems once you’ve committed to code

Lifecycle phases: Education, Design, Develop, Test, Release

Page 41

Tip #10: We want you to succeed. We're here to help. Don't be afraid to ask!

Page 42

Key takeaways

•  Have a strategy
•  Give yourself time to prepare
•  Take advantage of our resources
•  Understand the scope of security review
•  Understand scanning tools, their use, and their limitations

→ We’re here to help. Don’t be afraid to ask!
→ Visit us in the Partner Zone for Security Review Office Hours

Page 43

Secure Development Sessions at Dreamforce 2014

Up & Coming
•  Secure Coding: Field-level Security, CRUD, and Sharing (Monday, October 13 @ 11:00am)
•  Secure Coding: Storing Secrets in Your Salesforce Instance (Monday, October 13 @ 2:00pm)
•  Building Secure Mobile Apps (Monday, October 13 @ 5:00pm)
•  Protect Your Data Against Malicious Scripts (Tuesday, October 14 @ 11:00am)
•  Secure Coding: External App Integration (Wednesday, October 15 @ 9:00am)
•  Secure Coding: SSL, SOAP, and REST (Thursday, October 16 @ 10:30am)

Page 44

Check out the new Partner Community

https://partners.salesforce.com/

Page 45

Connect with Partners in the Partner Zone
The Westin Hotel, Market Street, 2nd Floor – Metropolitan Ballroom

INNOVATE with the leading technology
•  Demos of new Salesforce technology

CONNECT with members of the partner community
•  Partner Community Theater
•  Networking areas
•  Welcome reception and daily lunch service

GROW your business with resources
•  70+ partner-specific sessions
•  ‘Ask the Experts’ consultation stations

Page 46

AppBash 2014 on Wednesday Night!

Page 47

Q&A Sarah Whitlock, salesforce.com Senior Director, Productivity @partnerforce.com

Alex Eliopoulos, salesforce.com Senior Security Review Operations Analyst @partnerforce.com

Page 48