Building Secure Apps in the Cloud - Dreamforce - 9/20

Building Secure Applications in the Cloud James Dolph, Salesforce.com, Product Security Senior Manager @SecureCloudDev

description

Building on the Salesforce Platform means having access to our world-class security team. Hear from our resident experts and learn how you can leverage important tools & resources to build a secure app. Understand the purpose and payoff of having your app reviewed and learn how to streamline the process. This session is primarily for product managers and developers.

Transcript of Building Secure Apps in the Cloud - Dreamforce - 9/20

1. Building Secure Applications in the Cloud
   James Dolph, Salesforce.com, Product Security Senior Manager, @SecureCloudDev

2. Safe harbor
   Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include but are not limited to risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2012.
   This document and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

3. Agenda
   Philosophy and overview
   Resources and tips
   Collaborate and get help
   Takeaways

4. Philosophy and Overview

5. "Nothing is more important to our company than the privacy of our customers' data."
   - Parker Harris, Executive VP, Technology, Salesforce.com

6. In the news (four headline columns, reassembled from the slide layout)
   1.5 million credit card numbers stolen; stock dropped; Visa dropped from compliant list
   Hotel chain hacked; $10.6m in fraud; FTC fine
   BitCoin bank: $250K stolen; suspended operations
   Multiple compromises: 600k+ accounts

7. Security Review
   Mandatory
   Enterprise level
   Application focused

8. What's in scope
   Force.com Native: Apex, Visualforce, anything in a package.
   PaaS Web Applications: Application or web service hosted on Heroku, other PaaS or hosting provider.
   Client and Mobile Apps: Apps installed on customer computers, mobile devices or data center.

9. What we test
   Force.com Native: Automated code scan; Manual code review and black box testing; Client side components (Flash, JavaScript); Integrations and web services
   Web Applications: Automated testing and manual black box testing; Client side components (Flash, JavaScript); Integrations and web services; Architecture review and web server testing
   Client and Mobile Apps: Manual hands-on testing of the application; Integrations and web services; Architecture review and web server testing

10. OWASP Top 10 (2010)
   1. Injection (SQLi, XML, LDAP etc.)
   2. Cross Site Scripting (XSS)
   3. Broken Authentication and Session Management
   4. Insecure Direct Object References
   5. Cross Site Request Forgery (CSRF)
   6. Security Misconfiguration
   7. Insecure Cryptographic Storage
   8. Failure to Restrict URL Access (e.g. admin pages)
   9. Insufficient Transport Layer Protection (SSL, Config)
   10. Unvalidated Redirects and Forwards

11. ISV Security Review Outcomes
   Approved: Meets our requirements. Offering can be listed on the AppExchange. Subsequent review is scheduled.
   Provisionally Approved (very rarely issued): Meets our requirements but may have very low risk issues as determined by the review team. The offering can be temporarily listed on the AppExchange. Failure to remedy issues in a timely manner results in removal from the AppExchange.
   Not Approved: Does not meet our requirements. New partners are not permitted to list on the AppExchange until all issues are fixed. Existing offerings are delisted from the AppExchange if they fail to remediate issues.

12. Why do offerings pass or fail
   Why offerings pass            | Why offerings don't pass
   Early testing and prep        | Lack of testing and prep
   Understanding requirements    | Misunderstanding requirements
   Understanding scope           | Limiting scope
   Use ISV resources             | Not using ISV resources

13. Security Resources

14. Secure Cloud Development
   http://developer.force.com/security
   Secure Coding Guidelines
   Secure Coding Library
   Security Self-Assessment
   Partner security office hours
   Force.com Security Code Scanner
   ISV program partners receive a free web application scanning tool license

15. Native app security tips
   Business logic issues
   Client side issues
   Flash and Silverlight
   Merge fields in JavaScript blocks or on* methods
   S-Controls and custom buttons/links
   Secure callouts / secure JS includes
   Secure storage of data

16. Web app and client app tips
   Business logic issues
   Multitenancy access control enforcement
   CSRF
   Client side issues
   Flash and Silverlight issues
   Secure JS includes
   Secure storage of credentials, tokens, and keys

17. Collaborate and get help
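Slides 15 and 16 both list merge fields in JavaScript blocks and on* handlers among the client-side issues the review team looks for. The page below is an added, constructed Visualforce example (not from the deck or from Salesforce) showing the unsafe pattern next to the encoded form; the request parameter `q` and the `runSearch` function are assumptions, while `JSENCODE` and `HTMLENCODE` are the platform's own formula functions.

```html
<!-- Constructed Visualforce page (added example, not from the presentation).
     A request parameter "q" is reflected into page script. -->
<apex:page>

  <!-- VULNERABLE: Visualforce does not automatically encode merge fields
       placed inside <script> blocks, so an apostrophe in "q" ends the
       string literal and whatever follows is parsed as JavaScript (XSS). -->
  <script>
    var searchTerm = '{!$CurrentPage.parameters.q}';
  </script>

  <!-- FIXED: JSENCODE backslash-escapes quotes, backslashes and the other
       characters that are unsafe inside a JavaScript literal, so the value
       stays a plain string no matter what the user sent. -->
  <script>
    var searchTerm = '{!JSENCODE($CurrentPage.parameters.q)}';
  </script>

  <!-- on* handlers are the same JavaScript context, but the browser
       HTML-decodes the attribute value before running it, so the JavaScript
       encoding is wrapped in HTMLENCODE to survive that decoding step.
       runSearch is an assumed page function. -->
  <apex:commandButton value="Search again"
      onclick="runSearch('{!HTMLENCODE(JSENCODE($CurrentPage.parameters.q))}'); return false;"/>

</apex:page>
```

The Force.com Security Code Scanner listed on slide 14 flags the first block; the second and third are the shapes that pass review.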
18. Collaborate and get help
   Secure Cloud Development
   Force.com discussion boards
   Partner Portal
   Twitter @SecureCloudDev
   ISV Office hours
   Email

19. ISV Office Hours
   http://bit.ly/ISVSecurityOfficeHours

20. Takeaways

21. Takeaways
   We want you to succeed
   Preparation is key
   Take advantage of our resources
   Give yourself time
   We're here to help

22. Wrap up

23. DF12 ISV Success Sessions
   Great sessions for each phase of the lifecycle: Plan, Build, Distribute, Sell, Support
   ISV Kickoff: Getting Started
   Distributing & Licensing Your App
   How to Support Your Customers
   How to Architect & Design Your App
   Automate Your App Sales
   ISV PM Product Roadmap
   Designing Social Apps (Workshop)
   Extend Your Commercial Force.com App
   Expanding Your Marketing Reach with AppExchange
   Team Development and Release Mgmt
   Marketing Best Practices in the Social Era
   Building Secure Applications in the Cloud
   Mastering the Direct Sales Model
   Selling Social Apps
   Follow sessions and join the Partner Success Group on

24. A Few Reminders...
   Why Work With a PDO
   Partner Success Experts
   Innovation Theater and Lounge
   1:1 Success Clinics
   Need to relax? Have a massage!
   Check out the Partner Hub, 540 Howard Street
   Survey (Session Record)
   Cloud Crawl (Thursday Night)
   Follow us on Twitter @partnerforce

25. Partner Hub (floor-plan slide; labels recovered: Speaker Debrief, Why Work With a PDO, Partner Success Clinics, Welcome Desk, Speaker Debrief Area)