Insider's Guide to the AppExchange Security Review (Dreamforce 2015)


Transcript of Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Page 1: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Insider's Guide to the AppExchange Security Review

Sarah T. Whitlock, Senior Director, Partner Operations, [email protected]

Jon Cline, VP, Business Development, [email protected]

Page 2: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

 Safe harbor statement under the Private Securities Litigation Reform Act of 1995:

 This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

 The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.

 Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Safe Harbor

Page 3: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Pop Quiz

Why do we require security reviews of ISV apps?

• Legal said we have to
• Other vendors require it
• We make money on it
• It accelerates time to market

Vote

Page 4: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

“Nothing is more important to our company than the privacy of our customers’ data”

Parker Harris Co-Founder and EVP Technology

Page 5: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

“Estimate: cybercrime costs companies in the US 100 billion dollars per year”

Center for Strategic and International Studies

Page 6: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

You must pass Security Review before you can sell your app

• Standards Based
• Adversary Focused
• Enterprise Level

→ Mandatory for all ISV apps

Page 7: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

50% of all apps fail the first time through Security Review. How do you increase your odds for success?

Page 8: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Tip #1: Security Review is a benefit, not a punishment. We want you to succeed.

Page 9: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Security Review helps you sell to the enterprise

• Make security an on-going part of your development process
• Become a member of a trusted ecosystem of app vendors
• Meet the security expectations of enterprise customers

Page 10: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Tip #2: Have a STRATEGY.

Page 11: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Too often partners think of security as a test to pass at the end.

Hope is not a strategy.

Page 12: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Think about security from the start

Threat Modeling Process: a design-time exercise

• Analyze your solution’s data flow
• Locate security vulnerabilities
• Identify ways to exploit

→ Identify issues before code is written

Process steps (from the slide’s diagram): Identify Assets → Create an Architecture Overview → Decompose the Application → Identify the Threats → Document the Threats → Rate the Threats

Page 13: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Incorporate security into your development lifecycle

Basic approach:

• Identify potential product vulnerability points at design time
• Put defenses in place to cover all possible input paths
• Institute coding standards to control risk from the start

→ It’s much harder to find and fix problems once you’ve committed to code

Lifecycle phases (from the slide’s diagram): Education → Design → Develop → Test → Release

Page 14: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Tip #3: Take the time to educate your team.

Page 15: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

The Partner Community is your launch pad

Page 16: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

We have lots of resources to help you succeed: p.force.com/Security

Page 17: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Including Trust Academy for hands-on learning

trustacademy.salesforce.com

Use your Partner Community credentials to get access.

3 courses available now:

1. Force.com Security Essentials
2. Security Auditing Tools
3. AppExchange Security Review

p.force.com/Security for more info

Page 18: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

And, experts (PDOs) to help you through the process

Product Development Outsourcers (PDOs) are

• Specialists in developing apps for the AppExchange
• Experts in ISV technologies like managed packages, push upgrades, publishing etc.
• Experienced with the security review process

Key benefits

• AppExchange apps developed by PDOs are higher quality and scale better
• PDO-developed apps clear security review quickly and in fewer attempts (often 1)

Page 19: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Tip #4: Make sure you understand what we’re testing.

Page 20: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

OWASP Top 10 is our guide

1. Injection (SQLi, SOQL, XML, OS etc.)
2. Broken Authentication and Session Management
3. Cross Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross Site Request Forgery (CSRF)
9. Using Known Vulnerable Components (libraries, frameworks, software)
10. Unvalidated Redirects and Forwards
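Two of these categories as they typically surface in Apex code, shown as an added example that is not part of the slides: a SOQL query built by string concatenation (#1, Injection) beside its bind-variable and escaped forms, and an explicit object/field permission check (#7, Missing Function Level Access Control). The class and method names are hypothetical.

```apex
// Added example, not from the slides. Hypothetical controller showing how
// OWASP #1 (Injection, here SOQL) and #7 (Missing Function Level Access
// Control) look in Apex, with the fix placed beside each defect.
public with sharing class ContactSearchController {

    // VULNERABLE: user input is concatenated into dynamic SOQL. A single
    // quote inside lastName ends the string literal, and whatever follows it
    // is parsed as query syntax instead of as data.
    public static List<Contact> searchUnsafe(String lastName) {
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE LastName = \''
                    + lastName + '\'';
        return Database.query(soql);
    }

    // FIXED: static SOQL with a bind variable. The input is passed as a
    // value and never becomes part of the query text.
    public static List<Contact> searchSafe(String lastName) {
        return [SELECT Id, Name, Email FROM Contact WHERE LastName = :lastName];
    }

    // FIXED where a dynamic query is unavoidable: escape quotes before
    // concatenating, so the input cannot terminate the literal.
    public static List<Contact> searchDynamicSafe(String lastName) {
        String escaped = String.escapeSingleQuotes(lastName);
        return Database.query('SELECT Id, Name, Email FROM Contact WHERE LastName = \''
                              + escaped + '\'');
    }

    // ACCESS CONTROL: "with sharing" enforces record-level sharing only.
    // Object (CRUD) and field-level (FLS) permissions are not enforced by the
    // platform in Apex and must be checked explicitly before the read; the
    // review expects these checks in packaged code.
    public static List<Contact> searchWithAccessCheck(String lastName) {
        if (!Schema.sObjectType.Contact.isAccessible()
            || !Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            throw new System.NoAccessException();
        }
        return [SELECT Id, Name, Email FROM Contact WHERE LastName = :lastName];
    }
}
```

The same concatenation pattern with SOSL search strings or with user-controlled field names in ORDER BY clauses is reported by the code scanner under the same Injection category.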

Page 21: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

We look at your end-to-end solution (three columns on the slide; the column headings were not captured)

• Client side components (Flash, JavaScript)
• Integrations and web services
• Automated code scan
• Manual code review and black box testing

• Client side components (Flash, JavaScript)
• Integrations and web services
• Automated testing and manual black box testing
• Architecture review and web server testing

• Client and mobile applications
• Integrations and web services
• Manual hands-on testing of the application
• Architecture review and web server testing

Page 22: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Your app will come in one of the following patterns.

Page 23: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

This is what we call a native app: either it is built 100% on force.com

Diagram components: Custom Objects, Users, Accounts & Contacts, Reporting, Workflow

Page 24: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

We call this a composite app: or, it includes technology NOT on our platform

Diagram components: an off-platform side with Processing, Users, Data Storage and UI; a force.com side with Custom Objects, Users, Accounts & Contacts, Reporting and Workflow; the two connected through Open APIs (Custom/REST/SOAP API)

Page 25: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Tip #5: In both cases, the scope of the security review is the same.

Page 26: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

It’s everything inside the red box (diagram: the Native and Composite patterns)

Page 27: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

When you’re ready to submit, log into the Publishing Console.

Page 28: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Start (or Edit) Review to launch the Security Review Wizard

Page 29: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Make sure we have everything we need to test your app

Scope

• Complete end-to-end testing environment for all elements of your solution

Credentials

• Correct credentials to all systems
• Test account, Web App, other

Reports

• CodeScanner (Checkmarx) report
• ZAP or BURP report
• False positive documentation

Page 30: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Tip #6: Rule of thumb: provide everything a net-new customer will require to use your product.

Page 31: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Provide clean scans from testing tools

Force.com Code Scanner

• Static code analysis
• All Apex/Visualforce code must be scanned with Checkmarx
• Issues other than “Code Quality” must be addressed

Web App Scanner

• Set of tools for assessing web application security
• Any web application and/or web service component must be scanned
• Issues of “Low” severity and above must be addressed

Page 32: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Tip #7: Security testing tools are a great help. But, they are no substitute for making security a part of your software development lifecycle.

Page 33: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

If you fail, we send you a report of findings

Page 34: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Make sure you interpret the failure report correctly

• The report of findings is representative of issues found during a point-in-time test
• We test breadth, not depth
• All tests are time bound
• We are not experts on your code; we can’t find everything

The report is not a comprehensive list of all vulnerabilities

Page 35: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Tip #8: Use our report as a guide. Search your entire codebase for issues like the ones we found. Update your process to prevent future defects.

Page 36: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

When you pass, we send you an email to let you know

• You can list your application on the AppExchange
• New versions will “auto-pass” when you click “Start Review” and fully submit

Page 37: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Tip #9: All apps are subject to periodic review at any time.

Page 38: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

So, don’t forget to practice your strategy

Basic approach:

• Identify potential product vulnerability points at design time
• Put defenses in place to cover all possible input paths
• Institute coding standards to control risk from the start

→ It’s much harder to find and fix problems once you’ve committed to code

Lifecycle phases (from the slide’s diagram): Education → Design → Develop → Test → Release

Page 39: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Tip #10: We want you to succeed. We're here to help. Don't be afraid to ask!

Page 40: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Key takeaways

• Have a strategy
• Give yourself time to prepare
• Take advantage of our resources
• Understand the scope of security review
• Understand scanning tools, their use, and their limitations
• Remember: We’re here to help. Don’t be afraid to ask!

Page 41: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Be sure to enroll in Trust Academy

trustacademy.salesforce.com

Use your Partner Community credentials to get access.

3 courses available now:

1. Force.com Security Essentials
2. Security Auditing Tools
3. AppExchange Security Review

p.force.com/Security for more info

Page 42: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Secure Salesforce at Dreamforce 2015

• 10 DevZone Talks and 2 Lightning Zone Talks covering all aspects of Security on the Salesforce Platform
• Check out the schedule and details at http://bit.ly/DF15Sec
• Visit the Security booth in the DevZone with any security questions
• Admin-related security questions? Join us for coffee in the Admin Zone Security Café

Page 43: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Share Your Feedback, and Win a GoPro!

1. Enroll in a session
2. Tap the bell to take a survey
3. Earn a GoPro prize entry for each completed survey

Page 44: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Partner Community: your one-stop shop for education and engagement

http://partners.salesforce.com/

•  Partner Program Details

•  Communications

•  Training

•  Leads, Opportunities, & Projects

•  AppExchange Publishing

•  Webinars & Recordings

•  Office Hours

•  Sales & Marketing Resources

•  Technical Support

Page 45: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Looking for the Partner Session Replays and Slides? See the Partner Community Calendar – September 15-18, 2015

http://p.force.com/calendar

Page 46: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

New ISV Module on Trailhead: earn your badge!

https://trailhead.salesforce.com/module/isvforce_basics

Page 47: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Get into the Zone: The Partner Zone!

• Partner Community Theater
• Live feeds of the major Keynotes
• Free lunch served daily!
• Concierge
• Tech Expert Bar
• Partner Program Staff
• Charging stations
• Featured Partner Services
• Coffee Bar
• Prize Giveaways

Daily partner networking events – 3:00pm - 5:00pm

• Tuesday, Sept 15 – Luau Theme
• Wednesday, Sept 16 – Global Theme
• Thursday, Sept 17 – Fiesta Theme

Page 48: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Celebrate Success at the AppBash

AppBash “I left my Cloud in San Francisco”

• When: Wednesday, September 16
• Where: City View at the Metreon
• Who: Partners and Customers
• Access: Full Conference or Booth Pass plus ID required
• Time: 7:00pm – partners & alliances employees; 9:00pm – customers and employees welcome

Page 49: Insider's Guide to the AppExchange Security Review (Dreamforce 2015)

Thank you