Building Secure Apps in the Cloud - Dreamforce - 9/20
•
0 likes•787 views
This document provides an overview of building secure applications in the cloud. It discusses Salesforce's philosophy of putting customer privacy and security first. It also covers Salesforce's security review process for applications, common vulnerabilities tested for like injection flaws and cross-site scripting, and resources available to help partners develop securely like guidelines, code scanning tools, and office hours support.
Report
Share
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (16)
Similar to Building Secure Apps in the Cloud - Dreamforce - 9/20
Similar to Building Secure Apps in the Cloud - Dreamforce - 9/20 (20)
More from Salesforce Partners
More from Salesforce Partners (20)
Recently uploaded
Recently uploaded (20)
Building Secure Apps in the Cloud - Dreamforce - 9/20
- 1. Building Secure Applications in the Cloud James Dolph, Salesforce.com, Product Security Senior Manager @SecureCloudDev
- 2. Safe harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10- Q for the most recent fiscal quarter ended July 31, 2012. This documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
- 3. Agenda • Philosophy and overview • Resources and tips • Collaborate and get help • Takeaways
- 5. Nothing is more important to our company than the privacy of our customer's data -Parker Harris Executive VP, Technology Salesforce.com
- 6. In the news 1.5 Million Hotel chain BitCoin bank credit card multiple hacked numbers stolen compromises • $250K stolen • Stock dropped • $10.6m in Fraud • Suspended operations • Visa dropped from • FTC fine compliant list • 600k+ accounts
- 7. Security Review • Mandatory • Enterprise level • Application Focused
- 8. What’s in scope Force.com Native: Apex, Visualforce, Anything in a package. Web Apps: Application or web service hosted on Heroku, other PAAS or hosting provider. PAAS Web Client and Applications Mobile Apps Client and Mobile: Apps installed on customer computers, mobile devices or data center.
- 9. What we test • Automated code scan • Manual code review and black box testing • Client side components (Flash. JavaScript) • Integrations and web services • Automated testing and manual black box testing Web • Client side components (Flash, JavaScript) Applications • Integrations and web services • Architecture review and web server testing • Manual hands on testing of the application Client and • Integrations and web services Mobile Apps • Architecture review and web server testing
- 10. OWASP Top 10 (2010) 1. Injection (SQLi, XML, LDAP etc.) 2. Cross Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access (e.g. admin pages) 9. Insufficient Transport Layer Protection (SSL, Config) 10. Unvalidated Redirects and Forwards
- 11. ISV Security Review Outcomes Approved: • Meets our requirements • Offering can be listed on the AppExchange • Subsequent review is scheduled Provisionally Approved (very rarely issued): • Meets our requirements but may have very low risk issues as determined by review team • The offering can be temporarily listed on the AppExchange • Failure to remedy issues in a timely manner results in removal from the AppExchange Not Approved: • Does not meet our requirements • New Partners are not permitted to list on AppExchange until all issues are fixed • Existing offerings are delisted from the AppExchange if they fail to remediate issues
- 12. Why do offerings pass or fail Why offerings pass Why offerings don’t pass • Early testing and prep • Lack of testing and prep • Understanding • Misunderstanding requirements requirements • Understanding scope • Limiting scope • Use ISV resources • Not using ISV resources
- 14. Secure Cloud Development http://developer.force.com/security • Secure Coding Guidelines • Secure Coding Library • Security Self-Assessment • Partner security office hours • Force.com Security Code Scanner • ISV program partners receive a free web application scanning tool license
- 15. Native app security tips • Business logic issues • Client side issues • Flash and Silverlight • Merge fields in JavaScript blocks or on* methods • S-Controls and custom buttons/links • Secure callouts / secure JS includes Native • Secure storage of data
- 16. Web app and client app tips • Business logic issues • Multitenancy access control enforcement • CSRF • Client side issues • Flash and Silverlight issues • Secure JS includes Composite and Client • Secure storage of credentials, tokens, and keys
- 17. Collaborate and get help
- 18. Collaborate and get help • Secure Cloud Development • Force.com discussion boards • Partner Portal • Twitter @SecureCloudDev • ISV Office hours • Email
- 19. ISV Office Hours http://bit.ly/ISVSecurityOfficeHours
- 20. Takeaways
- 21. Takeaways • We want you to succeed • Preparation is key • Take advantage of our resources • Give yourself time • We’re here to help
- 22. Wrap up
- 23. DF12 ISV Success Sessions Great sessions for each phase of the lifecycle Plan Build Distribute Sell Support ISV Kickoff: Getting Started Distributing & Licensing Your App How to Support Your Customers How to Architect & Design Your App Automate Your App Sales ISV PM Product Roadmap Designing Social Apps (Workshop) Extend Your Commercial Force.com App Expanding Your Marketing Reach with AppExchange Team Development and Release Mgmt Marketing Best Practices in the Social Era Building Secure Applications in the Cloud Mastering the Direct Sales Model Selling Social Apps Follow sessions and join the Partner Success Group on
- 24. A Few Reminders. . . Why Work With a PDO Partner Success Experts Innovation Theater and Lounge 1:1 Success Clinics Innovation Theater and Lounge Need to relax? Have a massage! Check out the Partner Hub 540 Howard Street Survey (Session Record) Cloud Crawl (Thursday Night) Follow us on Twitter @partnerforce
- 25. Partner Hub – Speaker Debrief Why Work With a PDO Partner Success Clinics Welcome Desk Speaker Debrief Area