SlideShare ist ein Scribd-Unternehmen logo

Secure Salesforce: Code Scanning with Checkmarx

Salesforce Developers
Salesforce Developers

Are you a fan of time saving tools? Did you know that Salesforce has teamed up with Checkmarx to offer free security scans of your platform code? Join us to learn how the Checkmarx code scanner will save you time and improve your security by analyzing your code and providing you with a free report. When you leave, you'll know exactly how to submit a scan request, which vulnerabilities will be found, and how to interpret the report.

Technologie
1 von 31
Downloaden Sie, um offline zu lesen
Secure Salesforce: Static Analysis as a Service Best Practices for using our Source Scanner ​ Robert Sussland ​ SMTS Product Security ​ rsussland@salesforce.com ​ 
​ Safe harbor statement under the Private Securities Litigation Reform Act of 1995: ​ This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward- looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. ​ The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. ​ Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements. Safe Harbor
Robert Sussland SMTS Product Security, Salesforce
Agenda •  Service Overview •  Intro to Static Analysis •  Static Analysis as a Service •  Parsing Results •  Pain Points and Solutions •  Demo •  Special Guest •  QA
Service Overview
Static Analysis with Checkmarx Suite
Static Analysis with Checkmarx Suite
Static Analysis with Checkmarx Suite •  Look for data flows from sources to sinks •  Sources: •  URL Parameters •  sObject Values •  User Input (e.g. in a form) •  @AuraEnabled methods •  Sinks •  Unescaped HTML (e.g. aura:unescapedHtml or VF escape=“false”) //XSS •  Database.query() //SOQL injection
Static Analysis with Checkmarx Suite •  If data flows from a source to sink without passing through a sanitizer, then report a vulnerability. •  Sanitizers: •  String.escapeSingleQuote() //SOQL injection •  HTMLENCODE() //VF page •  We don’t have a full string solver, or full information about data types or context:
Static Analysis with Checkmarx Suite •  If data flows from a source to sink without passing through a sanitizer, then report a vulnerability. •  Sanitizers: •  String.escapeSingleQuote() //SOQL injection •  HTMLENCODE() //VF page •  We don’t have a full string solver, or full information about data types or context: //vulnerable qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + taint + “ ‘ “;
Static Analysis with Checkmarx Suite •  If data flows from a source to sink without passing through a sanitizer, then report a vulnerability. •  Sanitizers: •  String.escapeSingleQuote() //SOQL injection •  HTMLENCODE() //VF page •  We don’t have a full string solver, or full information about data types or context: //vulnerable qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + taint + “ ‘ “; //vulnerable qry = “SELECT Name, “ + taint + “FROM Account LIMIT 1”;
Static Analysis with Checkmarx Suite •  False Positives and False Negatives String sanitized = String.escapeSingleQuotes(taint); //safe qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + sanitized + “ ‘ “; Database.query(qry); //vulnerable (FN) qry = “SELECT Name, “ + sanitized + “FROM Account LIMIT 1”; Database.query(qry);
Static Analysis with Checkmarx Suite •  False Negatives <a href=“{!HTMLENCODE(taint)}”>click here</a> //taint=javascript: •  Trade off between False Positives and False negatives •  Should a substring of a tainted string be tainted? •  Should the string replace of a tainted string be tainted? •  Should the concatenation of a tainted and untainted string be tainted? •  How do we know whether to HTMLENCODE, JSENCODE,URLENCODE?
How to Audit a Result Path •  Look at ends of path •  source should be a valid source •  sink should be a valid sink •  Follow from source to sink to verify that •  Escaping is appropriate for output context •  Escaping happens at the right place •  Escaping complies with your developer policies
Static Analysis as a Service •  We make access to Checkmarx static analysis available online for free •  Primary use case is Appexchange, not bespoke development •  Scan approximately 900 million lines of code per year (closing in on 1 billion lines/year) •  Average lines of code per app ~ 37,000 •  Approximately 20,000 apps per year (e.g. average of 54 apps/day) •  During peak usage, we process about 200 apps per day •  Scan time is averages approximately 12.5 lines of code/second, but highly variable •  Dramatic increase in pass rates
Contract with Checkmarx •  Previous contract •  Was for license (1 server) to be used for Appexchange scans •  Strategy was to throttle based on wait times •  Current contract •  Flexible licenses, but limit quantity and types of scans •  Appexchange – 3 free scans per app •  Non-appexchange – 30K lines of code per month
Pain Points and Solutions
Pain points and solutions •  False positives/false negatives •  Recommend to purchase your own scanner to adjust the rules •  Throttling based on code too large •  Limit increased to 750,000 lines of code in the new portal •  Limit will remain 500,000 lines of code for customers that are not parters •  Throttling based on email domain/too many scans submitted •  Removed in new Portal •  No report if no issues found •  New reports
Pain points and solutions •  Issues getting reports •  Many problems with emailing large files •  Addressed in new Portal •  Knowing scan status •  Addressed in new Portal •  Wait too long •  Solution is to add more capacity •  We added 3 servers this year, plan to add 3-6 more servers next year. •  But some scans will still get stuck and need to be resubmitted •  We will still be delayed during monthly patch times (third weekend of each month) •  We will still be delayed during upgrades/service (approx. 4 times per year)
Demo
Special Guest – Igor Matlin, Checkmarx
Integrate into your SDLC and Automate security scans Developers Source repository Fix suggestions Build management Auditor control panel Bug tracking SVN TFS TFS Bamboo Web Service API CLI CxAudit Checkmarx web client TeamMentor Dashboards DAST Integrations
Scan & Fix Your Code Security Flaws detailed remediation advice where to fix (best place to fix) vulnerable line of code IDE integration ? Attack vector IDE Plugins available for
Eclipse Checkmarx© Plugin
For more information about Checkmarx© Enterprise Grade Security Scanner please visit www.checkmarx.com/salesforce
Summary
Summary •  Understand the basics of dataflows to help detect false positives and false negatives •  Sign up for new portal! http://goo.gl/forms/OsZVkwWKR2 •  Look at CX offerings for your enterprise!
Secure Salesforce at Dreamforce 2015 ​  10 DevZone Talks and 2 Lighting Zone Talks covering all aspects of Security on the Salesforce Platform ​  Visit our booth in the DevZone with any security questions ​  Check out the schedule and details at http://bit.ly/DF15Sec ​  Admin-related security questions? ​  Join us for coffee in the Admin Zone Security Cafe
Secure Salesforce – Thursday Afternoon Lightning Components Best Practices ​  Robert Sussland and Sergey Gorbaty ​  4:45pm in Moscone West 2007 ​  Common Secure Coding Mistakes ​  Rachel Black and Alejandro Raigon Munoz ​  5:00pm in Moscone West 2006
Secure Salesforce – Friday ​  Chimera: External Integration Security ​  Tim Bach and Travis Safford ​  10:00am in Moscone West 2009
Thank you

Empfohlen

Enterprise Architecture Salesforce
Enterprise Architecture SalesforceEnterprise Architecture Salesforce
Enterprise Architecture SalesforcePeter Doolan
 
Salesforce Application Lifecycle Management presented to EA Forum by Sam Garf...
Salesforce Application Lifecycle Management presented to EA Forum by Sam Garf...Salesforce Application Lifecycle Management presented to EA Forum by Sam Garf...
Salesforce Application Lifecycle Management presented to EA Forum by Sam Garf...Sam Garforth
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSOAjit Dadresa
 
Dependency Injection with Apex
Dependency Injection with ApexDependency Injection with Apex
Dependency Injection with ApexSalesforce Developers
 
Sumo Logic QuickStart
Sumo Logic QuickStartSumo Logic QuickStart
Sumo Logic QuickStartSumo Logic
 
Lightning web components - Episode 4 : Security and Testing
Lightning web components - Episode 4 : Security and TestingLightning web components - Episode 4 : Security and Testing
Lightning web components - Episode 4 : Security and TestingSalesforce Developers
 
Security and Your Salesforce Org
Security and Your Salesforce OrgSecurity and Your Salesforce Org
Security and Your Salesforce OrgSalesforce Admins
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 

Empfohlen

Enterprise Architecture Salesforce
Enterprise Architecture SalesforceEnterprise Architecture Salesforce
Enterprise Architecture SalesforcePeter Doolan
 
Salesforce Application Lifecycle Management presented to EA Forum by Sam Garf...
Salesforce Application Lifecycle Management presented to EA Forum by Sam Garf...Salesforce Application Lifecycle Management presented to EA Forum by Sam Garf...
Salesforce Application Lifecycle Management presented to EA Forum by Sam Garf...Sam Garforth
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSOAjit Dadresa
 
Dependency Injection with Apex
Dependency Injection with ApexDependency Injection with Apex
Dependency Injection with ApexSalesforce Developers
 
Sumo Logic QuickStart
Sumo Logic QuickStartSumo Logic QuickStart
Sumo Logic QuickStartSumo Logic
 
Lightning web components - Episode 4 : Security and Testing
Lightning web components - Episode 4 : Security and TestingLightning web components - Episode 4 : Security and Testing
Lightning web components - Episode 4 : Security and TestingSalesforce Developers
 
Security and Your Salesforce Org
Security and Your Salesforce OrgSecurity and Your Salesforce Org
Security and Your Salesforce OrgSalesforce Admins
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
Flow in Salesforce
Flow in SalesforceFlow in Salesforce
Flow in Salesforcevikas singh
 
Partner Community User Guide for Consulting Partners
Partner Community User Guide for Consulting PartnersPartner Community User Guide for Consulting Partners
Partner Community User Guide for Consulting PartnersSalesforce Partners
 
Lwc presentation
Lwc presentationLwc presentation
Lwc presentationNithesh N
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Denim Group
 
Release & Change management in salesforce
Release & Change management in salesforceRelease & Change management in salesforce
Release & Change management in salesforceKalyan Lanka ☁
 
Commerce Cloud 101
Commerce Cloud 101Commerce Cloud 101
Commerce Cloud 101Gaurav Kheterpal
 
Decluttering your Salesfroce org
Decluttering your Salesfroce orgDecluttering your Salesfroce org
Decluttering your Salesfroce orgRoy Gilad
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Nilesh Sapariya
 
Understanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We DoUnderstanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We DoSalesforce Developers
 
SSO introduction
SSO introductionSSO introduction
SSO introductionAidy Tificate
 
Single Sign On Considerations
Single Sign On ConsiderationsSingle Sign On Considerations
Single Sign On ConsiderationsVenkat Gattamaneni
 
Salesforce Cross-Cloud Architecture
Salesforce Cross-Cloud ArchitectureSalesforce Cross-Cloud Architecture
Salesforce Cross-Cloud ArchitectureThierry TROUIN ☁
 
Introduction to lightning web component
Introduction to lightning web component Introduction to lightning web component
Introduction to lightning web component Sudipta Deb ☁
 
Introduction to Visualforce
Introduction to VisualforceIntroduction to Visualforce
Introduction to VisualforceSalesforce Developers
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
 
Choosing domain and IP address for Salesforce Marketing Cloud
Choosing domain and IP address for Salesforce Marketing CloudChoosing domain and IP address for Salesforce Marketing Cloud
Choosing domain and IP address for Salesforce Marketing CloudArek Rafflewski
 
Planning Your Migration to the Lightning Experience
Planning Your Migration to the Lightning ExperiencePlanning Your Migration to the Lightning Experience
Planning Your Migration to the Lightning ExperienceShell Black
 
Data model in salesforce
Data model in salesforceData model in salesforce
Data model in salesforceChamil Madusanka
 
Salesforce Release Management and Continuous Integration with AutoRABIT
Salesforce Release Management and Continuous Integration with AutoRABITSalesforce Release Management and Continuous Integration with AutoRABIT
Salesforce Release Management and Continuous Integration with AutoRABITAutoRABIT
 
Introduction to the Salesforce Security Model
Introduction to the Salesforce Security ModelIntroduction to the Salesforce Security Model
Introduction to the Salesforce Security ModelSalesforce Developers
 
Secure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSecure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSalesforce Developers
 
Salesforce Security Review Tips and Tricks
Salesforce Security Review Tips and TricksSalesforce Security Review Tips and Tricks
Salesforce Security Review Tips and TricksRyan Flood
 

Weitere ähnliche Inhalte

Was ist angesagt?

Flow in Salesforce
Flow in SalesforceFlow in Salesforce
Flow in Salesforcevikas singh
 
Partner Community User Guide for Consulting Partners
Partner Community User Guide for Consulting PartnersPartner Community User Guide for Consulting Partners
Partner Community User Guide for Consulting PartnersSalesforce Partners
 
Lwc presentation
Lwc presentationLwc presentation
Lwc presentationNithesh N
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Denim Group
 
Release & Change management in salesforce
Release & Change management in salesforceRelease & Change management in salesforce
Release & Change management in salesforceKalyan Lanka ☁
 
Decluttering your Salesfroce org
Decluttering your Salesfroce orgDecluttering your Salesfroce org
Decluttering your Salesfroce orgRoy Gilad
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Nilesh Sapariya
 
Understanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We DoUnderstanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We DoSalesforce Developers
 
Salesforce Cross-Cloud Architecture
Salesforce Cross-Cloud ArchitectureSalesforce Cross-Cloud Architecture
Salesforce Cross-Cloud ArchitectureThierry TROUIN ☁
 
Introduction to lightning web component
Introduction to lightning web component Introduction to lightning web component
Introduction to lightning web component Sudipta Deb ☁
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
 
Choosing domain and IP address for Salesforce Marketing Cloud
Choosing domain and IP address for Salesforce Marketing CloudChoosing domain and IP address for Salesforce Marketing Cloud
Choosing domain and IP address for Salesforce Marketing CloudArek Rafflewski
 
Planning Your Migration to the Lightning Experience
Planning Your Migration to the Lightning ExperiencePlanning Your Migration to the Lightning Experience
Planning Your Migration to the Lightning ExperienceShell Black
 
Salesforce Release Management and Continuous Integration with AutoRABIT
Salesforce Release Management and Continuous Integration with AutoRABITSalesforce Release Management and Continuous Integration with AutoRABIT
Salesforce Release Management and Continuous Integration with AutoRABITAutoRABIT
 
Introduction to the Salesforce Security Model
Introduction to the Salesforce Security ModelIntroduction to the Salesforce Security Model
Introduction to the Salesforce Security ModelSalesforce Developers
 

Was ist angesagt? (20)

Flow in Salesforce
Flow in SalesforceFlow in Salesforce
Flow in Salesforce
 
Partner Community User Guide for Consulting Partners
Partner Community User Guide for Consulting PartnersPartner Community User Guide for Consulting Partners
Partner Community User Guide for Consulting Partners
 
Lwc presentation
Lwc presentationLwc presentation
Lwc presentation
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
 
Release & Change management in salesforce
Release & Change management in salesforceRelease & Change management in salesforce
Release & Change management in salesforce
 
Commerce Cloud 101
Commerce Cloud 101Commerce Cloud 101
Commerce Cloud 101
 
Decluttering your Salesfroce org
Decluttering your Salesfroce orgDecluttering your Salesfroce org
Decluttering your Salesfroce org
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
 
Understanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We DoUnderstanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We Do
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
 
Single Sign On Considerations
Single Sign On ConsiderationsSingle Sign On Considerations
Single Sign On Considerations
 
Salesforce Cross-Cloud Architecture
Salesforce Cross-Cloud ArchitectureSalesforce Cross-Cloud Architecture
Salesforce Cross-Cloud Architecture
 
Introduction to lightning web component
Introduction to lightning web component Introduction to lightning web component
Introduction to lightning web component
 
Introduction to Visualforce
Introduction to VisualforceIntroduction to Visualforce
Introduction to Visualforce
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application Technologies
 
Choosing domain and IP address for Salesforce Marketing Cloud
Choosing domain and IP address for Salesforce Marketing CloudChoosing domain and IP address for Salesforce Marketing Cloud
Choosing domain and IP address for Salesforce Marketing Cloud
 
Planning Your Migration to the Lightning Experience
Planning Your Migration to the Lightning ExperiencePlanning Your Migration to the Lightning Experience
Planning Your Migration to the Lightning Experience
 
Data model in salesforce
Data model in salesforceData model in salesforce
Data model in salesforce
 
Salesforce Release Management and Continuous Integration with AutoRABIT
Salesforce Release Management and Continuous Integration with AutoRABITSalesforce Release Management and Continuous Integration with AutoRABIT
Salesforce Release Management and Continuous Integration with AutoRABIT
 
Introduction to the Salesforce Security Model
Introduction to the Salesforce Security ModelIntroduction to the Salesforce Security Model
Introduction to the Salesforce Security Model
 

Ähnlich wie Secure Salesforce: Code Scanning with Checkmarx

Secure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSecure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSalesforce Developers
 
Salesforce Security Review Tips and Tricks
Salesforce Security Review Tips and TricksSalesforce Security Review Tips and Tricks
Salesforce Security Review Tips and TricksRyan Flood
 
Designing custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.comDesigning custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.comSteven Herod
 
Salesforce Multitenant Architecture: How We Do the Magic We Do
Salesforce Multitenant Architecture: How We Do the Magic We DoSalesforce Multitenant Architecture: How We Do the Magic We Do
Salesforce Multitenant Architecture: How We Do the Magic We DoSalesforce Developers
 
Designing Custom REST and SOAP Interfaces on Force.com
Designing Custom REST and SOAP Interfaces on Force.comDesigning Custom REST and SOAP Interfaces on Force.com
Designing Custom REST and SOAP Interfaces on Force.comSalesforce Developers
 
An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)Salesforce Partners
 
DevOps in Salesforce AppCloud
DevOps in Salesforce AppCloudDevOps in Salesforce AppCloud
DevOps in Salesforce AppCloudrsg00usa
 
Secure Salesforce: Common Secure Coding Mistakes
Secure Salesforce: Common Secure Coding MistakesSecure Salesforce: Common Secure Coding Mistakes
Secure Salesforce: Common Secure Coding MistakesSalesforce Developers
 
Building Apps Faster with Lightning and Winter '17
Building Apps Faster with Lightning and Winter '17Building Apps Faster with Lightning and Winter '17
Building Apps Faster with Lightning and Winter '17Mark Adcock
 
Building apps faster with lightning and winter '17
Building apps faster with lightning and winter '17Building apps faster with lightning and winter '17
Building apps faster with lightning and winter '17Salesforce Developers
 
Design Patterns Every ISV Needs to Know (October 15, 2014)
Design Patterns Every ISV Needs to Know (October 15, 2014)Design Patterns Every ISV Needs to Know (October 15, 2014)
Design Patterns Every ISV Needs to Know (October 15, 2014)Salesforce Partners
 
ApexUnit: Open source test framework for apex
ApexUnit: Open source test framework for apexApexUnit: Open source test framework for apex
ApexUnit: Open source test framework for apexVamshidhar Gandham
 
Developing Offline Mobile Apps with Salesforce Mobile SDK SmartStore
Developing Offline Mobile Apps with Salesforce Mobile SDK SmartStoreDeveloping Offline Mobile Apps with Salesforce Mobile SDK SmartStore
Developing Offline Mobile Apps with Salesforce Mobile SDK SmartStoreTom Gersic
 
Design Patterns: ISV Recipes for Success (Dreamforce 2015)
Design Patterns: ISV Recipes for Success (Dreamforce 2015)Design Patterns: ISV Recipes for Success (Dreamforce 2015)
Design Patterns: ISV Recipes for Success (Dreamforce 2015)Salesforce Partners
 
Real-Time Data Feeds Using the Streaming API
Real-Time Data Feeds Using the Streaming APIReal-Time Data Feeds Using the Streaming API
Real-Time Data Feeds Using the Streaming APISalesforce Developers
 
Salesforce shield &amp; summer 20 release
Salesforce shield &amp; summer 20 releaseSalesforce shield &amp; summer 20 release
Salesforce shield &amp; summer 20 releaseDevendra Sawant
 
Blurring the Boundaries Between Salesforce Orgs
Blurring the Boundaries Between Salesforce OrgsBlurring the Boundaries Between Salesforce Orgs
Blurring the Boundaries Between Salesforce OrgsSalesforce Developers
 
Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Mark Adcock
 

Ähnlich wie Secure Salesforce: Code Scanning with Checkmarx (20)

Secure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSecure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best Practices
 
Salesforce Security Review Tips and Tricks
Salesforce Security Review Tips and TricksSalesforce Security Review Tips and Tricks
Salesforce Security Review Tips and Tricks
 
Designing custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.comDesigning custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.com
 
Salesforce Multitenant Architecture: How We Do the Magic We Do
Salesforce Multitenant Architecture: How We Do the Magic We DoSalesforce Multitenant Architecture: How We Do the Magic We Do
Salesforce Multitenant Architecture: How We Do the Magic We Do
 
Designing Custom REST and SOAP Interfaces on Force.com
Designing Custom REST and SOAP Interfaces on Force.comDesigning Custom REST and SOAP Interfaces on Force.com
Designing Custom REST and SOAP Interfaces on Force.com
 
An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)
 
DevOps in Salesforce AppCloud
DevOps in Salesforce AppCloudDevOps in Salesforce AppCloud
DevOps in Salesforce AppCloud
 
Coding in the App Cloud
Coding in the App CloudCoding in the App Cloud
Coding in the App Cloud
 
Secure Salesforce: Common Secure Coding Mistakes
Secure Salesforce: Common Secure Coding MistakesSecure Salesforce: Common Secure Coding Mistakes
Secure Salesforce: Common Secure Coding Mistakes
 
Building Apps Faster with Lightning and Winter '17
Building Apps Faster with Lightning and Winter '17Building Apps Faster with Lightning and Winter '17
Building Apps Faster with Lightning and Winter '17
 
Building apps faster with lightning and winter '17
Building apps faster with lightning and winter '17Building apps faster with lightning and winter '17
Building apps faster with lightning and winter '17
 
Design Patterns Every ISV Needs to Know (October 15, 2014)
Design Patterns Every ISV Needs to Know (October 15, 2014)Design Patterns Every ISV Needs to Know (October 15, 2014)
Design Patterns Every ISV Needs to Know (October 15, 2014)
 
ApexUnit: Open source test framework for apex
ApexUnit: Open source test framework for apexApexUnit: Open source test framework for apex
ApexUnit: Open source test framework for apex
 
Developing Offline Mobile Apps with Salesforce Mobile SDK SmartStore
Developing Offline Mobile Apps with Salesforce Mobile SDK SmartStoreDeveloping Offline Mobile Apps with Salesforce Mobile SDK SmartStore
Developing Offline Mobile Apps with Salesforce Mobile SDK SmartStore
 
Design Patterns: ISV Recipes for Success (Dreamforce 2015)
Design Patterns: ISV Recipes for Success (Dreamforce 2015)Design Patterns: ISV Recipes for Success (Dreamforce 2015)
Design Patterns: ISV Recipes for Success (Dreamforce 2015)
 
Real-Time Data Feeds Using the Streaming API
Real-Time Data Feeds Using the Streaming APIReal-Time Data Feeds Using the Streaming API
Real-Time Data Feeds Using the Streaming API
 
Salesforce shield &amp; summer 20 release
Salesforce shield &amp; summer 20 releaseSalesforce shield &amp; summer 20 release
Salesforce shield &amp; summer 20 release
 
Using the Google SOAP API
Using the Google SOAP APIUsing the Google SOAP API
Using the Google SOAP API
 
Blurring the Boundaries Between Salesforce Orgs
Blurring the Boundaries Between Salesforce OrgsBlurring the Boundaries Between Salesforce Orgs
Blurring the Boundaries Between Salesforce Orgs
 
Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3
 

Mehr von Salesforce Developers

Sample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce DevelopersSample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce DevelopersSalesforce Developers
 
Maximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component PerformanceMaximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component PerformanceSalesforce Developers
 
Local development with Open Source Base Components
Local development with Open Source Base ComponentsLocal development with Open Source Base Components
Local development with Open Source Base ComponentsSalesforce Developers
 
TrailheaDX India : Developer Highlights
TrailheaDX India : Developer HighlightsTrailheaDX India : Developer Highlights
TrailheaDX India : Developer HighlightsSalesforce Developers
 
Why developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX IndiaWhy developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX IndiaSalesforce Developers
 
CodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local DevelopmentCodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local DevelopmentSalesforce Developers
 
CodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web ComponentsCodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web ComponentsSalesforce Developers
 
Enterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web ComponentsEnterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web ComponentsSalesforce Developers
 
TrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer HighlightsTrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer HighlightsSalesforce Developers
 
LWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura InteroperabilityLWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura InteroperabilitySalesforce Developers
 
Lightning web components episode 2- work with salesforce data
Lightning web components episode 2- work with salesforce dataLightning web components episode 2- work with salesforce data
Lightning web components episode 2- work with salesforce dataSalesforce Developers
 
Lightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An IntroductionLightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An IntroductionSalesforce Developers
 
Migrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPMigrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPSalesforce Developers
 
Scale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceScale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceSalesforce Developers
 
Replicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureReplicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureSalesforce Developers
 
Modern Development with Salesforce DX
Modern Development with Salesforce DXModern Development with Salesforce DX
Modern Development with Salesforce DXSalesforce Developers
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectIntegrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectSalesforce Developers
 

Mehr von Salesforce Developers (20)

Sample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce DevelopersSample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce Developers
 
Maximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component PerformanceMaximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component Performance
 
Local development with Open Source Base Components
Local development with Open Source Base ComponentsLocal development with Open Source Base Components
Local development with Open Source Base Components
 
TrailheaDX India : Developer Highlights
TrailheaDX India : Developer HighlightsTrailheaDX India : Developer Highlights
TrailheaDX India : Developer Highlights
 
Why developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX IndiaWhy developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX India
 
CodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local DevelopmentCodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local Development
 
CodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web ComponentsCodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web Components
 
Enterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web ComponentsEnterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web Components
 
TrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer HighlightsTrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer Highlights
 
Live coding with LWC
Live coding with LWCLive coding with LWC
Live coding with LWC
 
LWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura InteroperabilityLWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura Interoperability
 
Lightning web components episode 2- work with salesforce data
Lightning web components episode 2- work with salesforce dataLightning web components episode 2- work with salesforce data
Lightning web components episode 2- work with salesforce data
 
Lightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An IntroductionLightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An Introduction
 
Migrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPMigrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCP
 
Scale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceScale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in Salesforce
 
Replicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureReplicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data Capture
 
Modern Development with Salesforce DX
Modern Development with Salesforce DXModern Development with Salesforce DX
Modern Development with Salesforce DX
 
Get Into Lightning Flow Development
Get Into Lightning Flow DevelopmentGet Into Lightning Flow Development
Get Into Lightning Flow Development
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectIntegrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS Connect
 
Introduction to MuleSoft
Introduction to MuleSoftIntroduction to MuleSoft
Introduction to MuleSoft
 

Kürzlich hochgeladen

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 

Kürzlich hochgeladen (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 

Secure Salesforce: Code Scanning with Checkmarx

  • 1. Secure Salesforce: Static Analysis as a Service Best Practices for using our Source Scanner ​ Robert Sussland ​ SMTS Product Security ​ rsussland@salesforce.com ​ 
  • 2. ​ Safe harbor statement under the Private Securities Litigation Reform Act of 1995: ​ This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward- looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. ​ The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. ​ Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements. Safe Harbor
  • 3. Robert Sussland SMTS Product Security, Salesforce
  • 4. Agenda •  Service Overview •  Intro to Static Analysis •  Static Analysis as a Service •  Parsing Results •  Pain Points and Solutions •  Demo •  Special Guest •  QA
  • 6. Static Analysis with Checkmarx Suite
  • 7. Static Analysis with Checkmarx Suite
  • 8. Static Analysis with Checkmarx Suite •  Look for data flows from sources to sinks •  Sources: •  URL Parameters •  sObject Values •  User Input (e.g. in a form) •  @AuraEnabled methods •  Sinks •  Unescaped HTML (e.g. aura:unescapedHtml or VF escape=“false”) //XSS •  Database.query() //SOQL injection
  • 9. Static Analysis with Checkmarx Suite •  If data flows from a source to sink without passing through a sanitizer, then report a vulnerability. •  Sanitizers: •  String.escapeSingleQuote() //SOQL injection •  HTMLENCODE() //VF page •  We don’t have a full string solver, or full information about data types or context:
  • 10. Static Analysis with Checkmarx Suite •  If data flows from a source to sink without passing through a sanitizer, then report a vulnerability. •  Sanitizers: •  String.escapeSingleQuote() //SOQL injection •  HTMLENCODE() //VF page •  We don’t have a full string solver, or full information about data types or context: //vulnerable qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + taint + “ ‘ “;
  • 11. Static Analysis with Checkmarx Suite •  If data flows from a source to sink without passing through a sanitizer, then report a vulnerability. •  Sanitizers: •  String.escapeSingleQuote() //SOQL injection •  HTMLENCODE() //VF page •  We don’t have a full string solver, or full information about data types or context: //vulnerable qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + taint + “ ‘ “; //vulnerable qry = “SELECT Name, “ + taint + “FROM Account LIMIT 1”;
  • 12. Static Analysis with Checkmarx Suite •  False Positives and False Negatives String sanitized = String.escapeSingleQuotes(taint); //safe qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + sanitized + “ ‘ “; Database.query(qry); //vulnerable (FN) qry = “SELECT Name, “ + sanitized + “FROM Account LIMIT 1”; Database.query(qry);
  • 13. Static Analysis with Checkmarx Suite •  False Negatives <a href=“{!HTMLENCODE(taint)}”>click here</a> //taint=javascript: •  Trade off between False Positives and False negatives •  Should a substring of a tainted string be tainted? •  Should the string replace of a tainted string be tainted? •  Should the concatenation of a tainted and untainted string be tainted? •  How do we know whether to HTMLENCODE, JSENCODE,URLENCODE?
  • 14. How to Audit a Result Path •  Look at ends of path •  source should be a valid source •  sink should be a valid sink •  Follow from source to sink to verify that •  Escaping is appropriate for output context •  Escaping happens at the right place •  Escaping complies with your developer policies
  • 15. Static Analysis as a Service •  We make access to Checkmarx static analysis available online for free •  Primary use case is Appexchange, not bespoke development •  Scan approximately 900 million lines of code per year (closing in on 1 billion lines/year) •  Average lines of code per app ~ 37,000 •  Approximately 20,000 apps per year (e.g. average of 54 apps/day) •  During peak usage, we process about 200 apps per day •  Scan time is averages approximately 12.5 lines of code/second, but highly variable •  Dramatic increase in pass rates
  • 16. Contract with Checkmarx •  Previous contract •  Was for license (1 server) to be used for Appexchange scans •  Strategy was to throttle based on wait times •  Current contract •  Flexible licenses, but limit quantity and types of scans •  Appexchange – 3 free scans per app •  Non-appexchange – 30K lines of code per month
  • 17. Pain Points and Solutions
  • 18. Pain points and solutions •  False positives/false negatives •  Recommend to purchase your own scanner to adjust the rules •  Throttling based on code too large •  Limit increased to 750,000 lines of code in the new portal •  Limit will remain 500,000 lines of code for customers that are not parters •  Throttling based on email domain/too many scans submitted •  Removed in new Portal •  No report if no issues found •  New reports
  • 19. Pain points and solutions •  Issues getting reports •  Many problems with emailing large files •  Addressed in new Portal •  Knowing scan status •  Addressed in new Portal •  Wait too long •  Solution is to add more capacity •  We added 3 servers this year, plan to add 3-6 more servers next year. •  But some scans will still get stuck and need to be resubmitted •  We will still be delayed during monthly patch times (third weekend of each month) •  We will still be delayed during upgrades/service (approx. 4 times per year)
  • 20. Demo
  • 21. Special Guest – Igor Matlin, Checkmarx
  • 22. Integrate into your SDLC and Automate security scans Developers Source repository Fix suggestions Build management Auditor control panel Bug tracking SVN TFS TFS Bamboo Web Service API CLI CxAudit Checkmarx web client TeamMentor Dashboards DAST Integrations
  • 23. Scan & Fix Your Code Security Flaws detailed remediation advice where to fix (best place to fix) vulnerable line of code IDE integration ? Attack vector IDE Plugins available for
  • 25. For more information about Checkmarx© Enterprise Grade Security Scanner please visit www.checkmarx.com/salesforce
  • 27. Summary •  Understand the basics of dataflows to help detect false positives and false negatives •  Sign up for new portal! http://goo.gl/forms/OsZVkwWKR2 •  Look at CX offerings for your enterprise!
  • 28. Secure Salesforce at Dreamforce 2015 ​  10 DevZone Talks and 2 Lighting Zone Talks covering all aspects of Security on the Salesforce Platform ​  Visit our booth in the DevZone with any security questions ​  Check out the schedule and details at http://bit.ly/DF15Sec ​  Admin-related security questions? ​  Join us for coffee in the Admin Zone Security Cafe
  • 29. Secure Salesforce – Thursday Afternoon Lightning Components Best Practices ​  Robert Sussland and Sergey Gorbaty ​  4:45pm in Moscone West 2007 ​  Common Secure Coding Mistakes ​  Rachel Black and Alejandro Raigon Munoz ​  5:00pm in Moscone West 2006
  • 30. Secure Salesforce – Friday ​  Chimera: External Integration Security ​  Tim Bach and Travis Safford ​  10:00am in Moscone West 2009