SlideShare a Scribd company logo

Secure Salesforce: Secret Storage in Your Salesforce Instance

Salesforce Developers
Salesforce Developers

Preparing to integrate? Join us to better understand how to store sensitive secrets on the Force.com Platform. Learn all the best practices for keeping your passwords, keys, and tokens secure. We will walk you through encrypted fields, protected custom settings, managed packages, and the brand new Named Credentials feature to provide you with all the knowledge you need to store a secret.

Technology
1 of 30
Download to read offline
Secure Salesforce: Storing Secrets In Your Salesforce Instance Kyle Tobener Manager, Enterprise Security @KyleKyle Ian Goldsmith Lead Incident Handler
Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
No Photos Required…. Slides and demos will be made available after the talk!
Primary Topic Today: Secrets •  We will be covering developer-oriented topics on secret storage for the Salesforce Platform •  Specific features to cover include: –  Secrets in named credentials –  Secrets in custom settings –  Proper secret usage •  Useful for anyone in the following areas: –  Salesforce Developers (primarily) –  Salesforce Administrators –  Prospective Partners
What is a secret? Ø Simple Definition: A piece of data that requires higher than normal protection Ø For Our Purposes: A secret will be a piece of data that nobody should see, like a password or encryption key
Who do we secure secrets from? • Attackers • Regular Users • Partners • Administrators (Biggest Challenge) Basically everyone… Why? • Theft of data • Impersonation • Privilege escalation
Secret in Named Credentials
Named Credentials Overview Named credentials are a new feature for secret storage built into the Salesforce platform. What does this mean? Managed protected custom settings offer security benefits, while unmanaged protected custom settings are worse than regular sObjects (because they lack FLS and CRUD settings). 8
Named Credentials – Storage Method 1.  Create a new named credential. 2.  Add the URL + secret to the named credential. 3.  Invoke the named credential in the httpRequest.
Named Credentials – Breakdown Pros • Easy to create • Easy to invoke • Secret is not visible in the UI to anyone. • Secret is not leaked in the debug logs. Cons • Only works for httpRequests and certain authentication schemes. • URL can be updated separately from the secret, potentially leaking secret.
Demo: Secrets in Named Credentials
Secrets in Custom Settings
Custom Settings Overview Custom settings are stripped down sObjects exposed to the application cache, enabling efficient access for developers. Protected versus Public: What is the difference? Protected Custom Settings can only be accessed from the namespace they exist in. •  In a managed package, the namespace is that of the package •  In an unmanaged package, the namespace is the local namespace (so no effect) What does this mean? •  Managed Protected Custom Settings – Extra Security Benefits •  Managed Public / Local Public / Local Protected – No security benefits, worse for secrets than sObjects 13
Managed Protected Custom Settings – Storage Method 1.  Create a managed package 2.  Create a protected custom setting inside the package 3.  Create a Visualforce page inside the package to create/update the secret §  (transient string, should not return secret to the view state) 4.  Access and use the secret inside the managed package
Custom Setting Diagram 15
Managed Protected Custom Setting – Breakdown Pros • Secret only available to Apex code within managed package namespace • Can store encryption key to scale Cons • Requires a managed package! • Methods must be well-coded to prevent secret exposure
Managed Package Architecture 17
Demo: Secrets in Custom Settings
Using Managed Protected Custom Settings Properly
Overview Using Managed Protected Custom Settings Properly Secret storage solutions with managed protected custom settings are developed in Apex and Visualforce, and because of this there are some best practices that must be followed: • Properly encapsulating secret usage in the managed package • Properly handling secret dependencies • Avoiding secret reflection
Properly Encapsulating Secret Usage What is encapsulation? Keeping functionality inside the managed package. Why encapsulate? Namespace benefits on work INSIDE the managed package. Anything leaving the package loses benefits. Things to consider for encapsulation: •  User interaction - Visualforce page/component inside the managed package. •  Using the secret – Code must be contained within the managed package. •  Invoking secret usage - Done with a global method, secret never returned outside of the managed package.
Properly Handling Secret Dependencies What are secret dependencies? If a secret is tied to another piece of information, a dependency is created. Examples: •  Passwords can be dependent on URLs •  Encryption keys can be dependent on Salts. Secret dependency best practices: •  Secrets and dependencies are controlled from the same place •  If dependant is updated, secret should be updated. This prevents the attacker from gaining additional information. –  Example: If a URL is updated, password should change too!
Avoiding Secret Reflection What is secret reflection? Developers often mistakenly allow a secret to be reflected from the controller (Apex) to the view (Visualforce). Since the view is client-side, the risk of secret exposure increases dramatically! Secret reflection Best Practices •  Beware hidden inputs – hidden inputs often show secret in clear within source •  Use transient keyword – transient keyword prevents secret from being stored in the Visualforce viewstate.
Demo: Proper Secret Usage
Recap Here are the forms of secret storage that we covered: 1.  Named Credentials •  Pro – Simple. No secret reflected in UI or debug logs. •  Con – URL can be changed and secret leaked, only works with httpRequests v  Works well with: Passwords and Oauth tokens that don’t come with admin privileges 2.  Managed Protected Custom Setting (Secret Storage Best Practice) •  Pro – Most secure option. Protects against users with elevated permissions such as Modify all Data •  Con – Requires a managed package. Requires careful attention to code (see below) v  Works well with: Passwords, oAuth Tokens, Encryption Keys 3.  Using Managed Protected Custom Settings Properly •  Properly encapsulating secret usage in the managed package •  Properly handling secret dependencies (update password when updating URL) •  Avoiding secret reflection (beware hidden inputs, use transient keyword)
Additional Resources •  Secure Coding Guidelines - https://developer.salesforce.com/page/Secure_Coding_Storing_Secrets •  Intro to Managed Packages - https://developer.salesforce.com/page/An_Introduction_to_Packaging •  Salesforce StackExchange - http://salesforce.stackexchange.com/questions/tagged/security •  Developer.Salesforce.com Security Forum - https://developer.salesforce.com/forums (full link hidden) •  Security Office Hours (Partners) - http://security.force.com/security/contact/ohours •  Security Implementation Guide - https://developer.salesforce.com/././securityImplGuide/ (full link hidden)
Slides + Demo • Get Slides Here: –  DF Chatter Group – Link Here –  @kylekyle Twitter – https://www.twitter.com/kylekyle • Want to play with our demo code? Want to learn more? –  Force.com Security Essentials: trustacademy.salesforce.com
Secure Salesforce Sessions (TBD) Secure Coding: Field-level Security, CRUD, and Sharing Monday, October 13 @ 11:00 a.m. - 11:40 a.m. Secure Coding: Storing Secrets in Your Salesforce Instance Monday, October 13 @ 2:00 p.m. - 2:40 p.m. Building Secure Mobile Apps Monday, October 13 @ 5:00 p.m. - 5:40 p.m. Protect Your Data Against Malicious Scripts Tuesday, October 14 @ 11:00 a.m. - 11:40 a.m. Secure Coding: External App Integration Wednesday, October 15 @ 9:00 a.m. - 9:40 a.m. Secure Coding: SSL, SOAP, and REST Thursday, October 16 @ 10:30 a.m. - 11:10 a.m. Announcements: Force.com Code Scanner now supports Salesforce1 and JavaScript! Try it here: http://bit.ly/SF1Scanner Chimera Web App Scanner alpha nominations are open. Partners apply at: http://bit.ly/SFChimera Live security office hours are available in the Partner Zone.
Q&A
Secure Salesforce: Secret Storage in Your Salesforce Instance

Recommended

Salesforce shield by manish
Salesforce shield by manishSalesforce shield by manish
Salesforce shield by manishManish Thaduri
 
Apex collection patterns
Apex collection patternsApex collection patterns
Apex collection patternsSathishkumar Periyasamy
 
Salesforce complete overview
Salesforce complete overviewSalesforce complete overview
Salesforce complete overviewNitesh Mishra ☁
 
Apex code (Salesforce)
Apex code (Salesforce)Apex code (Salesforce)
Apex code (Salesforce)Mohammed Safwat Abu Kwaik
 
2020 07-30 elastic agent + ingest management
2020 07-30 elastic agent + ingest management2020 07-30 elastic agent + ingest management
2020 07-30 elastic agent + ingest managementDaliya Spasova
 
Alfresco search services: Now and Then
Alfresco search services: Now and ThenAlfresco search services: Now and Then
Alfresco search services: Now and ThenAngel Borroy López
 
Second-generation managed packages
Second-generation managed packagesSecond-generation managed packages
Second-generation managed packagesBohdan Dovhań
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cNabeel Yoosuf
 

Recommended

Salesforce shield by manish
Salesforce shield by manishSalesforce shield by manish
Salesforce shield by manishManish Thaduri
 
Apex collection patterns
Apex collection patternsApex collection patterns
Apex collection patternsSathishkumar Periyasamy
 
Salesforce complete overview
Salesforce complete overviewSalesforce complete overview
Salesforce complete overviewNitesh Mishra ☁
 
Apex code (Salesforce)
Apex code (Salesforce)Apex code (Salesforce)
Apex code (Salesforce)Mohammed Safwat Abu Kwaik
 
2020 07-30 elastic agent + ingest management
2020 07-30 elastic agent + ingest management2020 07-30 elastic agent + ingest management
2020 07-30 elastic agent + ingest managementDaliya Spasova
 
Alfresco search services: Now and Then
Alfresco search services: Now and ThenAlfresco search services: Now and Then
Alfresco search services: Now and ThenAngel Borroy López
 
Second-generation managed packages
Second-generation managed packagesSecond-generation managed packages
Second-generation managed packagesBohdan Dovhań
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cNabeel Yoosuf
 
Introduction to the Salesforce Security Model
Introduction to the Salesforce Security ModelIntroduction to the Salesforce Security Model
Introduction to the Salesforce Security ModelSalesforce Developers
 
DOAG Oracle Database Vault
DOAG Oracle Database VaultDOAG Oracle Database Vault
DOAG Oracle Database VaultStefan Oehrli
 
Secure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSecure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSalesforce Developers
 
Aruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPassAruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPassPaulo Eduardo Sibalde
 
Getting started with Salesforce security
Getting started with Salesforce securityGetting started with Salesforce security
Getting started with Salesforce securitySalesforce Admins
 
Data model in salesforce
Data model in salesforceData model in salesforce
Data model in salesforceChamil Madusanka
 
Aruba OS 7.3 Command Line Interface Reference Guide
Aruba OS 7.3 Command Line Interface Reference GuideAruba OS 7.3 Command Line Interface Reference Guide
Aruba OS 7.3 Command Line Interface Reference GuideAruba, a Hewlett Packard Enterprise company
 
Cloud foundry: The Platform for Forging Cloud Native Applications
Cloud foundry: The Platform for Forging Cloud Native ApplicationsCloud foundry: The Platform for Forging Cloud Native Applications
Cloud foundry: The Platform for Forging Cloud Native ApplicationsChip Childers
 
Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...
Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...
Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...Edureka!
 
SOQL & SOSL for Admins
SOQL & SOSL for AdminsSOQL & SOSL for Admins
SOQL & SOSL for AdminsObidjon Komiljonov
 
How to create a developer org for salesforce
How to create a developer org for salesforceHow to create a developer org for salesforce
How to create a developer org for salesforceMyGuide By Edcast
 
Understanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We DoUnderstanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We DoSalesforce Developers
 
Profiles and permission sets in salesforce
Profiles and permission sets in salesforceProfiles and permission sets in salesforce
Profiles and permission sets in salesforceSunil kumar
 
Lwc presentation
Lwc presentationLwc presentation
Lwc presentationNithesh N
 
Managing Change With A Sensible Sandbox Architecture
Managing Change With A Sensible Sandbox ArchitectureManaging Change With A Sensible Sandbox Architecture
Managing Change With A Sensible Sandbox ArchitectureAlexander Sutherland
 
EMEA Airheads – Aruba controller features used to optimize performance
EMEA Airheads – Aruba controller features used to optimize performanceEMEA Airheads – Aruba controller features used to optimize performance
EMEA Airheads – Aruba controller features used to optimize performanceAruba, a Hewlett Packard Enterprise company
 
Aruba Mobility Controller 7200 Installation Guide
Aruba Mobility Controller 7200 Installation GuideAruba Mobility Controller 7200 Installation Guide
Aruba Mobility Controller 7200 Installation GuideAruba, a Hewlett Packard Enterprise company
 
Adapting to evolving user, security, and business needs with aruba clear pass
Adapting to evolving user, security, and business needs with aruba clear passAdapting to evolving user, security, and business needs with aruba clear pass
Adapting to evolving user, security, and business needs with aruba clear passAruba, a Hewlett Packard Enterprise company
 
Alfresco y SOLR, presentación en español
Alfresco y SOLR, presentación en españolAlfresco y SOLR, presentación en español
Alfresco y SOLR, presentación en españolToni de la Fuente
 
Integrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity ConnectIntegrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity ConnectSalesforce Developers
 
Secure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSecure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSalesforce Developers
 
Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Mark Adcock
 

More Related Content

What's hot

Introduction to the Salesforce Security Model
Introduction to the Salesforce Security ModelIntroduction to the Salesforce Security Model
Introduction to the Salesforce Security ModelSalesforce Developers
 
DOAG Oracle Database Vault
DOAG Oracle Database VaultDOAG Oracle Database Vault
DOAG Oracle Database VaultStefan Oehrli
 
Secure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSecure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSalesforce Developers
 
Getting started with Salesforce security
Getting started with Salesforce securityGetting started with Salesforce security
Getting started with Salesforce securitySalesforce Admins
 
Cloud foundry: The Platform for Forging Cloud Native Applications
Cloud foundry: The Platform for Forging Cloud Native ApplicationsCloud foundry: The Platform for Forging Cloud Native Applications
Cloud foundry: The Platform for Forging Cloud Native ApplicationsChip Childers
 
Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...
Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...
Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...Edureka!
 
How to create a developer org for salesforce
How to create a developer org for salesforceHow to create a developer org for salesforce
How to create a developer org for salesforceMyGuide By Edcast
 
Understanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We DoUnderstanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We DoSalesforce Developers
 
Profiles and permission sets in salesforce
Profiles and permission sets in salesforceProfiles and permission sets in salesforce
Profiles and permission sets in salesforceSunil kumar
 
Lwc presentation
Lwc presentationLwc presentation
Lwc presentationNithesh N
 
Managing Change With A Sensible Sandbox Architecture
Managing Change With A Sensible Sandbox ArchitectureManaging Change With A Sensible Sandbox Architecture
Managing Change With A Sensible Sandbox ArchitectureAlexander Sutherland
 
Alfresco y SOLR, presentación en español
Alfresco y SOLR, presentación en españolAlfresco y SOLR, presentación en español
Alfresco y SOLR, presentación en españolToni de la Fuente
 
Integrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity ConnectIntegrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity ConnectSalesforce Developers
 

What's hot (20)

Introduction to the Salesforce Security Model
Introduction to the Salesforce Security ModelIntroduction to the Salesforce Security Model
Introduction to the Salesforce Security Model
 
DOAG Oracle Database Vault
DOAG Oracle Database VaultDOAG Oracle Database Vault
DOAG Oracle Database Vault
 
Secure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSecure Salesforce: External App Integrations
Secure Salesforce: External App Integrations
 
Aruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPassAruba Networks - Overview ClearPass
Aruba Networks - Overview ClearPass
 
Getting started with Salesforce security
Getting started with Salesforce securityGetting started with Salesforce security
Getting started with Salesforce security
 
Data model in salesforce
Data model in salesforceData model in salesforce
Data model in salesforce
 
Aruba OS 7.3 Command Line Interface Reference Guide
Aruba OS 7.3 Command Line Interface Reference GuideAruba OS 7.3 Command Line Interface Reference Guide
Aruba OS 7.3 Command Line Interface Reference Guide
 
Cloud foundry: The Platform for Forging Cloud Native Applications
Cloud foundry: The Platform for Forging Cloud Native ApplicationsCloud foundry: The Platform for Forging Cloud Native Applications
Cloud foundry: The Platform for Forging Cloud Native Applications
 
Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...
Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...
Salesforce Interview Questions And Answers | Salesforce Tutorial | Salesforce...
 
SOQL & SOSL for Admins
SOQL & SOSL for AdminsSOQL & SOSL for Admins
SOQL & SOSL for Admins
 
How to create a developer org for salesforce
How to create a developer org for salesforceHow to create a developer org for salesforce
How to create a developer org for salesforce
 
Understanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We DoUnderstanding the Salesforce Architecture: How We Do the Magic We Do
Understanding the Salesforce Architecture: How We Do the Magic We Do
 
Profiles and permission sets in salesforce
Profiles and permission sets in salesforceProfiles and permission sets in salesforce
Profiles and permission sets in salesforce
 
Lwc presentation
Lwc presentationLwc presentation
Lwc presentation
 
Managing Change With A Sensible Sandbox Architecture
Managing Change With A Sensible Sandbox ArchitectureManaging Change With A Sensible Sandbox Architecture
Managing Change With A Sensible Sandbox Architecture
 
EMEA Airheads – Aruba controller features used to optimize performance
EMEA Airheads – Aruba controller features used to optimize performanceEMEA Airheads – Aruba controller features used to optimize performance
EMEA Airheads – Aruba controller features used to optimize performance
 
Aruba Mobility Controller 7200 Installation Guide
Aruba Mobility Controller 7200 Installation GuideAruba Mobility Controller 7200 Installation Guide
Aruba Mobility Controller 7200 Installation Guide
 
Adapting to evolving user, security, and business needs with aruba clear pass
Adapting to evolving user, security, and business needs with aruba clear passAdapting to evolving user, security, and business needs with aruba clear pass
Adapting to evolving user, security, and business needs with aruba clear pass
 
Alfresco y SOLR, presentación en español
Alfresco y SOLR, presentación en españolAlfresco y SOLR, presentación en español
Alfresco y SOLR, presentación en español
 
Integrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity ConnectIntegrating Active Directory With Salesforce Using Identity Connect
Integrating Active Directory With Salesforce Using Identity Connect
 

Similar to Secure Salesforce: Secret Storage in Your Salesforce Instance

Secure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSecure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSalesforce Developers
 
Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Mark Adcock
 
Salesforce shield & summer 20 release
Salesforce shield & summer 20 releaseSalesforce shield & summer 20 release
Salesforce shield & summer 20 releaseDevendra Sawant
 
Best Practices for Team Development in a Single Org
Best Practices for Team Development in a Single OrgBest Practices for Team Development in a Single Org
Best Practices for Team Development in a Single OrgSalesforce Developers
 
Salesforce Platform Encryption Developer Strategy
Salesforce Platform Encryption Developer StrategySalesforce Platform Encryption Developer Strategy
Salesforce Platform Encryption Developer StrategyPeter Chittum
 
Secure Salesforce: CRUD / FLS / Sharing
Secure Salesforce: CRUD / FLS / SharingSecure Salesforce: CRUD / FLS / Sharing
Secure Salesforce: CRUD / FLS / SharingSalesforce Developers
 
How to Become a Security-Minded Admin
How to Become a Security-Minded AdminHow to Become a Security-Minded Admin
How to Become a Security-Minded AdminSalesforce Admins
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKMartin Vigo
 
Df14 Maintaining your orgs setup for optimal efficiency for dist
Df14 Maintaining your orgs setup for optimal efficiency for distDf14 Maintaining your orgs setup for optimal efficiency for dist
Df14 Maintaining your orgs setup for optimal efficiency for distjayvinarora
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSalesforce Developers
 
Webinar: From Sandbox to Production: Demystifying Force.com Release Managemen...
Webinar: From Sandbox to Production: Demystifying Force.com Release Managemen...Webinar: From Sandbox to Production: Demystifying Force.com Release Managemen...
Webinar: From Sandbox to Production: Demystifying Force.com Release Managemen...Salesforce Developers
 
Secure Development on the Salesforce Platform - Part I
Secure Development on the Salesforce Platform - Part ISecure Development on the Salesforce Platform - Part I
Secure Development on the Salesforce Platform - Part ISalesforce Developers
 
Platform Shield encryption - Trailblazer Admin Community Kochi
Platform Shield encryption - Trailblazer Admin Community KochiPlatform Shield encryption - Trailblazer Admin Community Kochi
Platform Shield encryption - Trailblazer Admin Community KochiAnil Somasundaran
 
Designing custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.comDesigning custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.comSteven Herod
 
Lightning web components - Episode 4 : Security and Testing
Lightning web components - Episode 4 : Security and TestingLightning web components - Episode 4 : Security and Testing
Lightning web components - Episode 4 : Security and TestingSalesforce Developers
 
Manage Development in Your Org with Salesforce Governance Framework
Manage Development in Your Org with Salesforce Governance FrameworkManage Development in Your Org with Salesforce Governance Framework
Manage Development in Your Org with Salesforce Governance FrameworkSalesforce Developers
 
Implement Data Governance Around Packaged Apps in Force.com
Implement Data Governance Around Packaged Apps in Force.comImplement Data Governance Around Packaged Apps in Force.com
Implement Data Governance Around Packaged Apps in Force.comSalesforce Developers
 
Designing Custom REST and SOAP Interfaces on Force.com
Designing Custom REST and SOAP Interfaces on Force.comDesigning Custom REST and SOAP Interfaces on Force.com
Designing Custom REST and SOAP Interfaces on Force.comSalesforce Developers
 

Similar to Secure Salesforce: Secret Storage in Your Salesforce Instance (20)

Secure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best PracticesSecure Salesforce: Lightning Components Best Practices
Secure Salesforce: Lightning Components Best Practices
 
Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3Secure Development on the Salesforce Platform - Part 3
Secure Development on the Salesforce Platform - Part 3
 
Salesforce shield & summer 20 release
Salesforce shield & summer 20 releaseSalesforce shield & summer 20 release
Salesforce shield & summer 20 release
 
Best Practices for Team Development in a Single Org
Best Practices for Team Development in a Single OrgBest Practices for Team Development in a Single Org
Best Practices for Team Development in a Single Org
 
Salesforce Platform Encryption Developer Strategy
Salesforce Platform Encryption Developer StrategySalesforce Platform Encryption Developer Strategy
Salesforce Platform Encryption Developer Strategy
 
Secure Salesforce: CRUD / FLS / Sharing
Secure Salesforce: CRUD / FLS / SharingSecure Salesforce: CRUD / FLS / Sharing
Secure Salesforce: CRUD / FLS / Sharing
 
How to Become a Security-Minded Admin
How to Become a Security-Minded AdminHow to Become a Security-Minded Admin
How to Become a Security-Minded Admin
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDK
 
Df14 Maintaining your orgs setup for optimal efficiency for dist
Df14 Maintaining your orgs setup for optimal efficiency for distDf14 Maintaining your orgs setup for optimal efficiency for dist
Df14 Maintaining your orgs setup for optimal efficiency for dist
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDK
 
Webinar: From Sandbox to Production: Demystifying Force.com Release Managemen...
Webinar: From Sandbox to Production: Demystifying Force.com Release Managemen...Webinar: From Sandbox to Production: Demystifying Force.com Release Managemen...
Webinar: From Sandbox to Production: Demystifying Force.com Release Managemen...
 
Secure Development on the Salesforce Platform - Part I
Secure Development on the Salesforce Platform - Part ISecure Development on the Salesforce Platform - Part I
Secure Development on the Salesforce Platform - Part I
 
API Design for Your Packaged App
API Design for Your Packaged AppAPI Design for Your Packaged App
API Design for Your Packaged App
 
API Design for Your Packaged App
API Design for Your Packaged AppAPI Design for Your Packaged App
API Design for Your Packaged App
 
Platform Shield encryption - Trailblazer Admin Community Kochi
Platform Shield encryption - Trailblazer Admin Community KochiPlatform Shield encryption - Trailblazer Admin Community Kochi
Platform Shield encryption - Trailblazer Admin Community Kochi
 
Designing custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.comDesigning custom REST and SOAP interfaces on Force.com
Designing custom REST and SOAP interfaces on Force.com
 
Lightning web components - Episode 4 : Security and Testing
Lightning web components - Episode 4 : Security and TestingLightning web components - Episode 4 : Security and Testing
Lightning web components - Episode 4 : Security and Testing
 
Manage Development in Your Org with Salesforce Governance Framework
Manage Development in Your Org with Salesforce Governance FrameworkManage Development in Your Org with Salesforce Governance Framework
Manage Development in Your Org with Salesforce Governance Framework
 
Implement Data Governance Around Packaged Apps in Force.com
Implement Data Governance Around Packaged Apps in Force.comImplement Data Governance Around Packaged Apps in Force.com
Implement Data Governance Around Packaged Apps in Force.com
 
Designing Custom REST and SOAP Interfaces on Force.com
Designing Custom REST and SOAP Interfaces on Force.comDesigning Custom REST and SOAP Interfaces on Force.com
Designing Custom REST and SOAP Interfaces on Force.com
 

More from Salesforce Developers

Sample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce DevelopersSample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce DevelopersSalesforce Developers
 
Maximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component PerformanceMaximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component PerformanceSalesforce Developers
 
Local development with Open Source Base Components
Local development with Open Source Base ComponentsLocal development with Open Source Base Components
Local development with Open Source Base ComponentsSalesforce Developers
 
TrailheaDX India : Developer Highlights
TrailheaDX India : Developer HighlightsTrailheaDX India : Developer Highlights
TrailheaDX India : Developer HighlightsSalesforce Developers
 
Why developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX IndiaWhy developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX IndiaSalesforce Developers
 
CodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local DevelopmentCodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local DevelopmentSalesforce Developers
 
CodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web ComponentsCodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web ComponentsSalesforce Developers
 
Enterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web ComponentsEnterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web ComponentsSalesforce Developers
 
TrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer HighlightsTrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer HighlightsSalesforce Developers
 
LWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura InteroperabilityLWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura InteroperabilitySalesforce Developers
 
Lightning web components episode 2- work with salesforce data
Lightning web components episode 2- work with salesforce dataLightning web components episode 2- work with salesforce data
Lightning web components episode 2- work with salesforce dataSalesforce Developers
 
Lightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An IntroductionLightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An IntroductionSalesforce Developers
 
Migrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPMigrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPSalesforce Developers
 
Scale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceScale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceSalesforce Developers
 
Replicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureReplicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureSalesforce Developers
 
Modern Development with Salesforce DX
Modern Development with Salesforce DXModern Development with Salesforce DX
Modern Development with Salesforce DXSalesforce Developers
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectIntegrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectSalesforce Developers
 

More from Salesforce Developers (20)

Sample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce DevelopersSample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce Developers
 
Maximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component PerformanceMaximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component Performance
 
Local development with Open Source Base Components
Local development with Open Source Base ComponentsLocal development with Open Source Base Components
Local development with Open Source Base Components
 
TrailheaDX India : Developer Highlights
TrailheaDX India : Developer HighlightsTrailheaDX India : Developer Highlights
TrailheaDX India : Developer Highlights
 
Why developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX IndiaWhy developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX India
 
CodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local DevelopmentCodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local Development
 
CodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web ComponentsCodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web Components
 
Enterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web ComponentsEnterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web Components
 
TrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer HighlightsTrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer Highlights
 
Live coding with LWC
Live coding with LWCLive coding with LWC
Live coding with LWC
 
LWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura InteroperabilityLWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura Interoperability
 
Lightning web components episode 2- work with salesforce data
Lightning web components episode 2- work with salesforce dataLightning web components episode 2- work with salesforce data
Lightning web components episode 2- work with salesforce data
 
Lightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An IntroductionLightning web components - Episode 1 - An Introduction
Lightning web components - Episode 1 - An Introduction
 
Migrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPMigrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCP
 
Scale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceScale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in Salesforce
 
Replicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureReplicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data Capture
 
Modern Development with Salesforce DX
Modern Development with Salesforce DXModern Development with Salesforce DX
Modern Development with Salesforce DX
 
Get Into Lightning Flow Development
Get Into Lightning Flow DevelopmentGet Into Lightning Flow Development
Get Into Lightning Flow Development
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectIntegrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS Connect
 
Introduction to MuleSoft
Introduction to MuleSoftIntroduction to MuleSoft
Introduction to MuleSoft
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Secure Salesforce: Secret Storage in Your Salesforce Instance

  • 1. Secure Salesforce: Storing Secrets In Your Salesforce Instance Kyle Tobener Manager, Enterprise Security @KyleKyle Ian Goldsmith Lead Incident Handler
  • 2. Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
  • 3. No Photos Required…. Slides and demos will be made available after the talk!
  • 4. Primary Topic Today: Secrets •  We will be covering developer-oriented topics on secret storage for the Salesforce Platform •  Specific features to cover include: –  Secrets in named credentials –  Secrets in custom settings –  Proper secret usage •  Useful for anyone in the following areas: –  Salesforce Developers (primarily) –  Salesforce Administrators –  Prospective Partners
  • 5. What is a secret? Ø Simple Definition: A piece of data that requires higher than normal protection Ø For Our Purposes: A secret will be a piece of data that nobody should see, like a password or encryption key
  • 6. Who do we secure secrets from? • Attackers • Regular Users • Partners • Administrators (Biggest Challenge) Basically everyone… Why? • Theft of data • Impersonation • Privilege escalation
  • 7. Secret in Named Credentials
  • 8. Named Credentials Overview Named credentials are a new feature for secret storage built into the Salesforce platform. What does this mean? Managed protected custom settings offer security benefits, while unmanaged protected custom settings are worse than regular sObjects (because they lack FLS and CRUD settings). 8
  • 9. Named Credentials – Storage Method 1.  Create a new named credential. 2.  Add the URL + secret to the named credential. 3.  Invoke the named credential in the httpRequest.
  • 10. Named Credentials – Breakdown Pros • Easy to create • Easy to invoke • Secret is not visible in the UI to anyone. • Secret is not leaked in the debug logs. Cons • Only works for httpRequests and certain authentication schemes. • URL can be updated separately from the secret, potentially leaking secret.
  • 11. Demo: Secrets in Named Credentials
  • 12. Secrets in Custom Settings
  • 13. Custom Settings Overview Custom settings are stripped down sObjects exposed to the application cache, enabling efficient access for developers. Protected versus Public: What is the difference? Protected Custom Settings can only be accessed from the namespace they exist in. •  In a managed package, the namespace is that of the package •  In an unmanaged package, the namespace is the local namespace (so no effect) What does this mean? •  Managed Protected Custom Settings – Extra Security Benefits •  Managed Public / Local Public / Local Protected – No security benefits, worse for secrets than sObjects 13
  • 14. Managed Protected Custom Settings – Storage Method 1.  Create a managed package 2.  Create a protected custom setting inside the package 3.  Create a Visualforce page inside the package to create/update the secret §  (transient string, should not return secret to the view state) 4.  Access and use the secret inside the managed package
  • 16. Managed Protected Custom Setting – Breakdown Pros • Secret only available to Apex code within managed package namespace • Can store encryption key to scale Cons • Requires a managed package! • Methods must be well-coded to prevent secret exposure
  • 18. Demo: Secrets in Custom Settings
  • 19. Using Managed Protected Custom Settings Properly
  • 20. Overview Using Managed Protected Custom Settings Properly Secret storage solutions with managed protected custom settings are developed in Apex and Visualforce, and because of this there are some best practices that must be followed: • Properly encapsulating secret usage in the managed package • Properly handling secret dependencies • Avoiding secret reflection
  • 21. Properly Encapsulating Secret Usage What is encapsulation? Keeping functionality inside the managed package. Why encapsulate? Namespace benefits on work INSIDE the managed package. Anything leaving the package loses benefits. Things to consider for encapsulation: •  User interaction - Visualforce page/component inside the managed package. •  Using the secret – Code must be contained within the managed package. •  Invoking secret usage - Done with a global method, secret never returned outside of the managed package.
  • 22. Properly Handling Secret Dependencies What are secret dependencies? If a secret is tied to another piece of information, a dependency is created. Examples: •  Passwords can be dependent on URLs •  Encryption keys can be dependent on Salts. Secret dependency best practices: •  Secrets and dependencies are controlled from the same place •  If dependant is updated, secret should be updated. This prevents the attacker from gaining additional information. –  Example: If a URL is updated, password should change too!
  • 23. Avoiding Secret Reflection What is secret reflection? Developers often mistakenly allow a secret to be reflected from the controller (Apex) to the view (Visualforce). Since the view is client-side, the risk of secret exposure increases dramatically! Secret reflection Best Practices •  Beware hidden inputs – hidden inputs often show secret in clear within source •  Use transient keyword – transient keyword prevents secret from being stored in the Visualforce viewstate.
  • 25. Recap Here are the forms of secret storage that we covered: 1.  Named Credentials •  Pro – Simple. No secret reflected in UI or debug logs. •  Con – URL can be changed and secret leaked, only works with httpRequests v  Works well with: Passwords and Oauth tokens that don’t come with admin privileges 2.  Managed Protected Custom Setting (Secret Storage Best Practice) •  Pro – Most secure option. Protects against users with elevated permissions such as Modify all Data •  Con – Requires a managed package. Requires careful attention to code (see below) v  Works well with: Passwords, oAuth Tokens, Encryption Keys 3.  Using Managed Protected Custom Settings Properly •  Properly encapsulating secret usage in the managed package •  Properly handling secret dependencies (update password when updating URL) •  Avoiding secret reflection (beware hidden inputs, use transient keyword)
  • 26. Additional Resources •  Secure Coding Guidelines - https://developer.salesforce.com/page/Secure_Coding_Storing_Secrets •  Intro to Managed Packages - https://developer.salesforce.com/page/An_Introduction_to_Packaging •  Salesforce StackExchange - http://salesforce.stackexchange.com/questions/tagged/security •  Developer.Salesforce.com Security Forum - https://developer.salesforce.com/forums (full link hidden) •  Security Office Hours (Partners) - http://security.force.com/security/contact/ohours •  Security Implementation Guide - https://developer.salesforce.com/././securityImplGuide/ (full link hidden)
  • 27. Slides + Demo • Get Slides Here: –  DF Chatter Group – Link Here –  @kylekyle Twitter – https://www.twitter.com/kylekyle • Want to play with our demo code? Want to learn more? –  Force.com Security Essentials: trustacademy.salesforce.com
  • 28. Secure Salesforce Sessions (TBD) Secure Coding: Field-level Security, CRUD, and Sharing Monday, October 13 @ 11:00 a.m. - 11:40 a.m. Secure Coding: Storing Secrets in Your Salesforce Instance Monday, October 13 @ 2:00 p.m. - 2:40 p.m. Building Secure Mobile Apps Monday, October 13 @ 5:00 p.m. - 5:40 p.m. Protect Your Data Against Malicious Scripts Tuesday, October 14 @ 11:00 a.m. - 11:40 a.m. Secure Coding: External App Integration Wednesday, October 15 @ 9:00 a.m. - 9:40 a.m. Secure Coding: SSL, SOAP, and REST Thursday, October 16 @ 10:30 a.m. - 11:10 a.m. Announcements: Force.com Code Scanner now supports Salesforce1 and JavaScript! Try it here: http://bit.ly/SF1Scanner Chimera Web App Scanner alpha nominations are open. Partners apply at: http://bit.ly/SFChimera Live security office hours are available in the Partner Zone.
  • 29. Q&A