SlideShare ist ein Scribd-Unternehmen logo

Finding Security Issues Fast!

Salesforce Engineering
Salesforce Engineering

Talk given by Marat Vyshegorodtsev and Sergey Gorbaty. Enterprise Security team at Salesforce, in January 2017. Discusses a set of open source tools that analyze the Apex/VisualForce code and advise on its quality.

Ingenieurwesen
1 von 32
Finding Security Issues FAST! @ser_gor @MaratVy Sergey Gorbaty, Marat Vyshegorodtsev Lead Security Engineers
Forward-Looking Statements Statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Security Tests in Salesforce The path from Beginner to Hardcore Pass the AppExchange test in a breeze! Open sourcing for everyone Salesforce Learning Curve New tools! Future work Our motivation to automate
The Developer Learning Curve Apex VisualForce Formulas Custom Objects ~9 hours
The Developer Learning Curve Apex VisualForce Formulas Custom Objects ~9 hours Lightning Webservices APIs Mobile ~19 hours
Apex Enterprise Security ~11 hours The Developer Learning Curve Apex VisualForce Formulas Custom Objects ~9 hours Lightning Webservices APIs Mobile ~19 hours
Apex Enterprise Security ~11 hours The Developer Learning Curve Apex VisualForce Formulas Custom Objects ~9 hours Lightning Webservices APIs Mobile ~19 hours
Clearly a bug Security reviewers think in three categories Possibly a bug Clearly not a bug
Clearly a bug Security reviewers think in three categories Possibly a bug Clearly not a bug AppExchange Criteria
Clearly a bug Security reviewers think in three categories Possibly a bug Clearly not a bug Enterprise Security Criteria
Our ultimate motivation No bugs with (almost) no effort Einstein on a plane
How to help ~2 million developers write secure code?
Introducing Salesforce-enabled code quality tools
Let’s find a bug with PMD help! public class HotLeads { public Lead getTopLead() { return [SELECT … ] ; } }
Let’s find a bug: Sharing violation public with sharing class HotLeads { public Lead getTopLead() { return [SELECT … ] ; } }
How we see class sharing definitions public class MyClass public without sharing class MyClass public with sharing class MyClass
Let’s find one more bug public void saveTopLead() { insert new Lead(firstName='Astro'); }
Let’s find one more bug: CRUD and FLS public void saveTopLead() { Boolean canCreate = Schema.sObjectType.Lead.fields.firstName.isCreateable(); if(canCreate){ insert new Lead(firstName='Astro'); } }
How we see CRUD/FLS checks insert new Lead() insert new Lead() // but there are checks for other objects if(<FLSCHECK>){ insert new Lead() }
A typical VisualForce page layout example <apex:page> <script> var userData = {! userData }; </script> </apex:page>
First attempt on fixing it <apex:page> <script> var userData = {! JSENCODE(userData) }; </script> </apex:page>
Second attempt on fixing it <apex:page> <script> var userData = '{! JSENCODE(userData) }'; </script> </apex:page>
Third and final attempt on fixing it <apex:page> <script> var userData = JSON.parse('{! JSENCODE(userData) }'); </script> </apex:page>
Merging into strings Similar to Template Strings in ES6 <apex:page> <script> var greeting = ' {! ' Howdy, ' + $User.Name }!'; </script> </apex:page>
Merging into strings Similar to Template Strings in ES6 <apex:page> <script> var greeting = ' {! ' Howdy, ' + JSENCODE($User.Name) }!'; </script> </apex:page>
The bright future: linting, autofixing, and CI
Already Released Sending new security rules to pmd pmd/pmd
Future Work: Open Source Projects acorn-visualforce — JS parser extension to support VF syntax eslint-plugin-visualforce — Linter rules for merge fields stylelint-visualforce — Linter rules for inline <style> tags in VisualForce pages
Finding Security Issues Fast!

Empfohlen

Operationalizing Big Data as a Service
Operationalizing Big Data as a ServiceOperationalizing Big Data as a Service
Operationalizing Big Data as a ServiceSalesforce Engineering
 
Tailoring the DITA Suit to Fit
Tailoring the DITA Suit to FitTailoring the DITA Suit to Fit
Tailoring the DITA Suit to FitSalesforce Engineering
 
Content Strategy Workshop
Content Strategy WorkshopContent Strategy Workshop
Content Strategy WorkshopSalesforce Engineering
 
Orchestration, the conductor's score
Orchestration, the conductor's scoreOrchestration, the conductor's score
Orchestration, the conductor's scoreSalesforce Engineering
 
Crossbrowser Testing at Salesforce Analytics
Crossbrowser Testing at Salesforce AnalyticsCrossbrowser Testing at Salesforce Analytics
Crossbrowser Testing at Salesforce AnalyticsSalesforce Engineering
 
Dev ops.enterprise.2014 (1)
Dev ops.enterprise.2014 (1)Dev ops.enterprise.2014 (1)
Dev ops.enterprise.2014 (1)Salesforce Engineering
 
Quality Testing and Agile at Salesforce
Quality Testing and Agile at Salesforce Quality Testing and Agile at Salesforce
Quality Testing and Agile at Salesforce Salesforce Engineering
 
Salesforce's Trusted Enterprise Platform and Apache Phoenix
Salesforce's Trusted Enterprise Platform and Apache PhoenixSalesforce's Trusted Enterprise Platform and Apache Phoenix
Salesforce's Trusted Enterprise Platform and Apache PhoenixSalesforce Engineering
 

Empfohlen

Operationalizing Big Data as a Service
Operationalizing Big Data as a ServiceOperationalizing Big Data as a Service
Operationalizing Big Data as a ServiceSalesforce Engineering
 
Tailoring the DITA Suit to Fit
Tailoring the DITA Suit to FitTailoring the DITA Suit to Fit
Tailoring the DITA Suit to FitSalesforce Engineering
 
Content Strategy Workshop
Content Strategy WorkshopContent Strategy Workshop
Content Strategy WorkshopSalesforce Engineering
 
Orchestration, the conductor's score
Orchestration, the conductor's scoreOrchestration, the conductor's score
Orchestration, the conductor's scoreSalesforce Engineering
 
Crossbrowser Testing at Salesforce Analytics
Crossbrowser Testing at Salesforce AnalyticsCrossbrowser Testing at Salesforce Analytics
Crossbrowser Testing at Salesforce AnalyticsSalesforce Engineering
 
Dev ops.enterprise.2014 (1)
Dev ops.enterprise.2014 (1)Dev ops.enterprise.2014 (1)
Dev ops.enterprise.2014 (1)Salesforce Engineering
 
Quality Testing and Agile at Salesforce
Quality Testing and Agile at Salesforce Quality Testing and Agile at Salesforce
Quality Testing and Agile at Salesforce Salesforce Engineering
 
Salesforce's Trusted Enterprise Platform and Apache Phoenix
Salesforce's Trusted Enterprise Platform and Apache PhoenixSalesforce's Trusted Enterprise Platform and Apache Phoenix
Salesforce's Trusted Enterprise Platform and Apache PhoenixSalesforce Engineering
 
Legacy Content: Applying your new content strategy to old information
Legacy Content: Applying your new content strategy to old informationLegacy Content: Applying your new content strategy to old information
Legacy Content: Applying your new content strategy to old informationSalesforce Engineering
 
Scrum at Scale
Scrum at ScaleScrum at Scale
Scrum at ScaleSalesforce Engineering
 
How to Setup Continuous Integration With Git, Jenkins, and Force.com
How to Setup Continuous Integration With Git, Jenkins, and Force.comHow to Setup Continuous Integration With Git, Jenkins, and Force.com
How to Setup Continuous Integration With Git, Jenkins, and Force.comSalesforce Developers
 
How Developers and Quality Engineer Collaborate at Salesforce
How Developers and Quality Engineer Collaborate at SalesforceHow Developers and Quality Engineer Collaborate at Salesforce
How Developers and Quality Engineer Collaborate at SalesforceSalesforce Engineering
 
The Ideal Salesforce Development Lifecycle
The Ideal Salesforce Development LifecycleThe Ideal Salesforce Development Lifecycle
The Ideal Salesforce Development LifecycleJoshua Hoskins
 
Ten Years of DITA: Are We There Yet?
Ten Years of DITA: Are We There Yet?Ten Years of DITA: Are We There Yet?
Ten Years of DITA: Are We There Yet?Salesforce Engineering
 
Agile at Salesforce From theory to practice, how to be agile at scale
Agile at Salesforce From theory to practice, how to be agile at scaleAgile at Salesforce From theory to practice, how to be agile at scale
Agile at Salesforce From theory to practice, how to be agile at scaleSalesforce Engineering
 
Salesforce1 ELEVATE Workshop - Dublin
Salesforce1 ELEVATE Workshop - DublinSalesforce1 ELEVATE Workshop - Dublin
Salesforce1 ELEVATE Workshop - DublinJoshua Hoskins
 
Game changers
Game changersGame changers
Game changersMarek Kirejczyk
 
Release Management: Managing Your Internal Releases
Release Management: Managing Your Internal ReleasesRelease Management: Managing Your Internal Releases
Release Management: Managing Your Internal ReleasesJoshua Hoskins
 
How Open Source Embiggens Salesforce.com
How Open Source Embiggens Salesforce.comHow Open Source Embiggens Salesforce.com
How Open Source Embiggens Salesforce.comSalesforce Engineering
 
From Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release ManagementFrom Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release ManagementSalesforce Developers
 
Salesforce Deployment: From Production Hacker to Agile Guru
Salesforce Deployment: From Production Hacker to Agile GuruSalesforce Deployment: From Production Hacker to Agile Guru
Salesforce Deployment: From Production Hacker to Agile GuruSalesforce Developers
 
Design patterns for salesforce app decomposition
Design patterns for salesforce app decompositionDesign patterns for salesforce app decomposition
Design patterns for salesforce app decompositionSai Jithesh ☁️
 
Streamline Selenium Testing with Page Flow Navigation
Streamline Selenium Testing with Page Flow NavigationStreamline Selenium Testing with Page Flow Navigation
Streamline Selenium Testing with Page Flow NavigationSalesforce Developers
 
TDX19 - Accelerate DevOps with GitLab and Salesforce
TDX19 - Accelerate DevOps with GitLab and SalesforceTDX19 - Accelerate DevOps with GitLab and Salesforce
TDX19 - Accelerate DevOps with GitLab and SalesforceDoug Ayers
 
TDX19 - Untangle Your Org with Salesforce Developer Tools
TDX19 - Untangle Your Org with Salesforce Developer ToolsTDX19 - Untangle Your Org with Salesforce Developer Tools
TDX19 - Untangle Your Org with Salesforce Developer ToolsDoug Ayers
 
Scaling Continuous Integration for Puppet
Scaling Continuous Integration for PuppetScaling Continuous Integration for Puppet
Scaling Continuous Integration for PuppetSalesforce Engineering
 
Dependency Injection with the Force DI Framework
Dependency Injection with the Force DI FrameworkDependency Injection with the Force DI Framework
Dependency Injection with the Force DI FrameworkDoug Ayers
 
Salesforce API Series: Release Management with the Metadata API webinar
Salesforce API Series: Release Management with the Metadata API webinarSalesforce API Series: Release Management with the Metadata API webinar
Salesforce API Series: Release Management with the Metadata API webinarSalesforce Developers
 
Introduction to Apex Triggers
Introduction to Apex TriggersIntroduction to Apex Triggers
Introduction to Apex TriggersSalesforce Developers
 
CCT London 2013 Theatre Intro to Apex
CCT London 2013 Theatre Intro to ApexCCT London 2013 Theatre Intro to Apex
CCT London 2013 Theatre Intro to ApexPeter Chittum
 

Weitere ähnliche Inhalte

Was ist angesagt?

Legacy Content: Applying your new content strategy to old information
Legacy Content: Applying your new content strategy to old informationLegacy Content: Applying your new content strategy to old information
Legacy Content: Applying your new content strategy to old informationSalesforce Engineering
 
How to Setup Continuous Integration With Git, Jenkins, and Force.com
How to Setup Continuous Integration With Git, Jenkins, and Force.comHow to Setup Continuous Integration With Git, Jenkins, and Force.com
How to Setup Continuous Integration With Git, Jenkins, and Force.comSalesforce Developers
 
How Developers and Quality Engineer Collaborate at Salesforce
How Developers and Quality Engineer Collaborate at SalesforceHow Developers and Quality Engineer Collaborate at Salesforce
How Developers and Quality Engineer Collaborate at SalesforceSalesforce Engineering
 
The Ideal Salesforce Development Lifecycle
The Ideal Salesforce Development LifecycleThe Ideal Salesforce Development Lifecycle
The Ideal Salesforce Development LifecycleJoshua Hoskins
 
Agile at Salesforce From theory to practice, how to be agile at scale
Agile at Salesforce From theory to practice, how to be agile at scaleAgile at Salesforce From theory to practice, how to be agile at scale
Agile at Salesforce From theory to practice, how to be agile at scaleSalesforce Engineering
 
Salesforce1 ELEVATE Workshop - Dublin
Salesforce1 ELEVATE Workshop - DublinSalesforce1 ELEVATE Workshop - Dublin
Salesforce1 ELEVATE Workshop - DublinJoshua Hoskins
 
Release Management: Managing Your Internal Releases
Release Management: Managing Your Internal ReleasesRelease Management: Managing Your Internal Releases
Release Management: Managing Your Internal ReleasesJoshua Hoskins
 
How Open Source Embiggens Salesforce.com
How Open Source Embiggens Salesforce.comHow Open Source Embiggens Salesforce.com
How Open Source Embiggens Salesforce.comSalesforce Engineering
 
From Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release ManagementFrom Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release ManagementSalesforce Developers
 
Salesforce Deployment: From Production Hacker to Agile Guru
Salesforce Deployment: From Production Hacker to Agile GuruSalesforce Deployment: From Production Hacker to Agile Guru
Salesforce Deployment: From Production Hacker to Agile GuruSalesforce Developers
 
Design patterns for salesforce app decomposition
Design patterns for salesforce app decompositionDesign patterns for salesforce app decomposition
Design patterns for salesforce app decompositionSai Jithesh ☁️
 
Streamline Selenium Testing with Page Flow Navigation
Streamline Selenium Testing with Page Flow NavigationStreamline Selenium Testing with Page Flow Navigation
Streamline Selenium Testing with Page Flow NavigationSalesforce Developers
 
TDX19 - Accelerate DevOps with GitLab and Salesforce
TDX19 - Accelerate DevOps with GitLab and SalesforceTDX19 - Accelerate DevOps with GitLab and Salesforce
TDX19 - Accelerate DevOps with GitLab and SalesforceDoug Ayers
 
TDX19 - Untangle Your Org with Salesforce Developer Tools
TDX19 - Untangle Your Org with Salesforce Developer ToolsTDX19 - Untangle Your Org with Salesforce Developer Tools
TDX19 - Untangle Your Org with Salesforce Developer ToolsDoug Ayers
 
Scaling Continuous Integration for Puppet
Scaling Continuous Integration for PuppetScaling Continuous Integration for Puppet
Scaling Continuous Integration for PuppetSalesforce Engineering
 
Dependency Injection with the Force DI Framework
Dependency Injection with the Force DI FrameworkDependency Injection with the Force DI Framework
Dependency Injection with the Force DI FrameworkDoug Ayers
 
Salesforce API Series: Release Management with the Metadata API webinar
Salesforce API Series: Release Management with the Metadata API webinarSalesforce API Series: Release Management with the Metadata API webinar
Salesforce API Series: Release Management with the Metadata API webinarSalesforce Developers
 

Was ist angesagt? (20)

Legacy Content: Applying your new content strategy to old information
Legacy Content: Applying your new content strategy to old informationLegacy Content: Applying your new content strategy to old information
Legacy Content: Applying your new content strategy to old information
 
Scrum at Scale
Scrum at ScaleScrum at Scale
Scrum at Scale
 
How to Setup Continuous Integration With Git, Jenkins, and Force.com
How to Setup Continuous Integration With Git, Jenkins, and Force.comHow to Setup Continuous Integration With Git, Jenkins, and Force.com
How to Setup Continuous Integration With Git, Jenkins, and Force.com
 
How Developers and Quality Engineer Collaborate at Salesforce
How Developers and Quality Engineer Collaborate at SalesforceHow Developers and Quality Engineer Collaborate at Salesforce
How Developers and Quality Engineer Collaborate at Salesforce
 
The Ideal Salesforce Development Lifecycle
The Ideal Salesforce Development LifecycleThe Ideal Salesforce Development Lifecycle
The Ideal Salesforce Development Lifecycle
 
Ten Years of DITA: Are We There Yet?
Ten Years of DITA: Are We There Yet?Ten Years of DITA: Are We There Yet?
Ten Years of DITA: Are We There Yet?
 
Agile at Salesforce From theory to practice, how to be agile at scale
Agile at Salesforce From theory to practice, how to be agile at scaleAgile at Salesforce From theory to practice, how to be agile at scale
Agile at Salesforce From theory to practice, how to be agile at scale
 
Salesforce1 ELEVATE Workshop - Dublin
Salesforce1 ELEVATE Workshop - DublinSalesforce1 ELEVATE Workshop - Dublin
Salesforce1 ELEVATE Workshop - Dublin
 
Game changers
Game changersGame changers
Game changers
 
Release Management: Managing Your Internal Releases
Release Management: Managing Your Internal ReleasesRelease Management: Managing Your Internal Releases
Release Management: Managing Your Internal Releases
 
How Open Source Embiggens Salesforce.com
How Open Source Embiggens Salesforce.comHow Open Source Embiggens Salesforce.com
How Open Source Embiggens Salesforce.com
 
From Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release ManagementFrom Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release Management
 
Salesforce Deployment: From Production Hacker to Agile Guru
Salesforce Deployment: From Production Hacker to Agile GuruSalesforce Deployment: From Production Hacker to Agile Guru
Salesforce Deployment: From Production Hacker to Agile Guru
 
Design patterns for salesforce app decomposition
Design patterns for salesforce app decompositionDesign patterns for salesforce app decomposition
Design patterns for salesforce app decomposition
 
Streamline Selenium Testing with Page Flow Navigation
Streamline Selenium Testing with Page Flow NavigationStreamline Selenium Testing with Page Flow Navigation
Streamline Selenium Testing with Page Flow Navigation
 
TDX19 - Accelerate DevOps with GitLab and Salesforce
TDX19 - Accelerate DevOps with GitLab and SalesforceTDX19 - Accelerate DevOps with GitLab and Salesforce
TDX19 - Accelerate DevOps with GitLab and Salesforce
 
TDX19 - Untangle Your Org with Salesforce Developer Tools
TDX19 - Untangle Your Org with Salesforce Developer ToolsTDX19 - Untangle Your Org with Salesforce Developer Tools
TDX19 - Untangle Your Org with Salesforce Developer Tools
 
Scaling Continuous Integration for Puppet
Scaling Continuous Integration for PuppetScaling Continuous Integration for Puppet
Scaling Continuous Integration for Puppet
 
Dependency Injection with the Force DI Framework
Dependency Injection with the Force DI FrameworkDependency Injection with the Force DI Framework
Dependency Injection with the Force DI Framework
 
Salesforce API Series: Release Management with the Metadata API webinar
Salesforce API Series: Release Management with the Metadata API webinarSalesforce API Series: Release Management with the Metadata API webinar
Salesforce API Series: Release Management with the Metadata API webinar
 

Ähnlich wie Finding Security Issues Fast!

CCT London 2013 Theatre Intro to Apex
CCT London 2013 Theatre Intro to ApexCCT London 2013 Theatre Intro to Apex
CCT London 2013 Theatre Intro to ApexPeter Chittum
 
The Power of Salesforce APIs World Tour Edition
The Power of Salesforce APIs World Tour EditionThe Power of Salesforce APIs World Tour Edition
The Power of Salesforce APIs World Tour EditionPeter Chittum
 
Integrating with salesforce
Integrating with salesforceIntegrating with salesforce
Integrating with salesforceMark Adcock
 
Building Visualforce Custom Events Handlers
Building Visualforce Custom Events HandlersBuilding Visualforce Custom Events Handlers
Building Visualforce Custom Events HandlersSalesforce Developers
 
Live Coding with Salesforce Developers: Adding CI to Your Salesforce Project
Live Coding with Salesforce Developers: Adding CI to Your Salesforce ProjectLive Coding with Salesforce Developers: Adding CI to Your Salesforce Project
Live Coding with Salesforce Developers: Adding CI to Your Salesforce ProjectDeveloper Force
 
S1 Tour Paris Developpeurs
S1 Tour Paris DeveloppeursS1 Tour Paris Developpeurs
S1 Tour Paris DeveloppeursPeter Chittum
 
Build Together And Deliver Continuously With Salesforce DX
Build Together And Deliver Continuously With Salesforce DXBuild Together And Deliver Continuously With Salesforce DX
Build Together And Deliver Continuously With Salesforce DXLynette Lim
 
SalesforceDX Demo by Manish
SalesforceDX Demo by ManishSalesforceDX Demo by Manish
SalesforceDX Demo by ManishManish Thaduri
 
Learn to Leverage the Power of SOQL
Learn to Leverage the Power of SOQLLearn to Leverage the Power of SOQL
Learn to Leverage the Power of SOQLSalesforce Admins
 
#DF17Recap series: Integrate apps easier with the Salesforce platform
#DF17Recap series: Integrate apps easier with the Salesforce platform#DF17Recap series: Integrate apps easier with the Salesforce platform
#DF17Recap series: Integrate apps easier with the Salesforce platformSalesforce Developers
 
Dreamforce 2014 - Salesforce Python SDK for REST/SOAP APIs
Dreamforce 2014 - Salesforce Python SDK for REST/SOAP APIsDreamforce 2014 - Salesforce Python SDK for REST/SOAP APIs
Dreamforce 2014 - Salesforce Python SDK for REST/SOAP APIsHormoz Tarevern
 
Detroit ELEVATE Track 1
Detroit ELEVATE Track 1Detroit ELEVATE Track 1
Detroit ELEVATE Track 1Joshua Birk
 
Create Lightning from Salesforce Lightning & IoT
Create Lightning from Salesforce Lightning & IoTCreate Lightning from Salesforce Lightning & IoT
Create Lightning from Salesforce Lightning & IoTNetStronghold
 
Force.com Friday: Intro to Force.com Slides
Force.com Friday: Intro to Force.com SlidesForce.com Friday: Intro to Force.com Slides
Force.com Friday: Intro to Force.com SlidesSalesforce Developers
 
Create Lightning with Lightning & IoT
Create Lightning with Lightning & IoTCreate Lightning with Lightning & IoT
Create Lightning with Lightning & IoTSalesforce Developers
 
TrailheaDX Global Gathering London 2018
TrailheaDX Global Gathering London 2018TrailheaDX Global Gathering London 2018
TrailheaDX Global Gathering London 2018Keir Bowden
 

Ähnlich wie Finding Security Issues Fast! (20)

Introduction to Apex Triggers
Introduction to Apex TriggersIntroduction to Apex Triggers
Introduction to Apex Triggers
 
CCT London 2013 Theatre Intro to Apex
CCT London 2013 Theatre Intro to ApexCCT London 2013 Theatre Intro to Apex
CCT London 2013 Theatre Intro to Apex
 
The Power of Salesforce APIs World Tour Edition
The Power of Salesforce APIs World Tour EditionThe Power of Salesforce APIs World Tour Edition
The Power of Salesforce APIs World Tour Edition
 
Introduction to Apex Triggers
Introduction to Apex TriggersIntroduction to Apex Triggers
Introduction to Apex Triggers
 
Integrating with salesforce
Integrating with salesforceIntegrating with salesforce
Integrating with salesforce
 
Force.com Friday : Intro to Apex
Force.com Friday : Intro to Apex Force.com Friday : Intro to Apex
Force.com Friday : Intro to Apex
 
Building Visualforce Custom Events Handlers
Building Visualforce Custom Events HandlersBuilding Visualforce Custom Events Handlers
Building Visualforce Custom Events Handlers
 
iOS Unit Testing Like a Boss
iOS Unit Testing Like a BossiOS Unit Testing Like a Boss
iOS Unit Testing Like a Boss
 
Live Coding with Salesforce Developers: Adding CI to Your Salesforce Project
Live Coding with Salesforce Developers: Adding CI to Your Salesforce ProjectLive Coding with Salesforce Developers: Adding CI to Your Salesforce Project
Live Coding with Salesforce Developers: Adding CI to Your Salesforce Project
 
S1 Tour Paris Developpeurs
S1 Tour Paris DeveloppeursS1 Tour Paris Developpeurs
S1 Tour Paris Developpeurs
 
Build Together And Deliver Continuously With Salesforce DX
Build Together And Deliver Continuously With Salesforce DXBuild Together And Deliver Continuously With Salesforce DX
Build Together And Deliver Continuously With Salesforce DX
 
SalesforceDX Demo by Manish
SalesforceDX Demo by ManishSalesforceDX Demo by Manish
SalesforceDX Demo by Manish
 
Learn to Leverage the Power of SOQL
Learn to Leverage the Power of SOQLLearn to Leverage the Power of SOQL
Learn to Leverage the Power of SOQL
 
#DF17Recap series: Integrate apps easier with the Salesforce platform
#DF17Recap series: Integrate apps easier with the Salesforce platform#DF17Recap series: Integrate apps easier with the Salesforce platform
#DF17Recap series: Integrate apps easier with the Salesforce platform
 
Dreamforce 2014 - Salesforce Python SDK for REST/SOAP APIs
Dreamforce 2014 - Salesforce Python SDK for REST/SOAP APIsDreamforce 2014 - Salesforce Python SDK for REST/SOAP APIs
Dreamforce 2014 - Salesforce Python SDK for REST/SOAP APIs
 
Detroit ELEVATE Track 1
Detroit ELEVATE Track 1Detroit ELEVATE Track 1
Detroit ELEVATE Track 1
 
Create Lightning from Salesforce Lightning & IoT
Create Lightning from Salesforce Lightning & IoTCreate Lightning from Salesforce Lightning & IoT
Create Lightning from Salesforce Lightning & IoT
 
Force.com Friday: Intro to Force.com Slides
Force.com Friday: Intro to Force.com SlidesForce.com Friday: Intro to Force.com Slides
Force.com Friday: Intro to Force.com Slides
 
Create Lightning with Lightning & IoT
Create Lightning with Lightning & IoTCreate Lightning with Lightning & IoT
Create Lightning with Lightning & IoT
 
TrailheaDX Global Gathering London 2018
TrailheaDX Global Gathering London 2018TrailheaDX Global Gathering London 2018
TrailheaDX Global Gathering London 2018
 

Mehr von Salesforce Engineering

Locker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackLocker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackSalesforce Engineering
 
Techniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudTechniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudSalesforce Engineering
 
Predictive System Performance Data Analysis
Predictive System Performance Data AnalysisPredictive System Performance Data Analysis
Predictive System Performance Data AnalysisSalesforce Engineering
 
Aspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveAspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveSalesforce Engineering
 
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteA Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteSalesforce Engineering
 
Implementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesImplementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesSalesforce Engineering
 
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Engineering
 
Global State Management of Micro Services
Global State Management of Micro ServicesGlobal State Management of Micro Services
Global State Management of Micro ServicesSalesforce Engineering
 
Apache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use caseApache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use caseSalesforce Engineering
 

Mehr von Salesforce Engineering (20)

Locker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackLocker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With Webpack
 
Scaling HBase for Big Data
Scaling HBase for Big DataScaling HBase for Big Data
Scaling HBase for Big Data
 
Techniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudTechniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the Cloud
 
Predictive System Performance Data Analysis
Predictive System Performance Data AnalysisPredictive System Performance Data Analysis
Predictive System Performance Data Analysis
 
Apache HBase State of the Project
Apache HBase State of the ProjectApache HBase State of the Project
Apache HBase State of the Project
 
Hit the Trail with Trailhead
Hit the Trail with TrailheadHit the Trail with Trailhead
Hit the Trail with Trailhead
 
HBase/PHOENIX @ Scale
HBase/PHOENIX @ ScaleHBase/PHOENIX @ Scale
HBase/PHOENIX @ Scale
 
Scaling up data science applications
Scaling up data science applicationsScaling up data science applications
Scaling up data science applications
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Aspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveAspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already Have
 
Monitoring @ Scale in Salesforce
Monitoring @ Scale in SalesforceMonitoring @ Scale in Salesforce
Monitoring @ Scale in Salesforce
 
Performance Tuning with XHProf
Performance Tuning with XHProfPerformance Tuning with XHProf
Performance Tuning with XHProf
 
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteA Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
 
Implementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesImplementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 Miles
 
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
 
Koober Preduction IO Presentation
Koober Preduction IO PresentationKoober Preduction IO Presentation
Koober Preduction IO Presentation
 
Microservices
MicroservicesMicroservices
Microservices
 
Global State Management of Micro Services
Global State Management of Micro ServicesGlobal State Management of Micro Services
Global State Management of Micro Services
 
The Future of Hbase
The Future of HbaseThe Future of Hbase
The Future of Hbase
 
Apache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use caseApache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use case
 

Kürzlich hochgeladen

Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapRishantSharmaFr
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"mphochane1998
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdfKamal Acharya
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptDineshKumar4165
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayEpec Engineered Technologies
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXssuser89054b
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdfKamal Acharya
 
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...Amil baba
 
Verification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxVerification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxchumtiyababu
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Servicemeghakumariji156
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiessarkmank1
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsvanyagupta248
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Call Girls Mumbai
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaOmar Fathy
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueBhangaleSonal
 
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...drmkjayanthikannan
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationBhangaleSonal
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdfKamal Acharya
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 

Kürzlich hochgeladen (20)

Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
 
Verification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptxVerification of thevenin's theorem for BEEE Lab (1).pptx
Verification of thevenin's theorem for BEEE Lab (1).pptx
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and properties
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdf
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 

Finding Security Issues Fast!

  • 1. Finding Security Issues FAST! @ser_gor @MaratVy Sergey Gorbaty, Marat Vyshegorodtsev Lead Security Engineers
  • 2. Forward-Looking Statements Statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
  • 3. Security Tests in Salesforce The path from Beginner to Hardcore Pass the AppExchange test in a breeze! Open sourcing for everyone Salesforce Learning Curve New tools! Future work Our motivation to automate
  • 4. The Developer Learning Curve Apex VisualForce Formulas Custom Objects ~9 hours
  • 5. The Developer Learning Curve Apex VisualForce Formulas Custom Objects ~9 hours Lightning Webservices APIs Mobile ~19 hours
  • 6. Apex Enterprise Security ~11 hours The Developer Learning Curve Apex VisualForce Formulas Custom Objects ~9 hours Lightning Webservices APIs Mobile ~19 hours
  • 7. Apex Enterprise Security ~11 hours The Developer Learning Curve Apex VisualForce Formulas Custom Objects ~9 hours Lightning Webservices APIs Mobile ~19 hours
  • 8. Clearly a bug Security reviewers think in three categories Possibly a bug Clearly not a bug
  • 9. Clearly a bug Security reviewers think in three categories Possibly a bug Clearly not a bug AppExchange Criteria
  • 10. Clearly a bug Security reviewers think in three categories Possibly a bug Clearly not a bug Enterprise Security Criteria
  • 11. Our ultimate motivation No bugs with (almost) no effort Einstein on a plane
  • 12. How to help ~2 million developers write secure code?
  • 14.
  • 15.
  • 16. Let’s find a bug with PMD help! public class HotLeads { public Lead getTopLead() { return [SELECT … ] ; } }
  • 17. Let’s find a bug: Sharing violation public with sharing class HotLeads { public Lead getTopLead() { return [SELECT … ] ; } }
  • 18. How we see class sharing definitions public class MyClass public without sharing class MyClass public with sharing class MyClass
  • 19. Let’s find one more bug public void saveTopLead() { insert new Lead(firstName='Astro'); }
  • 20. Let’s find one more bug: CRUD and FLS public void saveTopLead() { Boolean canCreate = Schema.sObjectType.Lead.fields.firstName.isCreateable(); if(canCreate){ insert new Lead(firstName='Astro'); } }
  • 21. How we see CRUD/FLS checks insert new Lead() insert new Lead() // but there are checks for other objects if(<FLSCHECK>){ insert new Lead() }
  • 22.
  • 23. A typical VisualForce page layout example <apex:page> <script> var userData = {! userData }; </script> </apex:page>
  • 24. First attempt on fixing it <apex:page> <script> var userData = {! JSENCODE(userData) }; </script> </apex:page>
  • 25. Second attempt on fixing it <apex:page> <script> var userData = '{! JSENCODE(userData) }'; </script> </apex:page>
  • 26. Third and final attempt on fixing it <apex:page> <script> var userData = JSON.parse('{! JSENCODE(userData) }'); </script> </apex:page>
  • 27. Merging into strings Similar to Template Strings in ES6 <apex:page> <script> var greeting = ' {! ' Howdy, ' + $User.Name }!'; </script> </apex:page>
  • 28. Merging into strings Similar to Template Strings in ES6 <apex:page> <script> var greeting = ' {! ' Howdy, ' + JSENCODE($User.Name) }!'; </script> </apex:page>
  • 29. The bright future: linting, autofixing, and CI
  • 30. Already Released Sending new security rules to pmd pmd/pmd
  • 31. Future Work: Open Source Projects acorn-visualforce — JS parser extension to support VF syntax eslint-plugin-visualforce — Linter rules for merge fields stylelint-visualforce — Linter rules for inline <style> tags in VisualForce pages

Hinweis der Redaktion

  1. Today we will talk about
  2. Demo here
  3. Sharing enables record access through a set of rules including Default org level Ownership Hierarchy
  4. CRUD controls user access and actions performed to a record. FLS controls specific record field access, FLS checks include CRUD checks!
  5. Demo here
  6. Typical vulnerable example, since we do not know where userData came from
  7. JSENCODE mades an Apex value to be JS string-safe, not JS-safe Escapes single and double quotes, left angle bracket, and backslashes, doesn’t escape anything else
  8. Now it is safe, because it is a string, and JSENCODE makes anything safe to be merged in a string. But this is not what the developer wanted… Originally the developer wanted some literal there like “null”, “true”, or “false”, or object literal {“some”: “json”}.
  9. Now it is safe, because it is a string, and JSENCODE makes anything safe to be merged in a string. But this is not what the developer wanted… Originally the developer wanted some literal there like “null”, “true”, or “false”, or object literal {“some”: “json”}.
  10. Now it is safe, because it is a string, and JSENCODE makes anything safe to be merged in a string. But this is not what we wanted… Originally the developer wanted some literal there like “null”, “true”, or “false”, or object literal {“some”: “json”}.
  11. Now it is safe, because it is a string, and JSENCODE makes anything safe to be merged in a string. But this is not what we wanted… Originally the developer wanted some literal there like “null”, “true”, or “false”, or object literal {“some”: “json”}.
  12. Now it is safe, because it is a string, and JSENCODE makes anything safe to be merged in a string. But this is not what we wanted… Originally the developer wanted some literal there like “null”, “true”, or “false”, or object literal {“some”: “json”}.
  13. Now it is safe, because it is a string, and JSENCODE makes anything safe to be merged in a string. But this is not what we wanted… Originally the developer wanted some literal there like “null”, “true”, or “false”, or object literal {“some”: “json”}.