Robert Fly VP, Product Security salesforce · Secure Coding Guidelines –Obtain platform-specific...
Page 1
Building a Security Ecosystem
Robert Fly
VP, Product Security
salesforce.com
Page 2
Salesforce.com Customers
[Chart: paying customers by quarter, FY2003 through FY2011, rising from 750 to 92,300]
Paying Customers: 92,300+
Page 3
Intro to AppExchange
AppExchange: 1100+ Applications
Composite, Native, Client
780,000+ Installs
Security Reviews
Listing Fee
Security Review: ~12 month review cycle
Automated & Manual Assessments
OWASP/WASC checks
Requirements for what to fix and how quickly
Page 4
Agenda
What we did and why?
Page 5
Force.com Secure Cloud Development
Vision: Build an ecosystem and community of developers who hold trust as their top value.
Page 6
Why?
75% | 86% | ???
Page 7
Developer Security Savvy?
25% | 40% | 60% | 75%
Page 8
Fail Rates
85% composite | 75% native
Page 9
Leader in this space
“Salesforce gets a gold star” – Alex Stamos (Founder, iSEC)
Secure Building Blocks: Auth, Session Handling, Filtering, SSL, Infrastructure, Patching, Auditing & Logging
Default Protections: XSS, CSRF
Separate Domains
PAC
Page 10
Where did we focus…
Easy - Free - Transparent
Partnered With… Product Management and R&D
Alliances
Developer Evangelists
AppExchange Team
Training and Certification
Developer Experience: Integrated into Force.com (not OWASP)
Focus 100% on 80%
Usable
Align incentives
No cost
Page 11
Force.com Secure Cloud Development
Education
Design
Develop
Test
Release
Seamless integration of security into your existing SDLC
Page 12
(Secure) Education
Overview of Force.com Security
– Learn about the sharing model and the various security controls available to org administrators
Writing Secure Apps (online)
– Get educated on writing secure code on Force.com
Developer Quiz
– Assess your security awareness and learn to identify vulnerabilities within Force.com code
Security Blog and Twitter
– Consistent updates on our latest security research, contests and more.
Page 13
(Secure) Design
Security Resources
– Generic Force.com articles and resources. Topics include SAML, sharing, etc.
Security Self-Assessment
– Receive a customized report with links to security articles and resources specific to your application architecture
Office Hours
– Receive free consultation from a member of the salesforce.com security team
Security Discussion Board
– Community-based forum for answering security questions
Page 14
(Secure) Development
Secure Coding Guidelines
– Obtain platform-specific (Force.com, Java, .Net, etc.) recommendations on mitigating security vulnerabilities such as XSS, Injection, Session Management, etc.
Secure Coding Library
– Open source library for implementing additional security features (CRUD/FLS, input validation, output encoding, etc.)
– Part of OWASP Enterprise Security API
Page 15
(Secure) Testing
Force.com Source Scanner
– On-demand static source code analysis tool to help identify potential vulnerabilities and code quality issues within your Apex and Visualforce code
Web Application Security Scanner
– Integrating a web application with Force.com? AppExchange partners receive a free license for Burp Suite Professional
Page 16
(Secure) Release
Salesforce.com Security Review
– Periodic security review of AppExchange and OEM applications
– Details published at: http://wiki.developerforce.com/index.php/Security_Review
Incident Response (Coming Soon)
– Guidance on engaging with customers and salesforce.com in case of a security incident
Page 17
Force.com Secure Cloud Development
Free, ready to “consume” resources
More secure Force.com ecosystem
Reduced development costs
Streamlined AppExchange security process
Education
Design
Develop
Test
Release
Page 18
One More Thing…
Page 19
Force.com Eclipse Code Scanner
Direct visibility into security and quality issues
– Eclipse Plugin
– Line by line click-through
Offered by Checkmarx
Page 20
Are we any better?
Page 21
Stats
10000+ code bases scanned
183 Million Lines of Code Scanned
280,000+ issues identified by the scanner
– ~80% accuracy rate
– 55/45 split between security and quality, respectively
Page 22
Positives
I *heart* the security scanner. Use it with every project.
Have u run the #Salesforce Security Scanner today? It’s like Old Spice for your apps. Be fresh, secure and confident!
Don’t forget to run the free code scanner. It’s soooo helpful for writing secure #salesforce code
Using Eclipse/Force.com Ide … #loveTheScanner
Awesome to see @salesforce respond to customer needs via twitter. Security Review team has been fantastic. Great work @benioff and team.
Page 23
Positives
[Chart: 75% native | 19% 50% composite | 273 427 | 24 hours over 3 months | 30]
Page 24
Positives
[Chart: 83% | 25% improvement | quiz | 45%]
Page 25
Where To Focus Next
Require issues to be addressed & auditing
Better integration into product
Improve composite app first time pass rate
Other platforms
Continued laser focus on quality
Page 26
http://developer.force.com/security
Key Takeaways
Page 27
Robert Fly
Question & Answer
salesforce.com