Tips and Tricks to Pass Salesforce Security Review
The huge growth and popularity of the Salesforce AppExchange, together with the extremely fluid nature of the platform, offer evergreen scope for developing new apps. Salesforce requires all AppExchange and OEM applications to pass a security review before they are listed on the AppExchange. In the security review, the security team tests your product's defenses against the attacks described in the OWASP list, and their mission is to steal data that they do not have permission to access.
Follow these tips and tricks to pass the Salesforce security review
To pass the security review, you need to put in effort from the very beginning of application development.
- Understand the Salesforce process before submitting for review. Read the Force.com requirements checklist and secure coding guidelines carefully upfront to understand the major security risks from Force.com's standpoint, and address them in the app.
- Almost all developers ignore the Apex security coding library for enforcing CRUD/FLS (object- and field-level security) rules, but Force.com takes it seriously. You should always add CRUD/FLS checks before processing DML operations.
- Understand how Salesforce prefers to store credentials (i.e. security keys, secret tokens, passwords, etc.). If you are using a custom setting to store secure data, the custom setting's visibility should be set to protected. There are three key concepts for handling and storing secure data: custom settings, Apex crypto functions, and encrypted custom fields. The best practice is a combination of Apex crypto functions and a protected custom setting to generate and subsequently store secure data.
- Using ESAPI (the OWASP Enterprise Security API), an open-source, free web application security control library, helps in a big way. Programmers can leverage the ESAPI libraries either to build a solid base for new development or to retrofit security into existing applications. The Force.com implementation of the ESAPI library is designed and customized for the security needs of the Force.com platform.
- Try to avoid DML operations on page load. You might be using a DML operation to store data when a Visualforce page loads.
- When using controller variables in a Visualforce page, use the platform encoding functions to neutralize potential XSS threats. Visualforce provides three main encoding functions that developers can use for this: HTMLENCODE, JSENCODE, and JSINHTMLENCODE.
- Example: <script> var x = '{!JSENCODE($CurrentPage.parameters.userInput)}'; </script>
- Run a free self-service source code analysis against the code developed on the Force.com platform (Apex and Visualforce).
- Run a free web application scan against your web servers that integrate with Force.com. This is required if you are using an external web service.
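The CRUD/FLS point above, shown as an added Apex example (not code from the original post): a vulnerable update that trusts the running user beside a hardened version that checks object and field permissions before the DML, plus a bulk variant using Security.stripInaccessible. The class name and method names are hypothetical; Contact and its Email field are standard.

```apex
// Added example: enforcing CRUD/FLS before DML. ContactEmailUpdater is a hypothetical class.
public with sharing class ContactEmailUpdater {

    // Vulnerable variant: Apex runs in system mode, so this update succeeds even when the
    // running user is not allowed to edit Contact records or the Email field.
    public static void updateEmailUnsafe(Id contactId, String newEmail) {
        Contact c = new Contact(Id = contactId, Email = newEmail);
        update c;
    }

    // Hardened variant: explicit CRUD and FLS checks, which is what the review looks for.
    public static void updateEmail(Id contactId, String newEmail) {
        // CRUD: may the running user update Contact records at all?
        if (!Schema.sObjectType.Contact.isUpdateable()) {
            throw new System.NoAccessException();
        }
        // FLS: may the running user write the specific field being changed?
        if (!Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new System.NoAccessException();
        }
        Contact c = new Contact(Id = contactId, Email = newEmail);
        update c;
    }

    // Bulk variant: strip fields the user may not write instead of failing the whole batch.
    // Security.stripInaccessible removes those fields and reports which ones were dropped.
    public static List<Contact> updateContactsStripped(List<Contact> contacts) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, contacts);
        // decision.getRemovedFields() can be logged so silently dropped writes are visible
        List<Contact> sanitized = (List<Contact>) decision.getRecords();
        update sanitized;
        return sanitized;
    }
}
```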
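The credential-storage point above (Apex crypto functions combined with a protected custom setting), as an added Apex example that is not from the original post. It assumes a hypothetical hierarchy custom setting Integration_Secrets__c whose Visibility is set to Protected in its metadata (visibility cannot be set from Apex) with two Text(255) fields, AES_Key__c and API_Secret__c.

```apex
// Added example: an AES-256 key and an encrypted API secret kept in a protected custom setting.
// SecretStore, Integration_Secrets__c and its fields are hypothetical names for this example.
public with sharing class SecretStore {

    // Run once (for example from a post-install script) to provision a random 256-bit key.
    public static void provisionKey() {
        Integration_Secrets__c s = Integration_Secrets__c.getOrgDefaults();
        if (String.isBlank(s.AES_Key__c)) {
            Blob key = Crypto.generateAesKey(256);
            s.AES_Key__c = EncodingUtil.base64Encode(key);
            upsert s;
        }
    }

    // Encrypt with a managed (random) IV so identical secrets never yield identical ciphertext.
    // The IV is prepended to the output; base64 of IV + padded ciphertext must fit in 255 chars.
    public static void saveApiSecret(String clearSecret) {
        Integration_Secrets__c s = Integration_Secrets__c.getOrgDefaults();
        Blob key = EncodingUtil.base64Decode(s.AES_Key__c);
        Blob cipher = Crypto.encryptWithManagedIV('AES256', key, Blob.valueOf(clearSecret));
        s.API_Secret__c = EncodingUtil.base64Encode(cipher);
        upsert s;
    }

    // Decrypt on demand; the clear secret is never persisted anywhere.
    public static String loadApiSecret() {
        Integration_Secrets__c s = Integration_Secrets__c.getOrgDefaults();
        Blob key = EncodingUtil.base64Decode(s.AES_Key__c);
        Blob cipher = EncodingUtil.base64Decode(s.API_Secret__c);
        return Crypto.decryptWithManagedIV('AES256', key, cipher).toString();
    }
}
```

Because the setting is protected, subscriber-org users and their Apex cannot read the key or ciphertext; only the managed package's own code can.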
Top 10 vulnerabilities detected by Salesforce in the reviews:
- SQL and XML Injection
- Cross Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross Site Request Forgery (CSRF/XSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection (no SSL enforcement, weak or null ciphers, session cookies without the secure attribute)
- Unvalidated Redirects and Forwards
There are three possible outcomes of the review:
Full Approval:
- No medium or high risk issues were identified within your organization and application.
- You will immediately be allowed to list your application on the AppExchange.
- API token to access Professional Edition accounts will be provided.
Provisional Approval:
- Certain low and medium risk issues were identified, which can be addressed fairly easily and do not pose significant risk to salesforce.com or its customers.
- You will be allowed to list your application on the AppExchange. However, failure to remedy the noted issues within the specified time period will result in removal of the application from the AppExchange.
- API token to access Professional Edition accounts will be provided.
Failure:
- High risk issues were identified during the testing phase.
- You will not be allowed to list your application on the AppExchange until all issues have been addressed and reviewed by the AppExchange Security team. If the application is already listed on the AppExchange, you will be provided 60 days to address issues.
- API token to access Professional Edition accounts will not be provided.
Are you looking for Salesforce AppExchange development? GetOnCRM Solutions is a global Salesforce silver consulting partner based in California (USA), with offices in Canada and India. At GetOnCRM Solutions, we help customers pass their application security review. Contact us for any Salesforce requirements.