Secure Cloud Development
Developers
Varun Badhwar: Senior Manager, Force.com Security, salesforce.com
Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year ended January 31, 2010. This document and others are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make their purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Agenda
Salesforce.com’s Philosophy
Vision
Secure Cloud Development Lifecycle:
– Education
– Secure Design
– Secure Development
– Secure Testing
Security Libraries for Common Development Platforms
Recommended Free Testing Tools
Spot the Bug Contest
Q&A
Salesforce.com Philosophy
Success of cloud computing is dependent on earning and maintaining customer trust.
Protecting the privacy of customer data is salesforce.com’s core value.
Details available at: http://trust.salesforce.com/trust/security/
“Security better be on top of everyone’s mind.” – Marc Benioff, CEO, salesforce.com
Vision
Create a security conscious community within which all developers / ISVs value trust as a priority
Provide free educational resources, tools and processes that help deliver trusted Force.com applications
Reduce overall development costs
– According to NIST*, eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post-release
* NIST – The National Institute of Standards and Technology
Secure (Software) Development Lifecycle
Phases of the cycle: Security Education, Design, Develop, Test, Release
Seamless integration of security into your existing SDLC
Secure Development Lifecycle: Education
Overview of Force.com Security
– Learn about the sharing model and various security controls available to org administrators
Developer Training
– Get educated on writing secure code on Force.com
Developer Quiz
– Assess your security awareness and learn to identify vulnerabilities within Force.com code
Secure Development Lifecycle: Design
Security Design Resources
– Generic Force.com articles and resources. Topics include authentication, single sign-on, sharing, etc.
Security Discussion Board
– Discuss your questions & concerns with Force.com developers and employees
Security Self-Assessment
– Receive a customized report with links to security articles and resources specific to your application architecture
Office Hours
– Receive free consultation from a member of the salesforce.com security team
Secure Development Lifecycle: Development
Secure Coding Guidelines
– Obtain platform-specific (Force.com, Java, .Net, etc.) recommendations on mitigating security vulnerabilities such as XSS, Injection, Session Management, etc.
Secure Coding Library
– Open source library for implementing additional security features (CRUD/FLS, input validation, output encoding, etc.)
– Follows OWASP Enterprise Security API
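What the CRUD/FLS and injection checks described above look like in Apex, as an added example (not code from the deck or from the Force.com Secure Coding Library); the class name, the exception class and the two displayed fields are assumptions:

```apex
// Added example, not code from the deck or from the Force.com Secure Coding Library.
// Shows three of the checks the guidelines call out: CRUD, FLS and SOQL injection,
// inside a controller that also honours the org's sharing model ("with sharing").
public with sharing class ContactSearchController {

    // Hypothetical exception raised when the running user lacks access.
    public class AccessDeniedException extends Exception {}

    // Returns contacts whose last name starts with the caller's search term.
    // Assumes LastName and Email are the only fields the page will display.
    public static List<Contact> searchByLastName(String userInput) {
        // CRUD: may the running user read Contact records at all?
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AccessDeniedException('No read access to Contact');
        }
        // FLS: check every field the page will show, not just the filter field.
        if (!Schema.sObjectType.Contact.fields.LastName.isAccessible()
            || !Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            throw new AccessDeniedException('No read access to a Contact field');
        }
        // Injection: the term is concatenated into dynamic SOQL, so escape
        // single quotes so it cannot break out of the string literal.
        // (A static query with a bind variable, WHERE LastName LIKE :term,
        // needs no escaping and is preferable when the query shape is fixed.)
        String safeTerm = String.escapeSingleQuotes(userInput) + '%';
        String soql = 'SELECT Id, LastName, Email FROM Contact '
                    + 'WHERE LastName LIKE \'' + safeTerm + '\' LIMIT 50';
        // "with sharing" on the class makes this query respect record-level sharing.
        return Database.query(soql);
    }
}
```

On the Visualforce side the default merge-field encoding already covers output encoding; the check a reviewer looks for is any component rendered with `escape="false"`.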
Secure Development Lifecycle: Testing
Force.com Security Source Code Scanner
– On-demand static source code analysis tool to identify security vulnerabilities within your Apex and Visualforce code
Web Application Security Scanner
– Integrating a web-application with Force.com? AppExchange & OEM partners are entitled to receive a free license for Burp Suite Professional
Secure Development Lifecycle: Release
Salesforce.com Security Review
– Periodic security review of AppExchange and OEM applications
– Details published at: http://wiki.developerforce.com/index.php/Security_Review
Incident Response (Coming Soon)
– Guidance on engaging with customers and salesforce.com in case of a security incident
Recommended Security Libraries for Common Development Platforms
Java
– ESAPI (authentication, validation, encoding/decoding, WAF, cryptography)
– Apache Shiro (authentication, authorization, session management, cryptography)
PHP
– ESAPI (authentication, validation, encoding/decoding, WAF, cryptography)
– HTML Purifier (white-list based filtering & XSS protection)
ASP.Net
– MS Web Protection Library (XSS and SQLi protection)
– ESAPI (authentication, validation, encoding/decoding, WAF, cryptography)
Ruby on Rails
– Loofah (XSS protection)
– ESAPI coming soon
Recommended (Free) Testing Tools
Application:
– Websecurify
– Acunetix Free Edition (XSS only)
– Netsparker Community Edition (SQLi & XSS only)
– SWFScan & Nemo440 (Flash)
– CookieDigger (Cookies)
Network:
– OpenSSL, SSLDigger
– Wireshark
– Nessus, nMap
Multi-purpose Proxies & Plug-ins:
– Proxies: Paros, WebScarab, Burp
– Plug-ins: Web Developer, Firebug, Tamper Data
Checkmarx Eclipse Plug-in for Force.com
Direct visibility into security and quality issues
– Eclipse Plugin
– Line by line click-through
Free 90 day trial for first 1000 downloads
Download at www.apexscanner.com
Spot the Bug Contest
Identify the bug in this code snippet and win a $50 Amazon gift card!
Key Takeaways
Deliver Secure Applications – http://developer.force.com/security
– Educate developers on security
– Consider security implications at design time
– Leverage guidelines, open-source code and assistance from salesforce.com to your advantage
– Incorporate security testing into each release cycle
Earn & Maintain Customer Trust
Save $$$ in Development Costs
Varun Badhwar
Question & Answer
Secure Cloud Development
DISCOVER
Visit the Developer Training and Support Booth in Force.com Zone
Discover Developer Learning Paths that help you achieve SUCCESS
Developer training, certification and support resources
Learn about Developer Certifications
Find us in the Partner Demo Area of Force.com Zone, 2nd Floor Moscone West
How Could Dreamforce Be Better? Tell Us!
Log in to the Dreamforce app to submit surveys for the sessions you attended, or use the Dreamforce Mobile app to submit surveys.
Every session survey you submit is a chance to win an iPod nano!