Secure Salesforce - External App Integrations
Astha Singhal, Senior Product Security Engineer, salesforce.com, @astha_singhal @SecureCloudDev
Chris Vinecombe, Application Security Engineer, salesforce.com
Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Astha Singhal, Senior Product Security Engineer, salesforce.com
- Working with product teams from design to implementation to help them build secure applications for our customers.
- Conducting penetration tests and code reviews on Salesforce applications.
- Facilitating the security process via better security training and enabling self-service for product teams.
- Helping them understand security bugs and guiding them through remediation of security issues.
Chris Vinecombe, Application Security Engineer, salesforce.com
- Working with vendors to ensure third-party applications used by Salesforce are secure.
- Conducting penetration tests on Salesforce’s vendor applications.
- Assisting Salesforce business units in selecting secure vendors and products.
- Helping vendors understand security vulnerabilities and assisting with remediation of security issues.
Building Salesforce Integrations
- Extend Salesforce functionality with external app integrations.
- Build data flows and interactions between your external app and Salesforce.
- You need a way to map Salesforce user identity to your external system.
- You need a way to authenticate and secure data flows between the two systems.
- You need a way to grant access to Salesforce data without breaking the Salesforce security model or trust in the Salesforce platform.
Integration methods: API / OAuth
- External services authenticate with Salesforce via OAuth and receive access tokens.
- Tokens must be treated with the same sensitivity as a password.
- Utilize public-facing APIs to share data with Salesforce instances.
- Developers can expose custom Apex REST endpoints.
Integration methods: Apex Callouts
- Use Apex code to access external REST APIs.
- Can be used to send data out to, or pull data in from, an external service.
- Actions must be initiated by a user action from within Salesforce.
Integration methods: Connected App
- Runs on the Salesforce app canvas.
- Does not have access to the Salesforce app DOM at any time.
- Authenticates via OAuth or SAML using Salesforce credentials.
- Easy way to integrate an external application into the Salesforce “skin”.
- The OAuth scope for the connected app determines the amount of access this app has to your Salesforce data.
- Make sure to grant least privilege to the OAuth token being created.
Integration user vs End User: Integration User
- Create an integration user to make callouts from the external app into Salesforce.
- Lets you create a least-privilege integration user to perform certain operations required by the app.
- You don’t have to provide API access to all users.
- Only one credential to manage on the external system.
- You have to make sure that the Salesforce security model is not broken when the external system accesses Salesforce data.
Integration user vs End User: End User
- Lets your external app make requests as the currently logged-in user with the specified OAuth scope.
- Lets the user choose whether or not to allow access.
- Preserves the Salesforce security model in your external requests without any additional measures.
- The external app needs to make sure all end-user OAuth credentials are stored securely on the external system.
Setting up a Connected App
- Go to Setup -> Create -> Apps -> New Connected App.
Advantages of Connected Apps
- No need for custom authentication logic.
- Least-privilege access control based on the external app use case.
- Easy to revoke access for misbehaving apps.
- Out-of-the-box functionality for standard auth protocols.
- Can provide access without sharing the Salesforce username and password with the external app.
Credential handling
- External app credentials (consumer key/secret) should be stored securely off the Salesforce platform.
- Salesforce OAuth tokens should be stored securely off the platform using the industry best practice for your development platform.
- API tokens for the external app should be stored in Protected custom settings inside Salesforce.
- All credentials should be secured in transit by using HTTPS (TLS) for all communication.
Transport Security
Security expectations of HTTP: none.
- Anyone on the network can eavesdrop on traffic.
- Anyone on the network can modify content.
- Anyone on the network can divert traffic.
Transport Security - What is TLS?
- A user visiting a site over HTTP has no assurance that they are interacting with the legitimate site.
- The Transport Layer Security protocol allows for secure communication between applications and users.
- Uses PKI (Public Key Infrastructure) to have a trusted Certificate Authority (CA) vouch for the server’s identity.
- Prevents tampering, eavesdropping, and man-in-the-middle attacks against secure communications.
- Provides authentication and confidentiality.
Mutual TLS
- Salesforce supports mutual TLS for communications between Salesforce and your external server.
- This allows you to do a two-way verification, where the client and server can confirm one another’s identity.
- Good for server-to-server authentication, where the client is not prompting a user to log in manually.
Mutual TLS
[Diagram: mutual TLS between Acme.com and Salesforce]
- Client certificates are uploaded and stored in the Salesforce database, where they are used for verification.
- You can also download the Salesforce client certificate to authenticate on your web server when making Apex callouts, etc.
- Salesforce provides a mechanism to prevent falling back to the standard TLS port.
Setting Up Mutual TLS
- Have mutual TLS enabled for your organization.
- Generate a Certificate Signing Request (CSR) and acquire a certificate from a trusted CA.
- Upload the certificate to Security Controls | Certificate and Key Management.
- Enable the “Enforce SSL/TLS Mutual Authentication” permission for the API client user. This will force mutual TLS on port 8443 for this user. This user permission can be added via a PermSet or by adding the permission to the user profile.
- Configure the API client to connect on port 8443 and present the client certificate.
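As an added example (not from the slides and not Salesforce's own tooling), the client side of the last setup step in Python: build a TLS context that verifies the Salesforce server and presents the CA-issued client certificate, and pin every request to port 8443 so a misconfigured client cannot silently fall back to one-way TLS on the standard port. The instance URL, certificate file names, Apex REST path and token are placeholders.

```python
import ssl
import urllib.request
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

MTLS_PORT = 8443  # Salesforce mutual TLS port from the setup steps above


def mtls_url(instance_url: str, path: str) -> str:
    """Rewrite an instance URL so the call goes over HTTPS to port 8443.

    Plain http:// is rejected and any port in the input (including 443) is
    replaced, so the client cannot quietly fall back to one-way TLS.
    """
    parts = urlsplit(instance_url)
    if parts.scheme != "https":
        raise ValueError("mutual TLS requires https://, got %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("instance URL has no host: %r" % instance_url)
    netloc = "%s:%d" % (parts.hostname, MTLS_PORT)
    return urlunsplit(("https", netloc, path, "", ""))


def build_mtls_context(client_cert: Optional[str] = None,
                       client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client context: verify the Salesforce server cert and present ours."""
    ctx = ssl.create_default_context()            # system CA bundle, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no legacy protocol downgrade
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:  # PEM cert issued by the trusted CA, plus its private key
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def build_request(url: str, access_token: str,
                  body: Optional[bytes] = None) -> urllib.request.Request:
    """The OAuth bearer token still goes in the header; mTLS adds client identity."""
    headers = {"Authorization": "Bearer " + access_token,
               "Accept": "application/json"}
    if body is not None:
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=body, headers=headers)


if __name__ == "__main__":
    # Placeholder values: replace with your org's instance, cert files and token.
    ctx = build_mtls_context("acme-client.pem", "acme-client.key")
    url = mtls_url("https://example.my.salesforce.com", "/services/apexrest/acme/orders")
    with urllib.request.urlopen(build_request(url, "<oauth-token>"), context=ctx) as resp:
        print(resp.status, resp.read(200))
```

Pair this with the Salesforce-side permission: an API user without "Enforce SSL/TLS Mutual Authentication" can still be reached on 443, so the port pinning here only closes the client half of the fallback.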
Why use mutual TLS?
- This seems like a lot of work! Why should I do this?
- It provides a good way to authenticate both parties (Salesforce and the external app) when building external integrations.
- You don’t have to rely only on IP range restrictions and static API keys for client authentication.
- The out-of-the-box mutual TLS implementation provides authentication and confidentiality.
Thank you
Secure Salesforce at Dreamforce 2015
10 DevZone Talks and 2 Lightning Zone Talks covering all aspects of Security on the Salesforce Platform
Visit our booth in the DevZone with any security questions
Check out the schedule and details at http://bit.ly/DF15Sec
Admin-related security questions?
Join us for coffee in the Admin Zone Security Cafe
Secure Salesforce at Dreamforce 2015
- Hardened Apps with the Mobile SDK: Martin Vigo and Maxwell Feldman, Thursday 2:30pm in Moscone West 2008
- Code Scanning with Checkmarx: Robert Sussland and Gideon Kreiner, Thursday 3:30pm in Moscone West 2011
- Lightning Components Best Practices: Robert Sussland and Sergey Gorbaty, Thursday 4:45pm in Moscone West 2007
- Common Secure Coding Mistakes: Rachel Black and Alejandro Raigon Munoz, Thursday 5:00pm in Moscone West 2006
- Chimera: External Integration Security: Tim Bach and Travis Safford, Friday 10:00am in Moscone West 2009
Additional Resources
- Salesforce mutual TLS set up
- Salesforce Connected Apps documentation
- Digging deeper into OAuth 2.0 on Force.com
- Salesforce Trust academy
- How to generate a CSR
Share Your Feedback, and Win a GoPro!
- 1. Enroll in a session
- 2. Tap the bell to take a survey
- 3. Earn a GoPro prize entry for each completed survey
Questions?