Secure Salesforce: Chimera External Integration Security. Tim Bach, Product Security Engineer, Salesforce; Travis Safford, Product Security Engineer, Salesforce.

Secure Salesforce: External Integration Security with Chimera

Jan 28, 2018

Page 1: Secure Salesforce: External Integration Security with Chimera

Secure Salesforce Chimera External Integration Security

 Tim Bach  Product Security Engineer  Salesforce

 Travis Safford  Product Security Engineer  Salesforce

Page 2: Secure Salesforce: External Integration Security with Chimera

Tim Bach Product Security Engineer

Page 3: Secure Salesforce: External Integration Security with Chimera

Travis Safford Product Security Engineer

Page 4: Secure Salesforce: External Integration Security with Chimera

Secure Salesforce Dreamforce 2015

Page 5: Secure Salesforce: External Integration Security with Chimera

Overview

  What is the AppExchange Security Review process?

  Why does external application security matter?

  Goals for Chimera

  What can Chimera do for you?

  Demo!

  Chimera technical overview

  What’s coming next [week / month / quarter / year]?

  Q&A

Page 6: Secure Salesforce: External Integration Security with Chimera

Security Review Process Overview

Page 7: Secure Salesforce: External Integration Security with Chimera

The AppExchange 1-slide primer

  The Salesforce App Marketplace

  Independent Software Vendors (ISVs) build and list apps for customers to install, expanding the platform’s capabilities

  Apps may be platform-only or interface with external web systems, mobile apps, and desktop software

  Currently, 2,800+ apps available for free or for purchase

  Apps may have scoped or total access to users and/or data within the Salesforce org they are installed in or authenticated against

  Apps listed on the AppExchange must undergo a rigorous Security Review by the Product Security team and regular re-reviews

Page 8: Secure Salesforce: External Integration Security with Chimera

AppExchange Security Review

  Managed by the Salesforce Product Security team

  Comprehensive security audit and penetration test of the application

  Partner/ISV provides automated code and application security scans – repeat this process until automated scanners find nothing or only false positives

  Partners are provided with ZAP (previously Burp Suite); they must install and configure it themselves before running a web application security test against their application

  Product Security reviews scan results and application code

  In the case of external systems/software connecting to the platform, full penetration test

Page 9: Secure Salesforce: External Integration Security with Chimera

AppExchange Security Review

Page 10: Secure Salesforce: External Integration Security with Chimera

External Threats: Why is Security Review Important?

Page 11: Secure Salesforce: External Integration Security with Chimera

ZAP: What is it? How do partners use it?

Page 12: Secure Salesforce: External Integration Security with Chimera

Introducing Chimera

Page 13: Secure Salesforce: External Integration Security with Chimera

Chimera: What and why?

 Chimera (mythology): “…a monstrous fire-breathing hybrid creature composed of the parts…”

 Chimera (genetics): “…a single organism composed of genetically distinct cells…”

 Chimera (Salesforce): A web security scanner composed of parts of the best open-source scanning, analysis, and fingerprinting tools available today. Consolidated and analyzed by purpose-built code and powered on the Heroku platform for massive scalability.


Page 14: Secure Salesforce: External Integration Security with Chimera

Chimera

  A fully featured, cloud-based security scanner

  Fire-and-forget scanning – just give it a target

  Made up of multiple industry-standard security tools

  Free for all AppExchange ISVs for the life of their AppExchange offering

Page 15: Secure Salesforce: External Integration Security with Chimera

Chimera Goals

  Give partners and ISVs better tools that make it easier to become secure

  Reduce confusion and delay in the Security Review process

  Use our resources to make security easier for our AppExchange partners

  Drive down the number of tests it takes a partner to pass Security Review and allow them to get to market faster on the AppExchange

  Promote the security of the AppExchange ecosystem

Page 16: Secure Salesforce: External Integration Security with Chimera

Let’s start a scan…

Page 17: Secure Salesforce: External Integration Security with Chimera

What are we scanning with?

  A variety of open-source tools as well as some internally developed ones

  ZAP – general web application security scanner

  Nikto – web application vulnerability scanner

  SSLyze – SSL vulnerability scanner

  nmap – port scanner

  Plus: SSL fingerprinting, web application fingerprinting

Page 18: Secure Salesforce: External Integration Security with Chimera

Background Magic

  Chimera isn’t just running scans and sending you raw results files

  After all scans complete on your target, Chimera correlates all results into a single report

  Report includes remediation steps for you to resolve issues between scans

  Chimera will remove duplicate issues as much as possible to provide you with an accurate and actionable report

  Thanks to Heroku, Chimera scales based on activity

  Even around the Dreamforce AppExchange spike, you won’t be waiting long
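The correlation and de-duplication step described on this slide can be illustrated with a small script. This is an added example, not Chimera’s code: it takes constructed sample findings in the shape four scanners (ZAP, Nikto, SSLyze, nmap) might emit, maps each tool’s wording to one canonical issue id, merges findings that describe the same issue on the same host, port and path, keeps the highest severity any tool reported, and attaches remediation text so a partner can act on the report between scans. The canonical ids, regex rules, remediation strings and record layout are all this example’s own assumptions.

```python
"""Hypothetical multi-scanner correlation step (example code, not Chimera's).

Merges findings from several tools into one de-duplicated report with
remediation guidance. Record layout and rule tables are assumptions.
"""
import re
from collections import OrderedDict

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Map tool-specific wording to one canonical issue id. The ids and regexes
# are invented for this example; a real mapping would be far larger.
CANON_RULES = [
    (re.compile(r"x-frame-options|clickjacking", re.I), "missing-x-frame-options"),
    (re.compile(r"tlsv?1\.0|sslv[23]", re.I), "legacy-tls-enabled"),
    (re.compile(r"open port", re.I), "open-port"),
]

# Remediation text keyed by canonical id (example wording).
REMEDIATION = {
    "missing-x-frame-options": "Send 'X-Frame-Options: DENY' (or a CSP frame-ancestors "
                               "directive) on every HTML response.",
    "legacy-tls-enabled": "Disable SSLv2, SSLv3 and TLS 1.0 on the TLS terminator; "
                          "offer TLS 1.2 or later only.",
    "open-port": "Confirm the service is meant to be reachable; otherwise firewall it "
                 "or bind it to an internal interface.",
}

# Constructed sample findings (not real tool output formats). Three of them
# describe the same clickjacking issue on the same page with different wording.
RAW_FINDINGS = [
    {"tool": "zap", "host": "app.example.test", "port": 443, "path": "/login",
     "name": "X-Frame-Options Header Not Set", "severity": "low"},
    {"tool": "nikto", "host": "app.example.test", "port": 443, "path": "/login",
     "name": "The anti-clickjacking X-Frame-Options header is not present.", "severity": "info"},
    {"tool": "sslyze", "host": "app.example.test", "port": 443, "path": "",
     "name": "TLSv1.0 supported", "severity": "medium"},
    {"tool": "nmap", "host": "app.example.test", "port": 22, "path": "",
     "name": "open port: ssh", "severity": "info"},
    {"tool": "zap", "host": "APP.example.test", "port": 443, "path": "/login/?next=x",
     "name": "X-Frame-Options header not set", "severity": "low"},
]


def canonical_category(name):
    """Return the canonical issue id for a scanner's finding title."""
    for pattern, category in CANON_RULES:
        if pattern.search(name):
            return category
    # Fallback: slug of the tool's own wording so unknown issues are never dropped.
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")


def normalize_path(path):
    """Strip query string, case and trailing slash so /login and /login/ collide."""
    path = (path or "/").split("?", 1)[0].lower()
    return path.rstrip("/") or "/"


def correlate(findings):
    """Merge raw findings into one entry per (host, port, path, issue)."""
    merged = OrderedDict()
    for f in findings:
        key = (f["host"].lower(), int(f["port"]), normalize_path(f["path"]),
               canonical_category(f["name"]))
        entry = merged.setdefault(key, {
            "host": key[0], "port": key[1], "path": key[2], "category": key[3],
            "severity": "info", "sources": set(), "evidence": [],
        })
        entry["sources"].add(f["tool"])
        entry["evidence"].append(f"{f['tool']}: {f['name']}")
        # Keep the most severe rating any tool assigned to the issue.
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
    report = []
    for entry in merged.values():
        entry["sources"] = sorted(entry["sources"])
        entry["remediation"] = REMEDIATION.get(
            entry["category"], "No remediation text on file; review the evidence manually.")
        report.append(entry)
    # Most severe first, then a stable order by location.
    report.sort(key=lambda e: (-SEVERITY_RANK[e["severity"]], e["host"], e["port"], e["path"]))
    return report


def render_report(report):
    """Render the merged entries as plain text, one block per issue."""
    lines = []
    for e in report:
        lines.append(f"[{e['severity'].upper()}] {e['category']} at {e['host']}:{e['port']}{e['path']}")
        lines.append(f"  reported by: {', '.join(e['sources'])}")
        for ev in e["evidence"]:
            lines.append(f"  evidence: {ev}")
        lines.append(f"  remediation: {e['remediation']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(correlate(RAW_FINDINGS)))
```

The five constructed findings collapse to three report entries: the legacy TLS issue (medium), the clickjacking issue merged from ZAP and Nikto (low, with both tools listed as sources), and the open SSH port (info). The fallback slug in `canonical_category` matters in practice: a finding the rule table does not recognise still appears in the report under the tool’s own wording rather than being discarded.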

Page 19: Secure Salesforce: External Integration Security with Chimera

Chimera Technology

  Chimera’s scanners are entirely Heroku-based

  Architecture allows for massive scaling

  Portal to submit scans and receive results is Force platform-based, allowing for integration with existing Partner portal and AppExchange accounts

  Chimera core code and internal components are written mostly in Python

Page 20: Secure Salesforce: External Integration Security with Chimera

Get Started!

  Chimera will be live on October 1st, 2015

  Links will be live on DeveloperForce - Security

Page 21: Secure Salesforce: External Integration Security with Chimera

What’s Next? Future Work

Page 22: Secure Salesforce: External Integration Security with Chimera

We’re not done yet!

  Chimera will become the primary means of preparing for Security Review

  We want to go one step further towards promoting partner security

  As Chimera becomes more stable, we’ll start to experiment with automatic, periodic scans of live offerings to ensure continuous security for partners and customers

  Threat intelligence and proactive vulnerability notification will become possible for our partners at no cost or burden to them – ensuring partner success on the platform

Page 23: Secure Salesforce: External Integration Security with Chimera

Demo Scan Complete

  Let’s take a look at that scan that we kicked off earlier…

Page 24: Secure Salesforce: External Integration Security with Chimera

Thank you

http://sforce.co/1HHrjRL