Today’s Speakers:
Erin Murray
Global Alliances Manager
CodeScience
Lubdha Dahale
Security Review Operation Analyst
Salesforce
Jeremy Engler
ISV Specialist
CodeScience
Company Introduction
Who is CodeScience?
● Founding partner of the Salesforce Product Development Organization (PDO) Program
● We partner with clients to build solutions on the Salesforce AppExchange
● Named first Master PDO in 2017
● From design to build to implementation, we provide support through the full lifecycle
Client success: 10% of the AppExchange
CodeScience Client Focus:
How to Prep like a Pro
Security Review doesn’t happen in a day
Planning
1. Reframe how you approach it
a. Think of it as a security hardening sprint
2. ISV Partner Agreement
a. Get your ISV Agreement fully executed ASAP
3. Concurrent work
a. Start prepping your deliverables early
b. Don’t wait for the day you want to submit
c. Listing content
4. Organize your resources
a. Security Review folder
Prep
5. Code Scans & Code Review
a. If you need to scan an off-platform system, do it early
b. Search for every instance of the issues that the code scanners find
6. Compliance & Questionnaire
a. Prep this information beforehand
7. Documentation
a. Solution Architecture
b. Use Cases
8. Demo org
a. Use the Trialforce template ID from Salesforce
b. The review team uses the Admin credentials
Submission
9. Contact Info
a. Always use a distribution list
10. Credit Card (Only)
a. Must be able to charge $2700 now and $150/year ongoing
11. Pre-Book Security Review Office Hours
a. Security Review can take between 4 and 6 weeks
b. Ideally, schedule a session 10 weeks after your app is placed in the queue
The SF Security Review Team
Meet the team who reviews your apps
Ops
● Submission Validation
● SR Wizard Guidance
● Trial Template
Reviews
● Periodic Re-Review
● Strategy
● Fees
● Delistings
Prod Sec
● Penetration Testing
● Partner Security Portal
● Technical Office Hours
Salesforce Security Review Teams
The Security Review Process
Operations Check
● The Security Review Operations team reviews each submission for completeness before placing it in the SR queue
● Checks for things like:
○ Unrelated packages in the demo org
○ Incorrect version in the demo org
○ Not marked as “Lightning Ready”
○ Missing Use Case doc
○ Problem with scans or false positive docs
● Log a case after resolving any issues
● You should receive an email once your submission is in the SR queue
Tips to avoid delays in Security Review
● Always provide the Listing ID, Package ID and Version ID related to your case
● Correct credentials for the Web environments and the Native environment (https://login.salesforce.com/)
● Clean scan reports (ZAP, Burp, Chimera or Checkmarx), or attach a supporting False-Positive document
● Hit the “Start Review” button beside the version ID on the Publishing Console
Why apps fail Security Review
● Issues with the package:
○ CRUD/FLS Enforcement
■ Not checking the user’s permissions to do what the code does
■ The #1 failure reason
○ Insecure Storage of Sensitive Data
○ Sensitive Information in Debug
● Issues with the client API/web UI:
○ Password enumeration: the login response reveals whether the username is correct
○ TLS/SSL Configuration
○ XSS Vulnerabilities
● Office Hours
○ Book early
○ Link
Top Vulnerabilities in Security Review
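The CRUD/FLS point above, as an added example that is not part of the deck and not CodeScience code: a hypothetical Apex service that updates a Contact's email, first in the form that draws a CRUD/FLS finding, then with object-level and field-level checks of the running user's permissions. The class, method and exception names are assumptions; the Schema, Security and SOQL APIs used are standard Apex.

```apex
public with sharing class ContactEmailService {

    public class PermissionException extends Exception {}

    // BEFORE (the pattern that fails review): "with sharing" only applies
    // record-level sharing rules. Nothing here checks whether the running
    // user may update Contact at all, or may edit the Email field, so a user
    // whose profile denies both can still change it through this method.
    public static void updateEmailUnchecked(Id contactId, String newEmail) {
        Contact c = [SELECT Id, Email FROM Contact WHERE Id = :contactId];
        c.Email = newEmail;
        update c;
    }

    // AFTER: check object-level (CRUD) and field-level (FLS) permissions of
    // the running user before the query and again before the DML.
    public static void updateEmailChecked(Id contactId, String newEmail) {
        Schema.DescribeSObjectResult contactDescribe = Schema.sObjectType.Contact;

        // Object-level: may this user read and update Contact?
        if (!contactDescribe.isAccessible() || !contactDescribe.isUpdateable()) {
            throw new PermissionException('No read/update access to Contact');
        }

        // Field-level: may this user edit Contact.Email?
        if (!Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new PermissionException('No edit access to Contact.Email');
        }

        // WITH SECURITY_ENFORCED makes the query throw a QueryException if
        // any selected field or object is not readable by the running user,
        // instead of silently returning data the user should not see.
        Contact c = [
            SELECT Id, Email
            FROM Contact
            WHERE Id = :contactId
            WITH SECURITY_ENFORCED
        ];
        c.Email = newEmail;

        // Defence in depth: strip any field the user cannot update before DML
        // and fail loudly if anything was stripped, rather than partially
        // saving. Do not System.debug() the record here: review also flags
        // sensitive data written to debug logs.
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.UPDATABLE, new List<Contact>{ c }
        );
        if (!decision.getRemovedFields().isEmpty()) {
            throw new PermissionException(
                'Fields not updateable by this user: ' + decision.getRemovedFields()
            );
        }
        update decision.getRecords();
    }
}
```

Running the unchecked method as a user whose profile lacks edit on Contact.Email succeeds silently, which is the behaviour the scanners and the review team flag; the checked version throws instead.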
Example Security Findings Report
Note the bolded point at the top of the report: the report starts with a table of contents summarizing the types of vulnerabilities found.
Fail Faster
Turn lemons into success
Have a Plan
● Triage
○ Track each issue like you do bugs
○ Is the issue a False Positive?
○ Identify where the issue/fix resides
○ Assign an Owner and LOE
● Whether a “hero effort” is required depends on your project and deadlines
● Agree on a communication cadence to management
Address the Issues
● Legitimate issues need to be fixed, either in the package or off-platform
● The findings report is not a comprehensive list
○ You need to check for other instances of the same issues in the code
● Off-platform fixes are the biggest risk/effort
○ Schedule that work alongside your existing product roadmap
● Issues in the package will require a new upload
○ Post-SR development in the master branch can hamper SR fixes
○ Keep new development in a new, non-master branch until SR is passed
Resubmit
● Update
○ Code Scans
○ False positive documentation
○ Demo org
● In the Partner Community:
○ Link the new package version to the listing
○ Submit the new package version with all required docs & information
○ Log a case under “Security Review” with the Package ID
● Alert your PAM
Resources
For More Information
● OWASP Top 10 Security Issues list
● Build Secure Apps Trailhead
● Partner Security Portal
● Prevent Common Violations of Secure Coding Guidelines
● Security Review Office Hours
You don’t have to go it alone!
CodeScience Pre-Security Review Service
● ISVs who approach Security Review with a solid plan and partner with some expert assistance typically pass Sec Rev sooner and get to market faster
● Salesforce recently asked CodeScience to help ISVs plan for Security Review, and the CodeScience Pre-Security Review Service is the result!
● Reach out to us at info@codescience.com to start your Pre-Security Review, or visit https://learn.codescience.com/pre-security-review.html for more information
Please Submit Your Questions via Q&A
What would you like to see more of in our
next Security Review webinar?
Let us know in the chat!
Open Q&A
Contact Us:
Thank you
CodeScience
info@codescience.com
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 

10 Tips to Pass Salesforce Security Review (and Steps to Take If You Don’t!)

  • 15. Operations Check
    ● The Security Review Operations team reviews each submission for completeness before placing it in the SR queue
    ● Checks for things like:
      ○ Unrelated packages in the demo org
      ○ Incorrect version in the demo org
      ○ Not marked as “Lightning Ready”
      ○ Missing Use Case doc
      ○ Problems with scans or false-positive docs
    ● Log a case after resolving any issues
    ● You should receive an email once you are in the SR queue
  • 16. Tips to avoid delays in Security Review
    ● Always provide the Listing ID, Package ID and Version ID related to your case
    ● Provide correct credentials to web environments and to the native environment (https://login.salesforce.com/)
    ● Attach clean scan reports (ZAP, Burp, Chimera or Checkmarx) or a supporting false-positive document
    ● Hit the “Start Review” button beside the version ID on the Publishing Console
  • 17. Why apps fail Security Review
    ● Issues with the package:
      ○ CRUD/FLS enforcement
        ■ Not checking the user’s permissions to do what the code does
        ■ #1 failure reason
      ○ Insecure storage of sensitive data
      ○ Sensitive information in debug output
    ● Issues with the client API/web UI:
      ○ Password enumeration: the login response reveals whether the username is correct
      ○ TLS/SSL configuration
      ○ XSS vulnerabilities
    ● Office Hours
      ○ Book early
      ○ Link
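As an added illustration of the #1 failure reason on slide 17 (this is example code written for this page, not code from the CodeScience deck or from Salesforce's own materials; the class name ContactEmailService and its two methods are hypothetical), here is one Contact update written first without CRUD/FLS checks, the way the reviewers commonly see it, and then with object- and field-level security enforced before the query and the DML run:

```apex
// Added example, not from the original slides. The class name and method names are hypothetical.
// "with sharing" enforces record-level sharing rules; it does NOT enforce CRUD or FLS,
// which is why the explicit checks below are still needed.
public with sharing class ContactEmailService {

    // BEFORE: runs in system mode with no CRUD/FLS check. Any user who can reach this
    // method can read and overwrite Contact.Email even if their profile or permission
    // set denies the object or the field. This is the pattern Security Review flags.
    public static void updateEmailUnchecked(Id contactId, String newEmail) {
        Contact c = [SELECT Id, Email FROM Contact WHERE Id = :contactId];
        c.Email = newEmail;
        update c;
    }

    // AFTER: fail closed when the running user lacks the required permissions.
    public static void updateEmailChecked(Id contactId, String newEmail) {
        // Object-level (CRUD): may the running user read and update Contact at all?
        Schema.DescribeSObjectResult contactDescribe = Schema.SObjectType.Contact;
        if (!contactDescribe.isAccessible() || !contactDescribe.isUpdateable()) {
            throw new AccessDeniedException('Running user may not read/update Contact');
        }

        // Field-level (FLS): may the running user update Contact.Email specifically?
        if (!Schema.SObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AccessDeniedException('Running user may not update Contact.Email');
        }

        // WITH SECURITY_ENFORCED makes the SOQL itself throw if any selected field
        // is not readable by the running user, so the read side is checked too.
        Contact c = [SELECT Id, Email FROM Contact
                     WHERE Id = :contactId
                     WITH SECURITY_ENFORCED];

        // Do not log the new value: debug output of sensitive data is a separate
        // finding on the same slide. Log only the record Id if a trace is needed.
        System.debug('Updating Email on Contact ' + c.Id);

        c.Email = newEmail;

        // Defence in depth: strip any field the user cannot update before the DML.
        // Note this call removes fields silently; the explicit isUpdateable() check
        // above is what turns a denied field into an error instead of a no-op.
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.UPDATABLE, new List<Contact>{ c });
        update decision.getRecords();
    }

    // Custom exception so callers can distinguish a permission denial from other errors.
    public class AccessDeniedException extends Exception {}
}
```

The two halves do the same business operation; only the second one respects the running user's CRUD and FLS settings. When you search the code base for other instances of a finding (slide 22), the things to grep for are exactly the unchecked shapes in the first method: a bare SOQL without `WITH SECURITY_ENFORCED` and a bare DML without a preceding describe check or `Security.stripInaccessible` call.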
  • 18. Top Vulnerabilities in Security Review
  • 19. Example Security Findings Report
    Note the bolded point at the top of the report: the report starts with a table of contents summarizing the types of vulnerabilities found.
  • 20. Fail Faster: Turn lemons into success
  • 21. Have a Plan
    ● Triage
      ○ Track each issue like you do bugs
      ○ Is the issue a false positive?
      ○ Identify where the issue/fix resides
      ○ Assign an owner and LOE (level of effort)
    ● It is up to your project and deadlines whether a “hero effort” is required
    ● Agree on a communication cadence to management
  • 22. Address the Issues
    ● Legitimate issues need to be fixed, either in the package or off-platform
    ● The findings report is not a comprehensive list
      ○ You need to check for other instances of the same issues in the code
    ● Off-platform fixes are the biggest risk/effort
      ○ Must schedule that work alongside your existing product roadmap
    ● Issues in the package will require a new upload
      ○ Post-SR development in the master branch can hamper SR fixes
      ○ Keep new dev in a new, non-master branch until SR is passed
  • 23. Resubmit
    ● Update:
      ○ Code scans
      ○ False-positive documentation
      ○ Demo org
    ● In the Partner Community:
      ○ Link the new package version to the listing
      ○ Submit the new package version with all required docs & information
      ○ Log a case under “Security Review” with the Package ID
    ● Alert your PAM
  • 25. For More Information
    ● OWASP Top 10 Security Issues list
    ● Build Secure Apps Trailhead
    ● Partner Security Portal
    ● Prevent Common Violations of Secure Coding Guidelines
    ● Security Review Office Hours
  • 26. You don’t have to go it alone!
  • 27. CodeScience Pre-Security Review Service
    ● ISVs who approach Security Review with a solid plan and partner with some expert assistance typically pass Sec Rev sooner and get to market faster
    ● Salesforce recently asked CodeScience to help ISVs plan for Security Review, and the CodeScience Pre-Security Review Service is the result!
    ● Reach out to us at info@codescience.com to start your Pre-Security Review, or visit https://learn.codescience.com/pre-security-review.html for more information
  • 28. Please Submit Your Questions via Q&A
    What would you like to see more of in our next Security Review webinar? Let us know in the chat!
    Open Q&A