Force.com: Secure Cloud Development
Varun Badhwar Force.com Security Manager
Safe Harbor Statement
“Safe harbor” statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements including but not limited to statements concerning the potential market for our existing service offerings and future offerings. All of our forward looking statements involve risks, uncertainties and assumptions. If any such risks or uncertainties materialize or if any of the assumptions proves incorrect, our results could differ materially from the results expressed or implied by the forward-looking statements we make.
The risks and uncertainties referred to above include - but are not limited to - risks associated with possible fluctuations in our operating results and cash flows, rate of growth and anticipated revenue run rate, errors, interruptions or delays in our service or our Web hosting, our new business model, our history of operating losses, the possibility that we will not remain profitable, breach of our security measures, the emerging market in which we operate, our relatively limited operating history, our ability to hire, retain and motivate our employees and manage our growth, competition, our ability to continue to release and gain customer acceptance of new and improved versions of our service, customer and partner acceptance of the AppExchange, successful customer deployment and utilization of our services, unanticipated changes in our effective tax rate, fluctuations in the number of shares outstanding, the price of such shares, foreign currency exchange rates and interest rates.
Further information on these and other factors that could affect our financial results is included in the reports on Forms 10-K, 10-Q and 8-K and in other filings we make with the Securities and Exchange Commission from time to time. These documents are available on the SEC Filings section of the Investor Information section of our website at www.salesforce.com/investor. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements, except as required by law.
Agenda
Salesforce.com’s Philosophy
Vision
Secure Cloud Development:
– Education
– Secure Design
– Secure Development
– Secure Testing
– Secure Release
Resources
Q&A
Success of cloud computing is dependent on earning and maintaining customer trust
Protecting the privacy of customer data is salesforce.com’s core value
Details available at: http://trust.salesforce.com/trust/security/
Salesforce.com Philosophy
Vision
Value Trust as a Top Priority – Create a security-conscious community encompassing developers / ISVs
Enabling Success – Provide free educational resources, tools and processes that help deliver trusted Force.com applications
Reduce Development Costs – According to NIST*, eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post-release
* NIST – The National Institute of Standards and Technology
Force.com Secure Cloud Development
Phases: Education, Design, Develop, Test, Release
Seamless integration of security into your existing SDLC
Secure Education
Overview of Force.com Security – Learn about the sharing model and various security controls available to org administrators
Developer Training – Get educated on writing secure code on Force.com
Developer Quiz – Assess your security awareness and learn to identify vulnerabilities within Force.com code
Secure Design
Security Resources – Generic Force.com articles and resources. Topics include SAML, sharing, etc.
Security Self-Assessment – Receive a customized report with links to security articles and resources specific to your application architecture
Office Hours – Receive free consultation from a member of the salesforce.com security team
Security Discussion Board – http://community.salesforce.com/t5/Security/bd-p/security
Secure Development
Secure Coding Guidelines – Obtain platform-specific (Force.com, Java, .Net, etc.) recommendations on mitigating security vulnerabilities such as XSS, Injection, Session Management, etc.
Secure Coding Library – Open source library for implementing additional security features (CRUD/FLS, input validation, output encoding, etc.)
– Part of OWASP Enterprise Security API
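As an added illustration of the three controls the library slide names (CRUD/FLS enforcement, input validation via bind variables, and output encoding), here is a short Apex class. It is example code written for this transcript, not code from the slides or from the OWASP ESAPI library; it uses only standard Apex describe and String methods, and the class name, method name and the Contact.Email field choice are assumptions for the example.

```apex
// Added example (not from the original slides): enforce CRUD/FLS, avoid SOQL
// injection, and HTML-encode output before it reaches a Visualforce page.
public with sharing class ContactEmailLookup {

    // Returns the HTML-safe email of one Contact, or null when the running
    // user is not permitted to read Contact or its Email field.
    public static String getEscapedEmail(Id contactId) {
        // CRUD check: does the running user have read access to the object?
        if (!Schema.sObjectType.Contact.isAccessible()) {
            return null;
        }
        // FLS check: does the running user have read access to this field?
        // "with sharing" enforces record-level sharing but NOT field security,
        // so the describe check is still required.
        if (!Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            return null;
        }
        // Bind variable (:contactId) keeps the value out of the query text,
        // which is what prevents SOQL injection; no string concatenation.
        List<Contact> rows = [SELECT Email FROM Contact WHERE Id = :contactId LIMIT 1];
        if (rows.isEmpty() || rows[0].Email == null) {
            return null;
        }
        // Output encoding: encode for an HTML context so a stored value such as
        // <script> is rendered as text if the page uses escape="false".
        return rows[0].Email.escapeHtml4();
    }

    // Validates a caller-supplied search term before it is used in dynamic SOQL.
    // Assumed helper for the example: rejects empty/overlong input and escapes
    // single quotes, since dynamic SOQL cannot use a bind variable inside a string.
    public static String sanitizeSearchTerm(String raw) {
        if (String.isBlank(raw) || raw.length() > 80) {
            return null;
        }
        return String.escapeSingleQuotes(raw.trim());
    }
}
```

The checks run in the order a reviewer would expect them: object-level access, then field-level access, then a bound query, then encoding at the output boundary. Skipping any one of them is what the Security Review step later in this deck looks for.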
Secure Testing
Force.com Security Source Scanner – On-demand static source code analysis tool to help identify potential vulnerabilities within your Apex and Visualforce code
Web Application Security Scanner – Integrating a web application with Force.com? AppExchange partners are entitled to receive a free license for Burp Suite Professional
Secure Release
Salesforce.com Security Review – Periodic security review of AppExchange and OEM applications
– Details published at: http://wiki.developerforce.com/index.php/Security_Review
Incident Response (Coming Soon) – Guidance on engaging with customers and salesforce.com in case of a security incident
Conclusion
Free, ready-to-“consume” resources
Secure Force.com ecosystem
Reduced development costs
Streamlined AppExchange security process
Phases: Education, Design, Develop, Test, Release
Key Resources
Secure Cloud Development Home Page
On-Demand Security Source Code Scanner
Security Discussion Board
AppExchange Security Review
OWASP
Q&A
Security Discussion Board:
http://community.salesforce.com/t5/Security/bd-p/security