Jan 26, 2017by Astha Singhal
The AppExchange Security Review is a crucial part of the Salesforce Partner Program for App Innovators (ISVs). The Security Review is designed to ensure the security of partner offerings and maintain a high bar for the AppExchange ecosystem. This helps partners meet enterprise security expectations and benefits our mutual customers leading to shared success. As we are closing out our fiscal year, I wanted to look back and share some highlights on what has kept us busy this past year.
We performed thousands of security tests in FY17 (Starting February 1, 2016) on apps comprised of technologies including Lightning, Wave, Force.com, Mobile and a variety of other Web Application Frameworks. These security tests helped us prevent at least 5,723 potential vulnerabilities from making it into the Salesforce app ecosystem. It took an average of 2.25 tests for apps to pass the review. Each review submission on an average took 14 days from submission to results. Our main focus this year beyond the security reviews themselves was partner enablement to make sure partners have all the resources they need to be able to pass the security review the first time around.
The most important part of enablement is education and we invested our time in several security education projects. At Dreamforce 2016, we presented multiple talks on secure coding topics and taught three sessions of a hands-on workshop to learn about XSS issues. The talks in the 2016 Security Webinar Series are a great way to review detailed guidance on specific issues.
At Dreamforce, we also released our new trail, “Develop Secure Web Apps”, for learning secure coding the Salesforce way. We will continue to add more content to this trail in FY18 to build a complete hands-on learning path for our App Innovators (ISVs). Complementing the technical content, now the ISV Security Review Module is also live on Trailhead. We improved our security documentation by revising existing secure coding guides and adding new content around topics including Sharing, PostMessage and Secure WebSockets. We even added an updates page so you know when things change. At this point, I am sure you are thinking, “That’s too many things! How do I find them all?”. You can now go to our brand new App Cloud Security Center to find everything Salesforce Security!
Another medium for partner enablement that we prioritize as a team is automation and self-service. It gives our partners all the tools necessary to maintain a secure offering on our ecosystem. The Force.com Source Scanner scanned 1.23 billion lines of code across 41,378 scans and prevented 4.43 million potential security issues in FY17. This year we increased capacity on the scanner from 100 scans per day to 3,000 scans per day which drastically reduced wait times. In addition to support for issue types like CRUD/FLS and JS-based issues, we also increased the max lines of code from 750k to 2.5 million. This enables our partners to scan very large packages and find instances of more issue types. The scanner reports have gotten a facelift with a concise, more readable format. For partners that want to use their own Checkmarx instance, there is now detailed information for better handoff to Checkmarx and they can even download the latest rulesets from Salesforce for free. In FY18, we will continue to invest in improving our rule sets to include new technologies (including Lightning) and to reduce false positives.
As a part of our open source suite of tools, we provide a check in time analysis tool, Providence, that lets you detect anti-patterns in your code as you develop your app. This tool now has a base set of Force.com rules that you can easily deploy on your code management system.
This year, we also open-sourced our penetration test management tool, Vulnreport, along with all Force.com issue types. You can use this to manage internal security tests for your Salesforce apps. For composite app testing, we will continue to improve our Web App Scanner, Chimera, to find more issues automatically and improve report quality. In FY18, we are also looking into integrating all our partner interaction under one unified portal for partners to interface with.
To keep improving the security review process and providing one-on-one guidance, it’s important for us to engage with the partner community. With an increased capacity of office hours in the EMEA time zone, we now have 50% more time slots to resolve partner issues. We had several great conversations with partners, both technical and non-technical, at the Dreamforce Security Booth, Partner Forums and the Partner Security Advisory Council (PSAC). These conversations have driven a lot of the above mentioned efforts and helped guide the roadmap for next year for improvements to the AppExchange Security Review. This feedback loop is very important to us and we are always listening.
In conclusion, FY17 was a busy year, but we have a lot more work to do. In the coming year, Enablement through education, automation and partner engagement is going to remain an important theme for us. We will continue to drive towards a more streamlined, efficient and informed Security Review process.