Understand the Need for App Security
After completing this unit, you’ll be able to:
- Describe what’s at stake in your product’s security.
- Explain the business value of a security review.
- Describe the most common web vulnerabilities.
- Identify unique Salesforce security concerns.
As an AppExchange partner with Salesforce, you’ve chosen to innovate with our platform to create great products for all of our customers. Your innovation inspires ours, and your partnership is essential to our continued success.
At Salesforce, our highest priority is our customers’ trust. As Parker Harris, Salesforce cofounder and EVP of technology says, “Nothing is more important to our company than the privacy of our customers’ data.” Trust requires security.
Did you hear the news? Hackers successfully attacked a large company using the latest security vulnerability. Thousands of private customer records were stolen, including personal and financial information. In response, the company promises to pay for 3 years’ worth of credit protection for everyone affected. Did you get a letter from them?
Every week we hear stories like this. Maybe you or someone you know have even received a letter from one of those companies. We see news stories about ransomware jeopardizing hospital patients or disrupting public transportation. Attackers steal internal company documents and sell them to competitors. These events have become so frequent that we almost expect them now.
Insecure software costs businesses US$4 million on average per incident, according to a Ponemon Institute study. According to another study, by the Center for Strategic and International Studies (CSIS), companies in the United States collectively lose US$100 billion a year to cybercrime.
This brings us back to trust, the number-one value at Salesforce. The previous figures are meant to factor in the indirect cost of rebuilding customer trust, but trust itself is hard to quantify.
Salesforce changed the business world by convincing enterprise customers to store their data in the cloud. It was a tough sell at first, because many of these customers worried about the security of their data. But after years of innovating, building customer trust, and succeeding time and again, Salesforce proved that cloud computing is the best business platform.
At Salesforce, our customers’ success is our success—and yours. Salesforce customers purchase our services on a subscription model. If they can’t trust us—and you—to secure their data, they have no reason to stick around!
As a Salesforce partner, you have an advantage: you’re building your apps on the Salesforce Platform. We built security into our platform so that you don’t have to do it all from scratch. However, we rely on you to use the platform to build your apps in a way that protects your customers’ data. To help you along the way, the Salesforce security team conducts rigorous reviews of all products before green-lighting them for AppExchange.
For our AppExchange partners, passing the security review takes planning and effort, but the payoff is awesome. A passing grade demonstrates your commitment to your customers and adds real value to your product. Customers know that any offering on AppExchange provides the highest level of protection for their data.
At Salesforce, we’re proud of the role we play in securing customer data. And we know that data security is a team effort. So we give you the tools necessary to implement security, and you can rely on them to build secure products.
The Salesforce security review focuses on an app’s vulnerability to the most common attacks. The Product Security team pummels your app with a battery of these attacks. They try their hardest to gain access to the precious data within your product. If they can’t break in, you pass the review!
In this module, we give you the inside information on how to emerge unscathed with your app listed on AppExchange.
The Open Web Application Security Project (OWASP) maintains a comprehensive list of the most common web attacks. The top three items are:
- Injection: untrusted input is passed into a query or command, so the system executes something the developer never intended.
- Session hacking: an attacker gains entry to a secure session by intercepting credentials.
- Cross-site scripting: an application passes unvalidated data to a web browser, allowing malicious code to run.
To pass the security review, you must protect your app against these and every other attack on the OWASP list. Use the list as a guide to develop a minimum level of security in your app. To learn more about these nefarious attacks, check out the Develop Secure Web Apps trail.
One of the unique security features of the Salesforce platform is CRUD/FLS: Create/Read/Update/Delete and Field Level Security. This feature, described in detail in the Data Leak Prevention module, determines who can access individual objects and fields within an org. Because CRUD/FLS governs how objects interact within your app, you must consider it when designing your app. Beware: Failure to properly enforce CRUD/FLS security is the #1 reason apps fail the Security Review. Don’t let it happen to you!
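As an added illustration (not code from this module or from Salesforce), here is an Apex controller that shows the pattern that fails CRUD/FLS enforcement next to its hardened forms. The Contact object and its Email field are standard Salesforce ones; the class and method names are hypothetical.

```apex
// Added example, not from the module. Reads and updates Contact records.
// Note: "with sharing" enforces record-level sharing rules only; it does NOT
// enforce CRUD/FLS, which is why the explicit checks below are still needed.
public with sharing class ContactEmailController {

    // BEFORE: Apex runs in system mode by default, so this query returns Email
    // even for a user whose profile hides the field. This is the pattern that
    // fails the security review.
    public static List<Contact> getContactsUnsafe(Id accountId) {
        return [SELECT Id, LastName, Email FROM Contact WHERE AccountId = :accountId];
    }

    // AFTER (preferred): WITH USER_MODE makes the query respect the running
    // user's object and field permissions. A field the user cannot read raises
    // a QueryException instead of silently leaking the value.
    public static List<Contact> getContacts(Id accountId) {
        return [SELECT Id, LastName, Email FROM Contact
                WHERE AccountId = :accountId WITH USER_MODE];
    }

    // AFTER (alternative for older code paths): query normally, then strip any
    // fields the running user cannot read before the records reach the UI.
    public static List<Contact> getContactsStripped(Id accountId) {
        List<Contact> rows = [SELECT Id, LastName, Email FROM Contact
                              WHERE AccountId = :accountId];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }

    // Write path: verify object-level and field-level update permission
    // explicitly and fail closed if either is missing, then perform the DML
    // in user mode so the platform re-checks CRUD/FLS on the write.
    public static void updateEmail(Id contactId, String newEmail) {
        if (!Schema.sObjectType.Contact.isUpdateable() ||
            !Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AuraHandledException('Insufficient access to update Contact.Email');
        }
        Contact c = new Contact(Id = contactId, Email = newEmail);
        update as user c;
    }
}
```

Running the unsafe method as a user whose profile hides Contact.Email returns the address anyway; the hardened methods either throw or drop the field, which is exactly the behavior the review team looks for.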
It’s rewarding to spend time designing and developing great features. Your salespeople surely value that effort, because it makes your product easy to sell. And certainly your customers appreciate that effort, because they get to enjoy the results.
Security work isn’t so high-profile and glamorous. Try talking about TLS or SHA-2 hashes with a customer, and watch their eyes glaze over. If you love getting kudos for your work, it can be hard to get excited about beefing up your product’s security. Because when you do your job well, no one notices.
But don’t let that stop you. We all know that anyone who thwarts attackers is a superhero. Your customers may never know how much work you put in. But they’ll thank you for your efforts by giving you their business—and recommending your app to others. And aren’t those the best compliments of all?
In the next unit, we walk you through how to create a plan for building a secure app.