Understand the Need for Solution Security
After completing this unit, you’ll be able to:
- Describe what’s at stake in your product’s security.
- Explain the business value of a security review.
- Describe the most common web vulnerabilities.
- Identify unique Salesforce security concerns.
We Value Your Partnership
As an AppExchange partner with Salesforce, you’ve chosen to innovate with our platform to create great products for all of our customers. Your innovation inspires ours, and your partnership is essential to our continued success.
At Salesforce, our highest priority is our customers’ trust. As Parker Harris, Salesforce cofounder and EVP of technology says, “Nothing is more important to our company than the privacy of our customers’ data.” Trust requires security.
Security in the Internet Age
Did you hear the news? Hackers successfully attacked a large company using the latest security vulnerability. Thousands of private customer records were stolen, including personal and financial information. In response, the company promises to pay for 3 years’ worth of credit protection for everyone affected. Did you get a letter from them?
Every week we hear stories like this. Maybe you or someone you know have even received a letter from one of those companies. We see news stories about ransomware jeopardizing hospital patients or disrupting public transportation. Attackers steal internal company documents and sell them to competitors. These events have become so frequent that we almost expect them now.
Insecure software costs businesses US$4 million on average per incident, according to a Ponemon Institute study. According to another by the Center for Strategic and International Studies (CSIS), companies in the United States collectively lose US$100 billion a year to cybercrime.
Without Security, There Is No Trust
This brings us back to trust, the number-one value at Salesforce. The previous figures are meant to factor in the indirect cost of rebuilding customer trust, but trust itself is hard to quantify.
Salesforce changed the business world by convincing enterprise customers to store their data in the cloud. It was a tough sell at first, because many of these customers worried about the security of their data. But after years of innovating, building customer trust, and succeeding over and over, Salesforce proved that cloud computing is the best business platform.
At Salesforce, our customers’ success is our success—and yours. Salesforce customers purchase our services on a subscription model. If they can’t trust us—and you—to secure their data, they have no reason to stick around!
Security Requires Commitment
As a Salesforce partner, you have an advantage: you’re building your solutions on the Salesforce Platform. We built security into our platform so that you don’t have to do it all from scratch. However, we rely on you to use the platform to build your apps, components, and other solutions in ways that protect your customers’ data. To help you along the way, the Salesforce security team conducts rigorous reviews of all products before green-lighting them for AppExchange.
For our AppExchange partners, passing the security review takes planning and effort, but the payoff is awesome. A passing grade demonstrates your commitment to your customers and adds real value to your product. Customers know that any offering on AppExchange provides the highest level of protection for their data.
Help Us Help You
At Salesforce, we’re proud of the role we play in securing customer data. And we know that data security is a team effort. So we give you the tools necessary to implement security, and you can rely on them to build secure products.
Learn to Recognize and Neutralize Threats
The Salesforce security review focuses on a solution’s vulnerability to the most common attacks. The Product Security team pummels your solution with a battery of these attacks. They try their hardest to gain access to the precious data within your solution. If they can’t break in, you pass the review!
In this module, we give you the inside information on how to emerge unscathed with your solution listed on AppExchange. We step through our security review process using a Lightning-compatible app developed as a second-generation (2GP) managed package. If you have another type of solution, things might look a little different to you. However, the security review process and principles are the same.
The Top 10 Web Security Threats
The Open Web Application Security Project (OWASP) maintains a comprehensive list of the most common web attacks. The top three items are:
- Injection: a query sends bad data to a system in an attempt to do damage.
- Session hacking: an attacker gains entry to a secure session by intercepting credentials.
- Cross-site scripting: a solution passes unvalidated data to a web browser, allowing malicious code to run.
To pass the security review, you must protect your solution against these and every other attack on the OWASP list. Use the list as a guide to develop a minimum level of security in your solution. To learn more about these nefarious attacks, check out the Develop Secure Web Apps trail.
One of the unique security features of the Salesforce platform is CRUD/FLS: Create/Read/Update/Delete and Field Level Security. This, described in detail in the Secure Server-Side Development Trailhead module, feature determines who can access individual objects and fields within an org. Because CRUD/FLS is related to how objects interact within your solution, you must consider it when designing your product. Beware: Failure to properly enforce CRUD/FLS security is the #1 reason solutions fail the security review. Don’t let it happen to you!
Do It Right and No One Will Notice
It’s rewarding to spend time designing and developing great features. Your salespeople surely value that effort, because it makes your product easy to sell. And certainly your customers appreciate that effort, because they get to enjoy the results.
Security work isn’t so high-profile and glamorous. Try talking about TLS or SHA-2 hashes with a customer, and watch their eyes glaze over. If you love getting kudos for your work, it can be hard to get excited about beefing up your solution’s security. Because when you do your job well, no one notices.
But don’t let that stop you. We all know that anyone who thwarts attackers is a superhero. Your customers may never know how much work you put in. But they’ll thank you for your efforts by giving you their business—and recommending your solution to others. And aren’t those the best compliments of all?
In the next unit, we walk you through how to create a plan for building a secure solution.