Get Started with Application Security
Over the past five years, criminals have increasingly found ways to steal from businesses through applications—particularly web-based applications. You’ve most likely seen many news reports of stolen credit cards, exposed passwords, and defaced websites.
So it’s important to make sure your custom web applications are secure. Salesforce is constantly striving to make our platform as secure as possible. Because we are a platform, we release some of that security control to you, so you have the flexibility you need to meet the business requirements of your organization. As a result, security for the apps you develop on the Lightning Platform is a joint responsibility between Salesforce and you.
Many think the Salesforce admin is responsible for protecting end users, but developers also have an important role to play. The admin configures many of the security policies to protect the org’s data and users, but it’s up to the developers to ensure that these configurations are enforced in custom applications.
If you’re developing applications to release on the AppExchange, your role in application security becomes even more significant. Before an application can be released, a Salesforce security expert must look at the application’s source code as well as any external integrations to ensure proper security standards are followed. This is called a security review. Only after an application passes the security review with zero security findings can it be released onto the AppExchange. The security review also prepares our partners and developers to meet the enterprise security standards that most of their future customers will ask for.
To teach you how to handle different security issues you might encounter while developing on the Lightning Platform, we’ll use a sample app called Kingdom Management. In this module you’ll assume the role of the lead Apex developer for the app, which lets castle-dwelling users track their inventory. You follow news about security breaches across the globe, and you’re worried about all the custom code you’ve created. You know you’ll have to pass a security review by the Salesforce security team to list your app on the AppExchange. Are there vulnerabilities in your app that can be used to expose your customers’ data?
This module teaches you about the different security issues that you should consider when developing on the Lightning Platform. You’ll learn how to spot, exploit, and mitigate vulnerabilities in the Kingdom Management app in the hope of passing the AppExchange security review on the first try!
A developer edition org is a safe environment where you can practice the skills you’re learning, and you’ll definitely need one as you work through the challenges here on Trailhead. Don’t worry—we’re not going to teach you how to write vulnerable Lightning Platform code. Instead, we’ve created a special org that has vulnerable applications already deployed for you to practice in. Your job will be to identify the vulnerabilities and to fix them.
To get set up in the Kingdom Management developer org, you’ll need to sign up:
- Go to the custom sign-up page for the Kingdom Management developer org.
- Fill out the form using an active email address and click Sign Me Up.
- Check your email for an activation request.
- Click the link in the email, and complete your registration by setting a new password and challenge question.
After you have your Kingdom Management developer username, you’ll be ready to start learning how to defend your users and data using application security.