Devise Your Security Strategy
Learning Objectives
After completing this unit, you’ll be able to:
- Identify who on your team is responsible for security.
- List the resources that help you learn to develop secure software.
- Describe when to consider security in developing your solution.
Security Needs Ownership
Your company has rules about who gets access to what information. When you came to work today, maybe you used a key or a badge to enter the office. You probably know the procedure for inviting family members and vendors to visit. And hopefully you don’t often witness total strangers wandering in and snooping around, but if it happens, you know what to do!
Specific people are in charge of setting and enforcing these rules. Sometimes there’s even a person in charge with a fancy title like chief security officer. That person thinks about the security of your company’s information all the time.
Who Owns Your Solution’s Security?
The customer data in your solution also needs protection, just like the information in your company. Does your development team have a chief security officer?
It’s true that security is everyone’s responsibility, but developers are busy folks. Things can get lost in the hustle of getting a solution market-ready. To make sure that security remains a priority, consider appointing a security advocate to your team. A security advocate is your team’s chief security officer—they think about your solution’s security all the time.
Learn to Write Secure Code
After you get your team thinking about security, the next step is to find out more about building secure software. There are several resources available to you, some of which we mentioned in the last unit.
Resource | What It Offers |
---|---|
OWASP Top 10 | A list of the most common web app vulnerabilities |
Secure Coding Guidelines | A collection of web security flaws commonly found during security audits |
AppExchange Security Requirements Checklist (login required) | Issues explained by technology and solution type |
Develop Secure Web App Trail | Comprehensive set of training modules that cover all main security topics specific to the Salesforce Platform |
Everyone Is Responsible
Your security advocate can be a resource for your team, but remember that security is everyone’s responsibility. The more familiar your developers are with these issues, the better they are at recognizing and addressing them.
Security Is a Key Feature, Not an Add-On
Hey, that app you’re working on sounds fabulous! The world doesn’t get to see it until it launches, though. When’s it going to be ready?
Nobody wants to be the one standing between a solution and its release. Your sales and marketing teams don’t like unexpected delays, and they won’t let you forget it. So imagine how tense things can be if your launch date gets pushed back because the Salesforce Product Security team finds a vulnerability. If it’s a minor issue, it’s easy to fix. But if you have to go back and change your design because of a fundamental security flaw, you’re facing extra work and a potentially long delay.
Consider Security in Each Stage of Development
Whatever methodology you use to write your software, make sure that your team thinks about security from the beginning. Apply secure design patterns and programming practices at every stage of development, and test your solution against attacks. Here are several things you can do to improve security throughout the development process.
- Design: The best bugs are the ones you don’t have to fix. There’s no substitute for good software design, and a secure design beats an insecure design any day. Pay attention to how you expect users to interact with features, and be sure to identify related vulnerabilities. Then define specific use cases that highlight these vulnerabilities.
- Implementation: If you have daily scrums, get your security advocate to engage with team members on secure coding strategies. Regularly use Salesforce Code Analyzer, or a similar unified code scanning tool, to identify vulnerabilities as you develop your code. Code reviews are another great forum for discussing security issues. Incorporate secure coding guidelines into your coding style guide. (You do have a style guide, don’t you?)
- Test: You need a specific plan to test your solution’s vulnerability to attacks. Design tests so that they’re repeatable, and apply them consistently throughout the development of the solution.
For a comprehensive picture of web security and testing, check out the OWASP Testing Guide. It can help you put together your own plan.
Secure the Whole Solution
When we talk about building a secure solution, we mean the whole thing. That includes the pieces that live outside our platform, like components or services that you host outside Salesforce. And don’t forget to include your lovely native mobile apps in your security plan. They need protection, too.
Remember:
- An attacker needs only one unguarded entry point in your solution to ruin your day. Or month. A coherent strategy for security helps you create a bulletproof solution.
- Security is everyone’s responsibility, but you can help your team keep it in mind by having a security advocate who owns it.
- Your team can learn about secure software development using the interactive resources we give you.
- Every stage of development comes with its own security considerations.
Resources
- External Site: OWASP Top 10 Most Critical Web Application Security Risks
- Trailhead: Develop Secure Web App Trail
- Salesforce Site: Secure Coding Guidelines
- Salesforce Partner Community: AppExchange Security Requirements Checklist (login required)
- External Site: OWASP Web Security Testing Guide
- Salesforce Site: Salesforce Code Analyzer
- Salesforce Site: Security Developer Center