How to Publish & Certify your App Aarti Kumar & Shay Casey
AppExchange Partner Lifecycle There are 3 steps in the process:
3 What is AppExchange Certification? To list your commercial application on the AppExchange, we must certify that your application meets our requirements and best practices around security. This helps: CustomersHave trust in third party solutions that work with salesforce.com PartnersBe successful in selling solutions that span multiple systems to salesforce.com customers salesforce.comBuild a trust-worthy AppExchange ecosystem
AppExchange Certification – What, When, Who? A review of: Qualitative Security: Policies and practices review Quantitative Security: Penetration testing When is certification required? From March 15 th, 2007 security certification is required for all new commercial applications Existing commercial applications that were not previously security certified must do so within this year Who should be involved? Technical resources – architect, developer, IT resource, operations resource, information security resource etc
Application Elements Native No code, no external systems AJAX AJAX S-control code only Excludes S-controls that communicate with external systems Software On premise desktop or server software Includes browser plugins delivered as S-controls On Demand Other Host External service, unmanaged host On Demand Cert Host Ext. service, managed host (Opsource, Rackspace) Approved hosting providers using pre- certified configurations A given AppExchange application can have multiple components, each of which has its own certification requirements: Runs entirely on Apex Platform; Certification not applicable Depends on services or software outside of Apex; Certification available
Security Review Matrix SoftwareOn Demand (Certified Host) On Demand Network Host App Ops Questionnaire System Tests
Certification/Re-certification Process PrepareTestPass Execute agreement and PO for $5K Determine relevant questionnaire and tests for your app Software, On Demand (Cert Host), On Demand Execute dry run tests Attend interview conducted by Symantec or KPMG Organize resources / teams for appropriate tests Network vs App, etc Conduct testing with salesforce.com Certification Contact Receive Certification badge on listing Receive Client ID for deploying to Professional Edition users 1 2 3
Certification Process Pass All Qualitative question areas No Medium or High warnings All Quantitative tests No Medium or High warnings Fail Repeat specific area of assessment (at additional cost) Or repeat entire assessment if remediation has broad impact
Sample Report RiskEase of ExploitBusiness ImpactRecommendation Shared Encryption Key Stored In Compiled Application The key used to decrypt the Salesforce.com password is compiled into the application. In addition, the same encryption key is used for all customer installations. Sophisticated. An attacker would need to gain access to the target application servlet in order to decompile the servlet and compromise the encryption key. Note that existing clients could access their servlet to compromise the encryption key, but would need to gain access to another client’s application servlet to compromise that client’s Salesforce.com credentials High. It is possible that Salesforce.com authentication credentials could be compromised. The encryption key used to decrypt Salesforce.com authentication credentials should be stored in a Java KeyStore (JKS). A JKS would provide defense-in-depth in case the application servlet is compromised. In addition, different encryption keys should be used for each customer installation. Outdated Apache Version The web server appears to be running versions of Apache that is not up to date Trivial. There is at least one publicly available proof of concept. Please refer to: /Nov/0022.html CVE High. A remote attacker may be able to cause a Denial of Service to the server. Apache version: The tested configuration was not compromised during testing. The server should be upgraded to ensure those future configurations are not vulnerable. Upgrade to latest version of Apache available from the Apache Foundation
Test Detail: Network Questionnaire Firewall, IDS and NAT configuration Network access policies & procedures Log monitoring System Test Must pass Nessus with no medium or high warnings Test for open ports, known vulnerabilities, SSL config, etc Conduct dry run test with Nessus or Qualys
Test Detail: Host Questionnaire Host configuration Access & password policies Patching & maintenance policies Physical Security System Test None
Test Detail: App Questionnaire Software development processes Common vulnerabilities (buffer overflow, cross site scripting, SQL injection, etc) App user & password management Salesforce user & password management System Test Application Penetration Testing tools Authentication mechanism (i.e. password length) Injection attacks (XSS, SQL)
Test Detail: Operations Questionnaire HR (employee security policies & security training) Business Continuity Incident Response Procedure documentation & change management System Test None
Building your listing Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing Frequently Asked Questions
Get to know the AppExchange Listing Title Abstract TD/ GIN Thumbnail Additional Resources Logo
Building your listing: Agenda Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing Frequently Asked Questions
Select the Setup for your Application Demonstrate your application using: Distribute your application through: or
Select the Setup for your Application Demonstrate your application using: Distribute your application through: or
Demonstrate your Application through: Fully functional read only version of the application Allow customers to “kick the tires” Present data in a dynamic working environment Appropriate for all Native applications and some Composite applications
For applications that are too complicated to demonstrate through a Test Drive Demonstrates the functionality of the application Walkthrough of the application- “A day in the life” Appropriate for some Composite applications and all Client applications Demonstrate your Application through:
Demo- Suggested Format 1.Overview- Quick introduction to the demo and a discussion of the value proposition. 2.Step by Step – Show everyday use of the application Outline the functionality a user will see- show it in action! How does your application interact with Salesforce.com- do you create data in a custom object? Do you import leads? What are the steps that make this happen? 3.Additional info and conclusion
Additional Considerations in Building a Market your demo toward Salesforce.com users Stay away from marketing your company Screenshots are a must! Remember: you only have 60 seconds to grab a customer’s attention.
Select the Setup for your Application Demonstrate your application using: Distribute your application through: or
Distribute your Application Through: Deploy your custom salesforce.com application at the click of a button Automatically install various elements ranging from Custom Tabs to Pre-Made dashboards Appropriate for all Native and Composite applications
Distribute your Application Through: For applications where an immediate installation is not available: Hardware Appliances Integration services Applications that require contact with direct sales or consulting services The Learn More landing page provides: Additional information about the application Sales contact information Marketing directed towards a salesforce.com customer The “Get It Now” should be packaged and left private
Distribute your Application Through: For applications that install directly to the users desktop or external services that do not use the salesforce.com interface Links to a landing page with more information about the download (not just a direct link to the file)
How do I enable these buttons? By default only Get It Now and Test Drive are available for your listing Other buttons – Demo, Learn More, Download- need to be enabled by salesforce.com for an evaluation of your
Building your listing: Agenda Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing –Tips and Tricks! Frequently Asked Questions
Use the Listing Form as a Guide Use the form when writing your copy for the listing. Log into and click on edit for your listingwww.appexchange.com You can now see the text limitations for each item
Title and Logo Title- the name of your product - should not include “for AppExchange” Logo- Your 60x60 record cover
Thumbnail and Screenshot Two separate files Thumbnail is 160x115
Datasheet and Customization Guide Datasheet- Two page summary of key information Customization Guide- For applications that require additional setup or customization to function Step by Step walkthrough for System Admins Adding page layouts for standard salesforce.com objects and tabs Any steps that are needed to activate the application
Presentation Excellent supplement to a Test Drive Give the business value of your application Use any format
Building your listing: Agenda Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing Frequently Asked Questions
FAQ: I don’t have a listing! Log into the publisher area of Native/ Composite application- After you package and register your first version you will see your listing in the manage my apps area. Client Application- you will need to request a listing from support Log in to the publisher area of Click Manage My Publisher Profile and create a profile Click “Request Assistance” and log a case for a new listing
FAQ: My publisher tab is blank! Your publisher profile needs to match the username associated with the profile you created. It will always be in the format of an address e.g. Tip: When in doubt – after clicking Assign Publisher Profile just click My Publisher Profile
FAQ: My Publisher Tab is Blank!
Questions? Send to Click on request assistance under Manage My Apps