Download presentation
Presentation is loading. Please wait.
1
AppExchange Security Certification
Aarti Kumar Program Manager
2
What is Security Certification?
To list your commercial application on the AppExchange, we must certify that your application meets our requirements and best practices around security. This helps: Customers Have trust in third party solutions that work with salesforce.com Partners Be successful in selling solutions that span multiple systems to salesforce.com customers salesforce.com Build a trust-worthy AppExchange ecosystem
3
Security Certification – What, When, Who?
A review of: Qualitative Security: Policies and practices review Quantitative Security: Penetration testing When is security certification required? From March 15th, 2007 security certification is required for all new commercial applications Existing commercial applications that were not previously security certified must do so within this year Who should be involved? Technical resources – architect, developer, IT resource, operations resource, information security resource etc
4
Application Elements A given AppExchange application can have multiple components, each of which has its own certification requirements: Native No code, no external systems AJAX AJAX S-control code only Excludes S-controls that communicate with external systems Software On premise desktop or server software Includes browser plugins delivered as S-controls On Demand Cert Host Ext. service, managed host (Opsource, Rackspace) Approved hosting providers using pre-certified configurations On Demand Other Host External service, unmanaged host Native: Adoption Dashboards AJAX: Mass update No external integration Software: Active Prime On-demand: hosted applications – like salesforce.com Integration with external hosted service Cert Host: certified 2 hosting providers Opsource and Rackspace Worked out an AppExchange configuration package with them Meets our certification requirements Certification applicable only for Last 3 buckets as integrating with external services Important that you identify which category you belong to Runs entirely on Apex Platform; Certification not applicable Depends on services or software outside of Apex; Certification available
5
Test Types & Categories
Qualitative assessment of security based on questions & answers Active security testing of various system components via standard tools Questionnaire System Test Test Categories Network Host Application Operations Network configuration, IDS, firewall, etc Operating system and component configuration, patching, etc Application construction, authentication, etc Operations procedures, data access, etc
6
Security Review Matrix
Software On Demand (Certified Host) On Demand Network Host App Ops Questionnaire System Tests
7
Test Detail: Network Questionnaire System Test
Firewall, IDS and NAT configuration Network access policies & procedures Log monitoring System Test Must pass Nessus with no medium or high warnings Test for open ports, known vulnerabilities, SSL config, etc Conduct dry run test with Nessus or Qualys
8
Test Detail: Host Questionnaire System Test Host configuration
Access & password policies Patching & maintenance policies Physical Security System Test None
9
Test Detail: App Questionnaire System Test
Software development processes Common vulnerabilities (buffer overflow, cross site scripting, SQL injection, etc) App user & password management Salesforce user & password management System Test Application Penetration Testing tools Authentication mechanism (i.e. password length) Injection attacks (XSS, SQL)
10
Test Detail: Operations
Questionnaire HR (employee security policies & security training) Business Continuity Incident Response Procedure documentation & change management System Test None
11
Security Certification/Re-certification Process
1 2 3 Prepare Test Pass Execute agreement and PO for $5K Complete pre-qualification questionnaire Attend Certification consultation (optional) Determine relevant questionnaire and tests for your app Software, On Demand (Cert Host), On Demand Execute dry run tests Attend interview Organize resources / teams for appropriate tests Network vs App, etc Conduct testing with salesforce.com Certification Contact Some tests may be done by a third party (Symantec) Receive Certification badge on listing Receive Client ID for deploying to Professional Edition users
12
Security Certification Process
Pass All Qualitative question areas No Medium or High warnings All Quantitative tests Fail Repeat specific area of assessment (at additional cost) Or repeat entire assessment if remediation has broad impact
13
Sample Report Risk Ease of Exploit Business Impact Recommendation
Shared Encryption Key Stored In Compiled Application The key used to decrypt the Salesforce.com password is compiled into the application. In addition, the same encryption key is used for all customer installations. Sophisticated. An attacker would need to gain access to the target application servlet in order to decompile the servlet and compromise the encryption key. Note that existing clients could access their servlet to compromise the encryption key, but would need to gain access to another client’s application servlet to compromise that client’s Salesforce.com credentials High. It is possible that Salesforce.com authentication credentials could be compromised. The encryption key used to decrypt Salesforce.com authentication credentials should be stored in a Java KeyStore (JKS). A JKS would provide defense-in-depth in case the application servlet is compromised. In addition, different encryption keys should be used for each customer installation. Outdated Apache Version The web server appears to be running versions of Apache that is not up to date Trivial. There is at least one publicly available proof of concept. Please refer to: CVE High. A remote attacker may be able to cause a Denial of Service to the server. Apache version: The tested configuration was not compromised during testing. The server should be upgraded to ensure those future configurations are not vulnerable. Upgrade to latest version of Apache available from the Apache Foundation
14
Next Steps Start thinking of security certification right away
Contact your Partner Success Manager for starting the process For questions/feedback contact:
15
Top 5 things to remember about Security Certification
From March 15th certification is required for all new AppExchange applications Comprises of 2 types of assessments conducted by Symantec: Qualitative: question and answer round to review policies and procedures Quantitative: conduct network and application penetration test Security certification is an annual process Once certified, get access to Professional Edition orgs For more details, visit:
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.