Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Publish & Certify your App Aarti Kumar & Shay Casey

Published byPhebe Boone Modified over 9 years ago

Similar presentations

Presentation on theme: "How to Publish & Certify your App Aarti Kumar & Shay Casey"— Presentation transcript:

1 How to Publish & Certify your App Aarti Kumar & Shay Casey AppExchangePartners@salesforce.com

2 AppExchange Partner Lifecycle There are 3 steps in the process: http://www.appexchange.com/abc

3 3 What is AppExchange Certification? To list your commercial application on the AppExchange, we must certify that your application meets our requirements and best practices around security. This helps: CustomersHave trust in third party solutions that work with salesforce.com PartnersBe successful in selling solutions that span multiple systems to salesforce.com customers salesforce.comBuild a trust-worthy AppExchange ecosystem

4 AppExchange Certification – What, When, Who?  A review of:  Qualitative Security: Policies and practices review  Quantitative Security: Penetration testing  When is certification required?  From March 15 th, 2007 security certification is required for all new commercial applications  Existing commercial applications that were not previously security certified must do so within this year  Who should be involved?  Technical resources – architect, developer, IT resource, operations resource, information security resource etc

5 Application Elements Native No code, no external systems AJAX AJAX S-control code only Excludes S-controls that communicate with external systems Software On premise desktop or server software Includes browser plugins delivered as S-controls On Demand Other Host External service, unmanaged host On Demand Cert Host Ext. service, managed host (Opsource, Rackspace) Approved hosting providers using pre- certified configurations A given AppExchange application can have multiple components, each of which has its own certification requirements: Runs entirely on Apex Platform; Certification not applicable Depends on services or software outside of Apex; Certification available

6 Security Review Matrix SoftwareOn Demand (Certified Host) On Demand Network Host App Ops Questionnaire System Tests

7 Certification/Re-certification Process PrepareTestPass  Execute agreement and PO for $5K  Determine relevant questionnaire and tests for your app  Software, On Demand (Cert Host), On Demand  Execute dry run tests  Attend interview conducted by Symantec or KPMG  Organize resources / teams for appropriate tests  Network vs App, etc  Conduct testing with salesforce.com Certification Contact  Receive Certification badge on listing  Receive Client ID for deploying to Professional Edition users 1 2 3

8 Certification Process  Pass  All Qualitative question areas No Medium or High warnings  All Quantitative tests No Medium or High warnings  Fail  Repeat specific area of assessment (at additional cost)  Or repeat entire assessment if remediation has broad impact

9 Sample Report RiskEase of ExploitBusiness ImpactRecommendation Shared Encryption Key Stored In Compiled Application The key used to decrypt the Salesforce.com password is compiled into the application. In addition, the same encryption key is used for all customer installations. Sophisticated. An attacker would need to gain access to the target application servlet in order to decompile the servlet and compromise the encryption key. Note that existing clients could access their servlet to compromise the encryption key, but would need to gain access to another client’s application servlet to compromise that client’s Salesforce.com credentials High. It is possible that Salesforce.com authentication credentials could be compromised. The encryption key used to decrypt Salesforce.com authentication credentials should be stored in a Java KeyStore (JKS). A JKS would provide defense-in-depth in case the application servlet is compromised. In addition, different encryption keys should be used for each customer installation. Outdated Apache Version The web server appears to be running versions of Apache that is not up to date Trivial. There is at least one publicly available proof of concept. Please refer to: http://seclists.org/fulldisclosure/ 2004/Nov/0022.html CVE-2004-0942 High. A remote attacker may be able to cause a Denial of Service to the server. Apache version: 2.0.52 The tested configuration was not compromised during testing. The server should be upgraded to ensure those future configurations are not vulnerable. Upgrade to latest version of Apache available from the Apache Foundation

10 Test Detail: Network  Questionnaire  Firewall, IDS and NAT configuration  Network access policies & procedures  Log monitoring  System Test  Must pass Nessus with no medium or high warnings  Test for open ports, known vulnerabilities, SSL config, etc  Conduct dry run test with Nessus or Qualys

11 Test Detail: Host  Questionnaire  Host configuration  Access & password policies  Patching & maintenance policies  Physical Security  System Test  None

12 Test Detail: App  Questionnaire  Software development processes  Common vulnerabilities (buffer overflow, cross site scripting, SQL injection, etc)  App user & password management  Salesforce user & password management  System Test  Application Penetration Testing tools  Authentication mechanism (i.e. password length)  Injection attacks (XSS, SQL)

13 Test Detail: Operations  Questionnaire  HR (employee security policies & security training)  Business Continuity  Incident Response  Procedure documentation & change management  System Test  None

14 Building your listing Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing Frequently Asked Questions

15 Get to know the AppExchange Listing Title Abstract TD/ GIN Thumbnail Additional Resources Logo

16 Building your listing: Agenda Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing Frequently Asked Questions

17 Select the Setup for your Application Demonstrate your application using: Distribute your application through: or

18 Select the Setup for your Application Demonstrate your application using: Distribute your application through: or

19 Demonstrate your Application through:  Fully functional read only version of the application  Allow customers to “kick the tires”  Present data in a dynamic working environment  Appropriate for all Native applications and some Composite applications

20  For applications that are too complicated to demonstrate through a Test Drive  Demonstrates the functionality of the application  Walkthrough of the application- “A day in the life”  Appropriate for some Composite applications and all Client applications Demonstrate your Application through:

21 Demo- Suggested Format 1.Overview- Quick introduction to the demo and a discussion of the value proposition. 2.Step by Step –  Show everyday use of the application  Outline the functionality a user will see- show it in action!  How does your application interact with Salesforce.com- do you create data in a custom object? Do you import leads? What are the steps that make this happen? 3.Additional info and conclusion

22 Additional Considerations in Building a  Market your demo toward Salesforce.com users  Stay away from marketing your company  Screenshots are a must!  Remember: you only have 60 seconds to grab a customer’s attention.

23 Select the Setup for your Application Demonstrate your application using: Distribute your application through: or

24 Distribute your Application Through:  Deploy your custom salesforce.com application at the click of a button  Automatically install various elements ranging from Custom Tabs to Pre-Made dashboards  Appropriate for all Native and Composite applications

25 Distribute your Application Through:  For applications where an immediate installation is not available:  Hardware Appliances  Integration services  Applications that require contact with direct sales or consulting services  The Learn More landing page provides:  Additional information about the application  Sales contact information  Marketing directed towards a salesforce.com customer  The “Get It Now” should be packaged and left private

26 Distribute your Application Through:  For applications that install directly to the users desktop or external services that do not use the salesforce.com interface  Links to a landing page with more information about the download (not just a direct link to the file)

27 How do I enable these buttons?  By default only Get It Now and Test Drive are available for your listing  Other buttons – Demo, Learn More, Download- need to be enabled by salesforce.com  Email AppExchangePartners@salesforce.com for an evaluation of your application@salesforce.com

28 Building your listing: Agenda Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing –Tips and Tricks! Frequently Asked Questions

29 Use the Listing Form as a Guide  Use the form when writing your copy for the listing. Log into www.appexchange.com and click on edit for your listingwww.appexchange.com  You can now see the text limitations for each item

30 Title and Logo  Title- the name of your product - should not include “for AppExchange”  Logo- Your 60x60 record cover

31 Thumbnail and Screenshot  Two separate files  Thumbnail is 160x115

32 Datasheet and Customization Guide  Datasheet- Two page summary of key information  Customization Guide- For applications that require additional setup or customization to function  Step by Step walkthrough for System Admins  Adding page layouts for standard salesforce.com objects and tabs  Any steps that are needed to activate the application

33 Presentation  Excellent supplement to a Test Drive  Give the business value of your application  Use any format

34 Building your listing: Agenda Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing Frequently Asked Questions

35 FAQ: I don’t have a listing!  Log into the publisher area of https://www.salesforce.com/appexchange/publishing.jsp  Native/ Composite application- After you package and register your first version you will see your listing in the manage my apps area.  Client Application- you will need to request a listing from support  Log in to the publisher area of www.appexchange.comwww.appexchange.com  Click Manage My Publisher Profile and create a profile  Click “Request Assistance” and log a case for a new listing

36 FAQ: My publisher tab is blank!  Your publisher profile needs to match the username associated with the profile you created.  It will always be in the format of an email address e.g. jdailey@salesforce.comjdailey@salesforce.com  Tip: When in doubt – after clicking Assign Publisher Profile just click My Publisher Profile

37 FAQ: My Publisher Tab is Blank!

38 Questions?  Send email to AppExchangePartners@salesforce.com  Click on request assistance under Manage My Apps

Download ppt "How to Publish & Certify your App Aarti Kumar & Shay Casey"

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
SP Business Suite Deployment Kick-off

SP Business Suite Deployment Kick-off
© 2012 All rights reserved to Ceedo. Flexible Desktops. Dynamic Workplace. Ceedo Client Offerings For Service Providers Ceedo Client Workspace Virtualization.

© 2012 All rights reserved to Ceedo. Flexible Desktops. Dynamic Workplace. Ceedo Client Offerings For Service Providers Ceedo Client Workspace Virtualization.
OVERVIEW TEAM5 SOFTWARE The TEAM5 software manages personnel and test data for personal ESD grounding devices. Test and personnel data may be viewed/reported.

OVERVIEW TEAM5 SOFTWARE The TEAM5 software manages personnel and test data for personal ESD grounding devices. Test and personnel data may be viewed/reported.
Compliance on Demand. Introduction ComplianceKeeper is a web-based Licensing and Learning Management System (LLMS), that allows users to manage all Company,

Compliance on Demand. Introduction ComplianceKeeper is a web-based Licensing and Learning Management System (LLMS), that allows users to manage all Company,
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
ManageEngine TM Applications Manager 8 Monitoring Custom Applications.

ManageEngine TM Applications Manager 8 Monitoring Custom Applications.
1 Technology Readiness Maryland 2014-2015. 2014/2015 Admin Schedule 2 AssessmentOnline/CBT Testing Dates PARCC - PBAMarch 2 – May 8 MSA ScienceApril 13.

1 Technology Readiness Maryland /2015 Admin Schedule 2 AssessmentOnline/CBT Testing Dates PARCC - PBAMarch 2 – May 8 MSA ScienceApril 13.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 15: Internet Explorer and Remote Connectivity Tools.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 15: Internet Explorer and Remote Connectivity Tools.
Offsite Backups. The purpose of this Startup Guide is to familiarize you with Own Web Now's Offsite Backup offering and show you how to purchase, deploy.

Offsite Backups. The purpose of this Startup Guide is to familiarize you with Own Web Now's Offsite Backup offering and show you how to purchase, deploy.
Partner of Salesforce Partners. Index 1.Company Overview 2.Why Dreamwares? 3.Salesforce Development Services 4.About 15-hours free development 5.Methodology.

Partner of Salesforce Partners. Index 1.Company Overview 2.Why Dreamwares? 3.Salesforce Development Services 4.About 15-hours free development 5.Methodology.
Individual User Logins

Individual User Logins
Site License Online Application Demo. Agenda Licensing Portal1 License Draw Down – All User4 License Draw Down – Super Users5 Contract Administration.

Site License Online Application Demo. Agenda Licensing Portal1 License Draw Down – All User4 License Draw Down – Super Users5 Contract Administration.
Tutorial Introduction Fidelity NTSConnect is an innovative Web-based software solution designed for use by customers of Fidelity National Title Insurance.

Tutorial Introduction Fidelity NTSConnect is an innovative Web-based software solution designed for use by customers of Fidelity National Title Insurance.
1 © 2006 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Using the Cisco Technical Support & Documentation Website for Security.

1 © 2006 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Using the Cisco Technical Support & Documentation Website for Security.
AppExchange Partner Academy- Building Your Application Listing By Jesse Dailey.

AppExchange Partner Academy- Building Your Application Listing By Jesse Dailey.
Partner Network Portal Anna Jones :: July 2006 Partner Training Webinar Communications Sector.

Partner Network Portal Anna Jones :: July 2006 Partner Training Webinar Communications Sector.
This presentation will guide you though the initial stages of installation, through to producing your first report Click your mouse to advance the presentation.

This presentation will guide you though the initial stages of installation, through to producing your first report Click your mouse to advance the presentation.
SmartLog X 3 TEAM Basic SmartLog X 3 TEAM Basic DescoEMIT.com USER STATUS USER EDIT E-MAIL TEST LOG ADMIN TEST MACHINE SCHEDULE INSTALL System Requirements:

SmartLog X 3 TEAM Basic SmartLog X 3 TEAM Basic DescoEMIT.com USER STATUS USER EDIT TEST LOG ADMIN TEST MACHINE SCHEDULE INSTALL System Requirements:

Similar presentations

Ads by Google