1. How to Publish Your App Aarti Kumar & Shay Casey AppExchange Partner Enablement Part 1 – Becoming certified Part 2 – Building your listing

2. 4 Steps to AppExchange Success Plan BuildPublishGo-To-Market http://www.appexchange.com/abc

3. Becoming certified What is AppExchange Certification? Application Types Security Review Process Testing Details

4. 4 What is AppExchange Certification? To list your commercial application on the AppExchange, we must certify that your application meets our requirements and best practices around security. This helps: CustomersHave trust in third party solutions that work with salesforce.com PartnersBe successful in selling solutions that span multiple systems to salesforce.com customers salesforce.comBuild a trust-worthy AppExchange ecosystem

5. AppExchange Certification – What, When, Who?  A review of:  Qualitative Security: Policies and practices review  Quantitative Security: Penetration testing  When is certification required?  From March 15 th, 2007 security certification is required for all new commercial applications  Existing commercial applications that were not previously security certified must do so within this year  Who should be involved?  Technical resources – architect, developer, IT resource, operations resource, information security resource etc

6. Becoming certified What is AppExchange Certification? Application Types Security Review Process Testing Details

7. Application Elements Native No code, no external systems AJAX AJAX S-control code only Excludes S-controls that communicate with external systems Software On premise desktop or server software Includes browser plugins delivered as S-controls On Demand Other Host External service, unmanaged host On Demand Cert Host Ext. service, managed host (Opsource, Rackspace) Approved hosting providers using pre- certified configurations A given AppExchange application can have multiple components, each of which has its own certification requirements: Runs entirely on Apex Platform; Certification not applicable Depends on services or software outside of Apex; Certification available

8. Security Review Matrix SoftwareOn Demand (Certified Host) On Demand Network Host App Ops Questionnaire System Tests

9. Becoming certified What is AppExchange Certification? Application Types Security Review Process Testing Details

10. Certification/Re-certification Process PrepareTestPass  Execute agreement and PO for $5K  Complete pre-qualification questionnaire  Attend Certification consultation (optional)  Determine relevant questionnaire and tests for your app  Software, On Demand (Cert Host), On Demand  Execute dry run tests  Attend interview  Organize resources / teams for appropriate tests  Network vs App, etc  Conduct testing with salesforce.com Certification Contact  Some tests may be done by a third party  Receive Certification badge on listing  Receive Client ID for deploying to Professional Edition users 1 2 3

11. Certification Process  Pass  All Qualitative question areas No Medium or High warnings  All Quantitative tests No Medium or High warnings  Fail  Repeat specific area of assessment (at additional cost)  Or repeat entire assessment if remediation has broad impact

12. Sample Report RiskEase of ExploitBusiness ImpactRecommendation Shared Encryption Key Stored In Compiled Application The key used to decrypt the Salesforce.com password is compiled into the application. In addition, the same encryption key is used for all customer installations. Sophisticated. An attacker would need to gain access to the target application servlet in order to decompile the servlet and compromise the encryption key. Note that existing clients could access their servlet to compromise the encryption key, but would need to gain access to another client’s application servlet to compromise that client’s Salesforce.com credentials High. It is possible that Salesforce.com authentication credentials could be compromised. The encryption key used to decrypt Salesforce.com authentication credentials should be stored in a Java KeyStore (JKS). A JKS would provide defense-in-depth in case the application servlet is compromised. In addition, different encryption keys should be used for each customer installation. Outdated Apache Version The web server appears to be running versions of Apache that is not up to date Trivial. There is at least one publicly available proof of concept. Please refer to: http://seclists.org/fulldisclosure/ 2004/Nov/0022.html CVE-2004-0942 High. A remote attacker may be able to cause a Denial of Service to the server. Apache version: 2.0.52 The tested configuration was not compromised during testing. The server should be upgraded to ensure those future configurations are not vulnerable. Upgrade to latest version of Apache available from the Apache Foundation

13. Becoming certified What is AppExchange Certification? Application Types Security Review Process Testing Details

14. Test Detail: Network  Questionnaire  Firewall, IDS and NAT configuration  Network access policies & procedures  Log monitoring  System Test  Must pass Nessus with no medium or high warnings  Test for open ports, known vulnerabilities, SSL config, etc  Conduct dry run test with Nessus or Qualys

15. Test Detail: Host  Questionnaire  Host configuration  Access & password policies  Patching & maintenance policies  Physical Security  System Test  None

16. Test Detail: App  Questionnaire  Software development processes  Common vulnerabilities (buffer overflow, cross site scripting, SQL injection, etc)  App user & password management  Salesforce user & password management  System Test  Application Penetration Testing tools  Authentication mechanism (i.e. password length)  Injection attacks (XSS, SQL)

17. Test Detail: Operations  Questionnaire  HR (employee security policies & security training)  Business Continuity  Incident Response  Procedure documentation & change management  System Test  None

18. Building your listing Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing Frequently Asked Questions

19. Get to know the AppExchange Listing Title Abstract TD/ GIN Thumbnail Additional Resources Logo

20. Building your listing: Agenda Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing Frequently Asked Questions

21. Select the Setup for your Application Demonstrate your application using: Distribute your application through: or

22. Select the Setup for your Application Demonstrate your application using: Distribute your application through: or

23. Demonstrate your Application through:  Fully functional read only version of the application  Allow customers to “kick the tires”  Present data in a dynamic working environment  Appropriate for all Native applications and some Composite applications

24.  For applications that are too complicated to demonstrate through a Test Drive  Demonstrates the functionality of the application  Walkthrough of the application- “A day in the life”  Appropriate for some Composite applications and all Client applications Demonstrate your Application through:

25. Demo- Suggested Format 1.Overview- Quick introduction to the demo and a discussion of the value proposition. 2.Step by Step –  Show everyday use of the application  Outline the functionality a user will see- show it in action!  How does your application interact with Salesforce.com- do you create data in a custom object? Do you import leads? What are the steps that make this happen? 3.Additional info and conclusion

26. Additional Considerations in Building a  Market your demo toward Salesforce.com users  Stay away from marketing your company  Screenshots are a must!  Remember: you only have 60 seconds to grab a customer’s attention.

27. Select the Setup for your Application Demonstrate your application using: Distribute your application through: or

28. Distribute your Application Through:  Deploy your custom salesforce.com application at the click of a button  Automatically install various elements ranging from Custom Tabs to Pre-Made dashboards  Appropriate for all Native and Composite applications

29. Distribute your Application Through:  For applications where an immediate installation is not available:  Hardware Appliances  Integration services  Applications that require contact with direct sales or consulting services  The Learn More landing page provides:  Additional information about the application  Sales contact information  Marketing directed towards a salesforce.com customer  The “Get It Now” should be packaged and left private

30. Distribute your Application Through:  For applications that install directly to the users desktop or external services that do not use the salesforce.com interface  Links to a landing page with more information about the download (not just a direct link to the file)

31. How do I enable these buttons?  By default only Get It Now and Test Drive are available for your listing  Other buttons – Demo, Learn More, Download- need to be enabled by salesforce.com  Email AppxCertification@salesforce.com for an evaluation of your application@salesforce.com

32. Building your listing: Agenda Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing –Tips and Tricks! Frequently Asked Questions

33. Use the Listing Form as a Guide  Use the form when writing your copy for the listing. Log into www.appexchange.com and click on edit for your listingwww.appexchange.com  You can now see the text limitations for each item

34. Title and Logo  Title- the name of your product - should not include “for AppExchange”  Logo- Your 60x60 record cover

35. Thumbnail and Screenshot  Two separate files  Thumbnail is 160x115

36. Datasheet and Customization Guide  Datasheet- Two page summary of key information  Customization Guide- For applications that require additional setup or customization to function  Step by Step walkthrough for System Admins  Adding page layouts for standard salesforce.com objects and tabs  Any steps that are needed to activate the application

37. Presentation  Excellent supplement to a Test Drive  Give the business value of your application  Use any format

38. Building your listing: Agenda Get to know the AppExchange Listing Select the Setup for your Application listing Build Your Application Listing Frequently Asked Questions

39. FAQ: I don’t have a listing!  Log into the publisher area of https://www.salesforce.com/appexchange/publishing.jsp  Native/ Composite application- After you package and register your first version you will see your listing in the manage my apps area.  Client Application- you will need to request a listing from support  Log in to the publisher area of www.appexchange.comwww.appexchange.com  Click Manage My Publisher Profile and create a profile  Click “Request Assistance” and log a case for a new listing

40. FAQ: My publisher tab is blank!  Your publisher profile needs to match the username associated with the profile you created.  It will always be in the format of an email address e.g. jdailey@salesforce.comjdailey@salesforce.com  Tip: When in doubt – after clicking Assign Publisher Profile just click My Publisher Profile

41. FAQ: My Publisher Tab is Blank!

42. Questions?  Send email to AppExchangePartners@salesforce.com  Click on request assistance under Manage My Apps Thanks!