AppExchange Security Certification

Presentation transcript:

AppExchange Security Certification
Aarti Kumar, Program Manager

What is Security Certification?
To list your commercial application on the AppExchange, we must certify that your application meets our requirements and best practices around security. This helps:
- Customers: have trust in third-party solutions that work with salesforce.com
- Partners: be successful in selling solutions that span multiple systems to salesforce.com customers
- salesforce.com: build a trustworthy AppExchange ecosystem

Security Certification – What, When, Who?
A review of:
- Qualitative security: policies and practices review
- Quantitative security: penetration testing
When is security certification required?
- From March 15th, 2007, security certification is required for all new commercial applications
- Existing commercial applications that were not previously security certified must be certified within this year
Who should be involved?
- Technical resources: architect, developer, IT resource, operations resource, information security resource, etc.

Application Elements
A given AppExchange application can have multiple components, each of which has its own certification requirements. It is important that you identify which category you belong to.

Runs entirely on the Apex Platform; certification not applicable:
- Native: no code, no external systems. Example: Adoption Dashboards
- AJAX: S-control code only; excludes S-controls that communicate with external systems. Example: Mass Update (no external integration)

Depends on services or software outside of Apex; certification available (these three buckets integrate with external services):
- Software: on-premise desktop or server software, including browser plugins delivered as S-controls. Example: Active Prime
- On Demand, Certified Host: external service on a managed host (Opsource, Rackspace); approved hosting providers using pre-certified configurations. We have certified two hosting providers, Opsource and Rackspace, and worked out an AppExchange configuration package with them that meets our certification requirements.
- On Demand, Other Host: external service on an unmanaged host. Example: hosted applications, like salesforce.com itself, that integrate with an external hosted service

Test Types & Categories
Test types:
- Questionnaire: qualitative assessment of security based on questions & answers
- System Test: active security testing of various system components via standard tools
Test categories:
- Network: network configuration, IDS, firewall, etc.
- Host: operating system and component configuration, patching, etc.
- Application: application construction, authentication, etc.
- Operations: operations procedures, data access, etc.

Security Review Matrix
Columns (application element): Software; On Demand (Certified Host); On Demand
Rows (test category): Network; Host; App; Ops
Each cell marks which of the two test types apply: Questionnaire, System Tests

Test Detail: Network
Questionnaire:
- Firewall, IDS and NAT configuration
- Network access policies & procedures
- Log monitoring
System Test:
- Must pass Nessus with no medium or high warnings
- Tests for open ports, known vulnerabilities, SSL configuration, etc.
- Conduct a dry-run test with Nessus or Qualys

Test Detail: Host
Questionnaire:
- Host configuration
- Access & password policies
- Patching & maintenance policies
- Physical security
System Test: none

Test Detail: App
Questionnaire:
- Software development processes
- Common vulnerabilities (buffer overflow, cross-site scripting, SQL injection, etc.)
- App user & password management
- Salesforce user & password management
System Test:
- Application penetration testing tools
- Authentication mechanism (e.g. password length)
- Injection attacks (XSS, SQL)

Test Detail: Operations
Questionnaire:
- HR (employee security policies & security training)
- Business continuity
- Incident response
- Procedure documentation & change management
System Test: none

Security Certification / Re-certification Process
1. Prepare
- Execute agreement and PO for $5K
- Complete pre-qualification questionnaire
- Attend certification consultation (optional)
- Determine the relevant questionnaire and tests for your app: Software, On Demand (Cert Host), or On Demand
- Execute dry-run tests
2. Test
- Attend interview
- Organize resources / teams for the appropriate tests (Network vs. App, etc.)
- Conduct testing with the salesforce.com Certification Contact; some tests may be done by a third party (Symantec)
3. Pass
- Receive Certification badge on listing
- Receive Client ID for deploying to Professional Edition users

Security Certification Process: Pass / Fail
Pass:
- All qualitative question areas
- No Medium or High warnings
- All quantitative tests
Fail:
- Repeat the specific area of assessment (at additional cost)
- Or repeat the entire assessment if remediation has broad impact

Sample Report
Columns: Risk | Ease of Exploit | Business Impact | Recommendation

Finding 1: Shared Encryption Key Stored In Compiled Application
- Risk: The key used to decrypt the Salesforce.com password is compiled into the application. In addition, the same encryption key is used for all customer installations.
- Ease of Exploit: Sophisticated. An attacker would need to gain access to the target application servlet in order to decompile the servlet and compromise the encryption key. Note that existing clients could access their servlet to compromise the encryption key, but would need to gain access to another client's application servlet to compromise that client's Salesforce.com credentials.
- Business Impact: High. It is possible that Salesforce.com authentication credentials could be compromised.
- Recommendation: The encryption key used to decrypt Salesforce.com authentication credentials should be stored in a Java KeyStore (JKS). A JKS would provide defense-in-depth in case the application servlet is compromised. In addition, different encryption keys should be used for each customer installation.

Finding 2: Outdated Apache Version
- Risk: The web server appears to be running a version of Apache that is not up to date (Apache version: 2.0.52). The tested configuration was not compromised during testing; the server should be upgraded to ensure that future configurations are not vulnerable.
- Ease of Exploit: Trivial. There is at least one publicly available proof of concept; refer to http://seclists.org/fulldisclosure/2004/Nov/0022.html (CVE-2004-0942).
- Business Impact: High. A remote attacker may be able to cause a Denial of Service to the server.
- Recommendation: Upgrade to the latest version of Apache available from the Apache Foundation.
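The recommendation for the first finding, as an added example that is not part of the original deck or of any partner's application: a per-installation AES key generated at install time and read back from a password-protected keystore on disk, instead of one key compiled into every servlet. One caveat: a keystore of type JKS holds only private keys and certificates, so a symmetric key has to go into a PKCS12 (JDK 8+) or JCEKS store. The store path, alias, store-password source and the sample key value are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class InstallKeys {
    // "JKS" holds only private keys and certificates; a symmetric key
    // needs a PKCS12 (JDK 8+) or JCEKS store.
    private static final String STORE_TYPE = "PKCS12";

    // The pattern the finding describes (hypothetical value, kept only to
    // show the anti-pattern): one key baked into every build, so decompiling
    // any one customer's servlet yields the key for every customer.
    static final byte[] SHARED_KEY = "0123456789abcdef".getBytes();

    // Run once per customer installation: generate a fresh AES-256 key and
    // save it under an alias, so no two installations share a key.
    public static void createInstallKey(String storePath, char[] storePass, String alias)
            throws GeneralSecurityException, IOException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(null, null); // start from an empty store
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(storePass));
        try (FileOutputStream out = new FileOutputStream(storePath)) {
            ks.store(out, storePass);
        }
    }

    // Called at runtime: the key comes from the store on disk, never from a
    // constant in the compiled servlet; the store password is supplied by
    // deployment configuration (assumed), not by the code.
    public static SecretKey loadInstallKey(String storePath, char[] storePass, String alias)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (FileInputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass);
        }
        KeyStore.Entry e = ks.getEntry(alias, new KeyStore.PasswordProtection(storePass));
        if (!(e instanceof KeyStore.SecretKeyEntry)) {
            throw new GeneralSecurityException("no secret key under alias " + alias);
        }
        return ((KeyStore.SecretKeyEntry) e).getSecretKey();
    }
}
```

Compromising one deployed servlet now exposes at most that customer's key, and only if the attacker also obtains the store password held outside the application code.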

Next Steps
- Start thinking about security certification right away
- Contact your Partner Success Manager to start the process
- For questions/feedback contact: AppxCertification@salesforce.com

Top 5 Things to Remember about Security Certification
1. From March 15th, certification is required for all new AppExchange applications
2. It comprises two types of assessments conducted by Symantec:
   - Qualitative: question-and-answer round to review policies and procedures
   - Quantitative: network and application penetration test
3. Security certification is an annual process
4. Once certified, you get access to Professional Edition orgs
5. For more details, visit: https://wiki.apexdevnet.com/index.php/AppExchange_Certification