Presentation is loading. Please wait.

Presentation is loading. Please wait.

AppExchange Security Certification

Published byAgnes Horton Modified over 5 years ago

Similar presentations

Presentation on theme: "AppExchange Security Certification"— Presentation transcript:

1 AppExchange Security Certification
Aarti Kumar Program Manager

2 What is Security Certification?
To list your commercial application on the AppExchange, we must certify that your application meets our requirements and best practices around security. This helps: Customers Have trust in third party solutions that work with salesforce.com Partners Be successful in selling solutions that span multiple systems to salesforce.com customers salesforce.com Build a trust-worthy AppExchange ecosystem

3 Security Certification – What, When, Who?
A review of: Qualitative Security: Policies and practices review Quantitative Security: Penetration testing When is security certification required? From March 15th, 2007 security certification is required for all new commercial applications Existing commercial applications that were not previously security certified must do so within this year Who should be involved? Technical resources – architect, developer, IT resource, operations resource, information security resource etc

4 Application Elements A given AppExchange application can have multiple components, each of which has its own certification requirements: Native No code, no external systems AJAX AJAX S-control code only Excludes S-controls that communicate with external systems Software On premise desktop or server software Includes browser plugins delivered as S-controls On Demand Cert Host Ext. service, managed host (Opsource, Rackspace) Approved hosting providers using pre-certified configurations On Demand Other Host External service, unmanaged host Native: Adoption Dashboards AJAX: Mass update No external integration Software: Active Prime On-demand: hosted applications – like salesforce.com Integration with external hosted service Cert Host: certified 2 hosting providers Opsource and Rackspace Worked out an AppExchange configuration package with them Meets our certification requirements Certification applicable only for Last 3 buckets as integrating with external services Important that you identify which category you belong to Runs entirely on Apex Platform; Certification not applicable Depends on services or software outside of Apex; Certification available

5 Test Types & Categories
Qualitative assessment of security based on questions & answers Active security testing of various system components via standard tools Questionnaire System Test Test Categories Network Host Application Operations Network configuration, IDS, firewall, etc Operating system and component configuration, patching, etc Application construction, authentication, etc Operations procedures, data access, etc

6 Security Review Matrix
Software On Demand (Certified Host) On Demand Network Host App Ops Questionnaire System Tests

7 Test Detail: Network Questionnaire System Test
Firewall, IDS and NAT configuration Network access policies & procedures Log monitoring System Test Must pass Nessus with no medium or high warnings Test for open ports, known vulnerabilities, SSL config, etc Conduct dry run test with Nessus or Qualys

8 Test Detail: Host Questionnaire System Test Host configuration
Access & password policies Patching & maintenance policies Physical Security System Test None

9 Test Detail: App Questionnaire System Test
Software development processes Common vulnerabilities (buffer overflow, cross site scripting, SQL injection, etc) App user & password management Salesforce user & password management System Test Application Penetration Testing tools Authentication mechanism (i.e. password length) Injection attacks (XSS, SQL)

10 Test Detail: Operations
Questionnaire HR (employee security policies & security training) Business Continuity Incident Response Procedure documentation & change management System Test None

11 Security Certification/Re-certification Process
1 2 3 Prepare Test Pass Execute agreement and PO for $5K Complete pre-qualification questionnaire Attend Certification consultation (optional) Determine relevant questionnaire and tests for your app Software, On Demand (Cert Host), On Demand Execute dry run tests Attend interview Organize resources / teams for appropriate tests Network vs App, etc Conduct testing with salesforce.com Certification Contact Some tests may be done by a third party (Symantec) Receive Certification badge on listing Receive Client ID for deploying to Professional Edition users

12 Security Certification Process
Pass All Qualitative question areas No Medium or High warnings All Quantitative tests Fail Repeat specific area of assessment (at additional cost) Or repeat entire assessment if remediation has broad impact

13 Sample Report Risk Ease of Exploit Business Impact Recommendation
Shared Encryption Key Stored In Compiled Application The key used to decrypt the Salesforce.com password is compiled into the application. In addition, the same encryption key is used for all customer installations. Sophisticated. An attacker would need to gain access to the target application servlet in order to decompile the servlet and compromise the encryption key. Note that existing clients could access their servlet to compromise the encryption key, but would need to gain access to another client’s application servlet to compromise that client’s Salesforce.com credentials High. It is possible that Salesforce.com authentication credentials could be compromised. The encryption key used to decrypt Salesforce.com authentication credentials should be stored in a Java KeyStore (JKS). A JKS would provide defense-in-depth in case the application servlet is compromised. In addition, different encryption keys should be used for each customer installation. Outdated Apache Version The web server appears to be running versions of Apache that is not up to date Trivial. There is at least one publicly available proof of concept. Please refer to: CVE High. A remote attacker may be able to cause a Denial of Service to the server. Apache version: The tested configuration was not compromised during testing. The server should be upgraded to ensure those future configurations are not vulnerable. Upgrade to latest version of Apache available from the Apache Foundation

14 Next Steps Start thinking of security certification right away
Contact your Partner Success Manager for starting the process For questions/feedback contact:

15 Top 5 things to remember about Security Certification
From March 15th certification is required for all new AppExchange applications Comprises of 2 types of assessments conducted by Symantec: Qualitative: question and answer round to review policies and procedures Quantitative: conduct network and application penetration test Security certification is an annual process Once certified, get access to Professional Edition orgs For more details, visit:

Download ppt "AppExchange Security Certification"

Similar presentations

System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Introduction to Network Defense

Introduction to Network Defense
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
How to Publish Your App Aarti Kumar & Shay Casey AppExchange Partner Enablement Part 1 – Becoming certified Part 2 – Building your listing.

How to Publish Your App Aarti Kumar & Shay Casey AppExchange Partner Enablement Part 1 – Becoming certified Part 2 – Building your listing.
Www.regouniversity.com Clarity Educational Community Get the Results You Need When You Need Them Transitioning to CA PPM On Demand Presented by: Joshua.

Clarity Educational Community Get the Results You Need When You Need Them Transitioning to CA PPM On Demand Presented by: Joshua.
Prepared By, Mahadir Ahmad. StopBadware makes the Web safer through the prevention, mitigation, and remediation of badware websites. partners include.

Prepared By, Mahadir Ahmad. StopBadware makes the Web safer through the prevention, mitigation, and remediation of badware websites. partners include.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.

3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Paul Butterworth Management Technology Architect

Paul Butterworth Management Technology Architect
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.

PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.

Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.

Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.
How to Publish & Certify your App Aarti Kumar & Shay Casey

How to Publish & Certify your App Aarti Kumar & Shay Casey
Managed IT Services JND Consulting Group LLC 1.888.288.3007.

Managed IT Services JND Consulting Group LLC
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
ABOUT COMPANY Janbask is one among the fastest growing IT Services and consulting company. We provide various solutions for strategy, consulting and implement.

ABOUT COMPANY Janbask is one among the fastest growing IT Services and consulting company. We provide various solutions for strategy, consulting and implement.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.

Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.

Similar presentations

Ads by Google