Requirements Checklist


Assumptions:

  • This article assumes that you are an IT/ Security Professional who understands security best practices.
  • For detailed information, please refer to the Detailed Security Guidance document.
  • Please note that it is not required to have all of the below mentioned items in place in order to pass the security review. The review is a slightly subjective process whereby the organization size, application architecture, data handling, etc. are taken into consideration.

Force.com Code

Apex:

  • Sharing: Declare classes with the “with sharing” keyword so that queries respect the sharing rules that apply to the current user, unless there is a specific, documented business case to override this. Controllers that retrieve records specified by the user (for example via a request parameter) should always use sharing. Note that “with sharing” enforces record-level access only; it does not enforce CRUD or FLS.
  • CRUD and FLS: Enforce and respect the FLS (Field Level Security) and CRUD (Create, Read, Update, Delete) settings configured by your customer's org administrator by checking the relevant Describe results (isAccessible, isCreateable, isUpdateable, isDeletable) before each query or DML operation. More information on Describe Calls can be found on page 135 of the Apex language reference and in the developerforce CRUD/FLS guide.
  • Cross-Site Request Forgery in Visualforce pages: Ensure that requests resulting in data deletion or changes to critical data elements incorporate a randomized parameter or other authentication token to protect against Cross-Site Request Forgery (http://www.cgisecurity.com/csrf-faq.html). In particular, do not perform such actions from a page's action attribute, which executes on a plain GET of the page URL. A possible workaround is to insert an intermediate Visualforce confirmation page (a form the user submits) before taking the action, to make sure the user intended to call it. Note that a JavaScript-based confirmation dialog is not effective: the attacker's page that forges the request never runs it.
  • Triggers: Ensure triggers are bulkified (process Trigger.new/Trigger.old as collections, with no SOQL or DML inside loops), so that bulk loads do not hit governor limits.
  • Tests: Use System.assert methods as much as possible to prove that code behaves properly. This is key to ensure that the Apex code executes to the expected value or behavior. More information on Best Practices can be found here: http://wiki.developerforce.com/index.php/An_Introduction_to_Apex_Code_Test_Methods
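
The following controller is an added example, not code from the original checklist or from salesforce.com. It puts the three items above together: the class runs with sharing, it checks CRUD and FLS with Describe calls before querying and before the delete, and the delete is bound to a form button rather than to the page's action attribute. It assumes a custom object Invoice__c with a field Amount__c and a Visualforce page declared as <apex:page standardController="Invoice__c" extensions="InvoiceDeleteController"> whose form contains <apex:commandButton action="{!confirmDelete}" value="Delete"/>; all of these names are illustrative.

```apex
// Added example; not part of the original checklist. Object, field and page
// names (Invoice__c, Amount__c, DeleteInvoice) are illustrative.
public with sharing class InvoiceDeleteController {

    // Loaded under the running user's sharing rules, so a user who cannot see
    // the record gets a query exception rather than someone else's invoice.
    public Invoice__c invoice { get; private set; }

    public InvoiceDeleteController(ApexPages.StandardController std) {
        Id invoiceId = std.getId();

        // CRUD: object-level read. FLS: field-level read for every field queried.
        // Neither is enforced by 'with sharing'; these Describe checks are what
        // keep the package from reading a field the admin hid from this profile.
        if (!Schema.sObjectType.Invoice__c.isAccessible()
            || !Schema.sObjectType.Invoice__c.fields.Amount__c.isAccessible()) {
            throw new System.NoAccessException();
        }
        invoice = [SELECT Id, Name, Amount__c FROM Invoice__c
                   WHERE Id = :invoiceId LIMIT 1];
    }

    // Bound to a commandButton inside <apex:form>, so it runs only on a POST
    // postback that carries the page's view state and its anti-CSRF token.
    // It is deliberately NOT bound to the page's action attribute: that would
    // fire on a bare GET, and any third-party page could then delete a record
    // for a logged-in victim with <img src="/apex/DeleteInvoice?id=<record id>">.
    public PageReference confirmDelete() {
        // CRUD: object-level delete permission for the running user.
        if (!Schema.sObjectType.Invoice__c.isDeletable()) {
            throw new System.NoAccessException();
        }
        delete invoice;
        // Return to the object's list view (key prefix gives the /a0X URL).
        return new PageReference('/' + Schema.sObjectType.Invoice__c.getKeyPrefix());
    }
}
```

The confirmation page itself does nothing but render the loaded record and the button; the security comes from the fact that the destructive call is reachable only through the form postback. Later API versions add WITH SECURITY_ENFORCED on SOQL and Security.stripInaccessible() for DML, but the Describe checks above work on any API version.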

Custom JavaScript & HTML:

  • In order to prevent XSS attacks, your application must escape all queried data, page elements, and request parameters by replacing the characters < ' > & " with their HTML entity equivalents (&lt; &#39; &gt; &amp; &quot;) before they are used in any rendering operation (e.g. element.innerHTML=…). Escape at the point of output, for the context the data lands in (HTML body, attribute, or JavaScript string): HTML escaping alone does not make data safe inside a <script> block or an inline event handler.
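
The controller and test below are an added example, not code from the original checklist. They show the escaping rule applied on the Apex side of a Visualforce page, for two different output contexts, and use System.assert methods as the Tests item above recommends. The page name SafeOutput, the request parameter name, and the property names are assumptions.

```apex
// Added example; not part of the original checklist. The page name SafeOutput
// and the parameter name 'name' are illustrative.
public with sharing class SafeOutputController {
    private final String rawName;

    public SafeOutputController() {
        // Untrusted input: a request parameter. Treat it as attacker-controlled.
        rawName = ApexPages.currentPage().getParameters().get('name');
    }

    // For HTML markup, e.g. <span>{!htmlName}</span>. (apex:outputText with the
    // default escape="true" does the same thing; this is for escape="false" or
    // for values assembled in Apex.)
    public String getHtmlName() {
        return escapeHtml(rawName);
    }

    // For a JavaScript string literal, e.g. var n = '{!jsName}'. HTML escaping
    // is the wrong transform here; the JS string escaper neutralises quotes,
    // backslashes and the '/' in a closing </script> tag.
    public String getJsName() {
        return rawName == null ? '' : rawName.escapeEcmaScript();
    }

    // Hand-rolled escaper for exactly the five characters the checklist names.
    // String.escapeHtml4() covers four of them but leaves the apostrophe alone,
    // so it is unsafe for single-quoted attributes. '&' must be replaced first;
    // otherwise the entities produced by the later replacements would be
    // escaped a second time.
    public static String escapeHtml(String s) {
        if (s == null) return '';
        return s.replace('&', '&amp;')
                .replace('<', '&lt;')
                .replace('>', '&gt;')
                .replace('"', '&quot;')
                .replace('\'', '&#39;');
    }
}

@isTest
private class SafeOutputControllerTest {
    @isTest static void escapesForEachContext() {
        String payload = '<script>alert("x")</script>';
        Test.setCurrentPage(new PageReference('/apex/SafeOutput'));
        ApexPages.currentPage().getParameters().put('name', payload);
        SafeOutputController ctl = new SafeOutputController();

        // HTML context: the tag characters cannot start markup.
        System.assertEquals('&lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt;',
                            ctl.getHtmlName());
        // An existing entity is escaped once, not twice.
        System.assertEquals('&amp;lt;', SafeOutputController.escapeHtml('&lt;'));
        // JS string context: the closing tag must not survive intact.
        System.assert(!ctl.getJsName().contains('</script>'));
        System.assertEquals('', SafeOutputController.escapeHtml(null));
    }
}
```

Where the value is rendered by Visualforce itself, prefer the built-in functions for the same two contexts, HTMLENCODE() and JSENCODE(), over passing pre-escaped strings around; either way the choice of escaper is made by the output context, not by where the data came from.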

Storing Sensitive Information (e.g. credentials or API keys to other applications):

  • Ensure that sensitive information is not available to all users in a customer org. This can be achieved by using Custom Settings in "Protected" mode (readable only by Apex in your package's namespace, and not visible to the subscriber org's users in Setup) and creating a Visualforce page, restricted to authorized profiles, through which administrators update the information. The previously stored value should never be displayed back to the user on this page. For more information, search for "Custom Settings" under Help & Training within any Salesforce org.
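
The controller below is an added example, not code from the original checklist. It shows the write-only pattern described above: the page can set a new key, and can learn whether one exists, but there is no getter that would put the stored value back into the HTML. It assumes a protected hierarchy custom setting named Integration_Settings__c with a text field Api_Key__c (both names illustrative) and that the Visualforce page using the controller is enabled only for administrator profiles.

```apex
// Added example; not part of the original checklist. The custom setting
// Integration_Settings__c and its field Api_Key__c are illustrative names for a
// protected hierarchy custom setting shipped in the managed package.
public with sharing class IntegrationSettingsController {

    // Bound to an <apex:inputSecret>. There is no getter anywhere in this class
    // that returns the stored key, so it cannot be echoed back into the page.
    public String newApiKey { get; set; }

    // Tell the administrator whether a key is configured, but not what it is.
    public Boolean keyConfigured { get; private set; }

    public IntegrationSettingsController() {
        Integration_Settings__c s = Integration_Settings__c.getOrgDefaults();
        keyConfigured = String.isNotBlank(s.Api_Key__c);
    }

    public PageReference save() {
        if (String.isBlank(newApiKey)) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Enter a key to store.'));
            return null;
        }
        Integration_Settings__c s = Integration_Settings__c.getOrgDefaults();
        // getOrgDefaults() returns an unsaved instance (Id == null) the first
        // time; pin it to the org-level row before upserting.
        if (s.Id == null) {
            s.SetupOwnerId = UserInfo.getOrganizationId();
        }
        s.Api_Key__c = newApiKey;
        upsert s;
        // Drop the plaintext from the controller so it is not carried in view
        // state on the next postback.
        newApiKey = null;
        keyConfigured = true;
        return null;
    }

    // Used by the package's integration code (callouts), never by a page.
    public static String currentApiKey() {
        return Integration_Settings__c.getOrgDefaults().Api_Key__c;
    }
}
```

The page should bind newApiKey only to an input that does not re-render its value (inputSecret), show keyConfigured as a yes/no indicator, and be assigned to administrator profiles only; the profile assignment is what makes "authorized users" concrete, since the controller itself does not distinguish users.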


For detailed information and guidance on the issues above, please refer to Apex & VisualForce Security Tips

Client (Desktop) and Composite (Hosted) Applications

Policies

  • Implement an Information Security Policy that is periodically reviewed, approved by Senior Management, and communicated to all employees.

Standards & Procedures

  • System Configuration
  • Application Development
  • Application Configuration
  • Database Configuration
  • Network Configuration (Including Firewall/IDS)
  • Patching Process
  • Logging Process/Log Review
  • Physical Security
  • Incident Management Process
  • Authentication & Authorization
  • Encryption Standard

Host/Platform Security

  • Disable unnecessary services on key servers (web application, database, etc.)
  • Implement robust patch management
  • Remove/Rename default accounts and change default passwords
  • Store passwords only as salted one-way hashes; never in plaintext or with reversible encryption
  • Create unique usernames for all users
  • Implement a robust password policy (organizational and application)
    • Minimum 6-8 characters
    • Combination (2 out of 4) of numbers, letters (lower and upper) and special characters
    • Enable lock outs for bad attempts (3-5)
    • Enable password expiration (90-180 days)
    • Enable password history (don’t allow reuse of last 5 passwords)
  • Implement system logging and enforce periodic review of logs
  • Implement host based firewalls on critical systems
  • Implement secure remote access (VPN over SSHv2, TLS, or IPsec using AES; 3DES is deprecated and should not be used for new deployments)
    • Persistent tunnels configured with appropriate ACLs
  • Implement an enterprise-wide anti-virus solution with daily updates
  • Remote Desktop or Terminal Services Remote Administration should not be exposed to Internet facing connections.

Application Security

  • Implement a strong SDLC with security being a core component
    • Implement code reviews
    • Implement a testing/QA methodology
    • Implement a methodology for rolling code to production
  • Implement appropriate segregation of duties within the test, development and production environments
  • Unless necessary, do not store salesforce.com credentials (leverage the Session IDs)
    • If necessary, have a clear rationale and communicate this to salesforce.com
  • Implement encryption in transmission and storage (login credentials and salesforce.com customer data)
    • Support TLS only; disable SSLv2 and SSLv3, which are insecure
    • Set "secure" flag on session cookies
    • Do not store encryption keys in source code
    • Implement encryption key management
  • Avoid dynamic SQL; use parameterized queries (prepared statements) so that user input is never concatenated into a statement
    • If Using Dynamic SQL, prepare appropriate rationale for salesforce.com
    • Implement appropriate compensating controls
  • Implement appropriate input validation and URL cleansing to prevent SQL Injection and Cross-Site Scripting (XSS) attacks
  • Implement controls to protect the Salesforce Session ID. Specifically:
  • Ensure that Flash security recommendations are followed as described in the following document:

Operational Security

  • Actively monitor your network
  • Implement and periodically test Disaster Recovery and Business Continuity Plans
  • Implement an Employee Training and Security Awareness Program
  • Implement Encryption Key and Privileged User Password Rotation
  • Implement a robust change management process which includes documentation and approval of all changes
  • Perform security review of third-party organizations

Network Security (Hosted Applications Only)

  • Stateful Packet Inspection Firewall
  • Segregation of Web/Application and database servers
  • Network IDS/IPS implemented (required if critical Salesforce data is stored in external servers)
  • Log aggregation, alerting and daily review for key network devices, application and database servers
  • Wireless Networking
    • No wireless in colocation facilities
    • WPA2 and wireless IDS implemented at corporate
  • E-mail Spam filter and Anti-virus (required if e-mail is used by your product)

Physical Security (Hosted Applications Only)

  • Restrict data center access to authorized personnel
  • Maintain physical access logs at the data center
  • Implement security cameras, motion detectors and alarms at data centers that are monitored on a 24/7/365 basis
  • Implement controls to protect the infrastructure against external threats and hazards (fire, earthquake, flooding, etc.)



Updated: February 15, 2009