Requirements Checklist


Assumptions:

  • This article assumes that you are an IT/security professional who understands security best practices.
  • For detailed information, please refer to the Detailed Security Guidance document.
  • Please note that it is not required to have all of the below mentioned items in place in order to pass the security review. The review is a slightly subjective process whereby the organization size, application architecture, data handling, etc. are taken into consideration.

Native Applications Built on the Force.com Platform

  • Apex:
    • Sharing: Leverage the “with sharing” keyword when declaring a class to respect the sharing rules that apply to the current user, unless there is a specific business case to override this. Controllers retrieving user-specified objects should always use sharing.
    • Triggers: Ensure triggers are bulkified.
    • Cross-Site Request Forgery in Visualforce pages: Ensure requests resulting in data deletion or changes to critical data elements incorporate a randomized parameter or other authentication token to protect against Cross-Site Request Forgery (http://www.cgisecurity.com/csrf-faq.html). A possible workaround is to insert an intermediate confirmation page before taking the action, to make sure the user intended to call the page.
  • Custom JavaScript & HTML: In order to prevent XSS attacks, your application must escape all queried data, page elements, and request parameters by replacing the characters < ' > & " with their HTML-safe counterparts before use in any rendering operation (e.g. element.innerHTML=…).
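As an added illustration (not code from the original checklist, and not Salesforce's own sample code), the constructed Apex controller, Visualforce page and trigger below show the four items above together: a “with sharing” controller, a bulkified trigger, a confirmation step so that the deletion is never performed by the GET page-load action, and escaping of data before it is handed to custom JavaScript that writes to innerHTML. All names (AccountCleanupController, ContactTrigger, the Description text) are hypothetical; the escape calls are the current Apex String methods escapeHtml4 and escapeEcmaScript.

```apex
// --- AccountCleanupController.cls (constructed example) ---
// "with sharing": every SOQL query and DML statement in this class respects the
// current user's record-level sharing rules instead of running with system access.
public with sharing class AccountCleanupController {

    public Account acct { get; private set; }

    // Step 1: the page-load action (<apex:page action="{!load}">) runs on a plain
    // GET that carries no anti-forgery token, so it only reads; it never deletes.
    public PageReference load() {
        String idParam = ApexPages.currentPage().getParameters().get('id');
        if (idParam == null) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, 'Missing id parameter.'));
            return null;
        }
        // Because of "with sharing", a record the user cannot see comes back as an empty list.
        List<Account> found = [SELECT Id, Name FROM Account WHERE Id = :idParam LIMIT 1];
        if (found.isEmpty()) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, 'Record not found or not accessible.'));
            return null;
        }
        acct = found[0];
        return null;
    }

    // Step 2: the destructive action is bound to a command button inside <apex:form>.
    // Visualforce adds its own anti-CSRF token to form POSTs, and the user has had to
    // read the confirmation page and click, so a crafted link alone cannot trigger it.
    public PageReference confirmDelete() {
        if (acct == null) { return null; }
        delete acct;
        acct = null;
        return new PageReference('/001/o'); // back to the Accounts tab
    }

    // Step 3: data handed to custom JavaScript is escaped twice, inner to outer:
    // HTML-escape first (so the value is safe for innerHTML), then JS-string-escape
    // (so it cannot break out of the quoted literal inside the <script> block).
    public String getNameForScript() {
        if (acct == null || acct.Name == null) { return ''; }
        return acct.Name.escapeHtml4().escapeEcmaScript();
    }
}

/* --- AccountCleanup.page (Visualforce, shown for context) ---
<apex:page controller="AccountCleanupController" action="{!load}">
    <apex:pageMessages />
    <script>
        // {!nameForScript} is already HTML- and JS-escaped by the controller.
        var safeName = '{!nameForScript}';
        document.getElementById('target').innerHTML = safeName;
    </script>
    <span id="target"></span>
    <apex:form >
        <apex:outputText value="Delete this account? This cannot be undone." />
        <apex:commandButton action="{!confirmDelete}" value="Yes, delete" />
    </apex:form>
</apex:page>
*/

// --- ContactTrigger.trigger (constructed example) ---
// Bulkified: one SOQL query for the whole batch and no query or DML inside the
// per-record loop, so a 200-record insert stays within governor limits.
trigger ContactTrigger on Contact (before insert) {
    Set<Id> accountIds = new Set<Id>();
    for (Contact c : Trigger.new) {
        if (c.AccountId != null) { accountIds.add(c.AccountId); }
    }
    // Single query for every parent account referenced in this batch
    Map<Id, Account> parents = new Map<Id, Account>(
        [SELECT Id, Industry FROM Account WHERE Id IN :accountIds]);
    for (Contact c : Trigger.new) {
        Account parent = parents.get(c.AccountId);
        if (parent != null && c.Description == null) {
            c.Description = 'Parent industry: ' + parent.Industry;
        }
    }
}
```

The design point is the split between load() and confirmDelete(): anything reachable by a GET (the page action attribute, a bookmarkable URL) must be read-only, and the state change lives behind a form submission that the user explicitly confirms.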
For detailed information and guidance on the issues above, please refer to Apex & VisualForce Security Tips.

Client (Desktop) and Composite (Hosted) Applications

Policies

  • Implement an Information Security Policy that is periodically reviewed, approved by Senior Management, and communicated to all employees.

Standards & Procedures

  • System Configuration
  • Application Development
  • Application Configuration
  • Database Configuration
  • Network Configuration (Including Firewall/IDS)
  • Patching Process
  • Logging Process/Log Review
  • Physical Security
  • Incident Management Process
  • Authentication & Authorization
  • Encryption Standard

Host/Platform Security

  • Disable unnecessary services on key servers (web application, database, etc.)
  • Implement robust patch management
  • Remove/Rename default accounts and change default passwords
  • Encrypt all passwords
  • Create unique usernames for all users
  • Implement a robust password policy (organizational and application)
    • Minimum 8 characters
    • Combination (3 out of 4) of numbers, letters (lower and upper) and special characters
    • Enable lock outs for bad attempts (3-5)
    • Enable password expiration (90-180 days)
    • Enable password history (don’t allow reuse of last 5 passwords)
  • Implement system logging and enforce periodic review of logs
  • Implement host based firewalls on critical systems
  • Implement secure remote access (VPN – SSHv2, SSL, IPSEC 3DES, or AES)
    • Persistent tunnels configured with appropriate ACLs
  • Implement an enterprise-wide anti-virus solution with daily updates

Application Security

  • Implement a strong SDLC with security being a core component
    • Implement code reviews
    • Implement a testing/QA methodology
    • Implement a methodology for rolling code to production
  • Implement appropriate segregation of duties within the test, development and production environments
  • Unless necessary, do not store salesforce.com credentials (leverage the Session IDs)
    • If necessary, have a clear rationale and communicate this to salesforce.com
  • Implement encryption in transmission and storage (login credentials and critical data)
    • Support SSLv3 and newer versions
    • Do not store encryption keys in source code
    • Implement encryption key management
  • Avoid Dynamic SQL
    • If Using Dynamic SQL, prepare appropriate rationale for salesforce.com
    • Implement appropriate compensating controls
  • Implement appropriate input validation and URL cleansing to prevent SQL Injection and Cross-Site Scripting (XSS) attacks
  • Implement controls to protect the Salesforce Session ID. Specifically:
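The “Avoid Dynamic SQL” and “input validation to prevent SQL Injection” items apply to whatever database the external application uses; on the Force.com side the same principle covers SOQL injection. The following constructed Apex class (added here, not part of the checklist or of any Salesforce sample) contrasts building a query by string concatenation with passing the user's term as a bind variable, and shows how to restrict the dynamic parts when a query genuinely must be assembled at runtime. The class and method names are hypothetical.

```apex
// --- ContactSearch.cls (constructed example) ---
public with sharing class ContactSearch {

    // Unsafe: the user-supplied term is concatenated into the query text, so a
    // value containing a single quote changes the meaning of the query rather
    // than being treated as data. This is the "Dynamic SQL" the checklist warns about.
    public static List<Contact> unsafeSearch(String term) {
        String q = 'SELECT Id, Name FROM Contact WHERE LastName = \'' + term + '\'';
        return Database.query(q);
    }

    // Preferred: a static query with a bind variable. The term is sent as a
    // parameter and is never parsed as part of the SOQL statement.
    public static List<Contact> safeSearch(String term) {
        return [SELECT Id, Name FROM Contact WHERE LastName = :term];
    }

    // When the query must be dynamic (here the sort field is chosen at runtime),
    // keep the user-controlled part in a bind variable and allow only a fixed
    // set of values for the part that is spliced into the query text.
    public static List<Contact> dynamicSearch(String term, String orderField) {
        Set<String> allowedOrderFields = new Set<String>{ 'Name', 'CreatedDate' };
        if (!allowedOrderFields.contains(orderField)) {
            orderField = 'Name'; // fall back to a known-safe default
        }
        // ":term" is resolved as a bind variable by Database.query, not interpolated
        String q = 'SELECT Id, Name FROM Contact WHERE LastName = :term ORDER BY ' + orderField;
        return Database.query(q);
    }
}
```

The compensating control the checklist asks for when dynamic queries are unavoidable is the allow-list in dynamicSearch(): the only text that reaches the query string from outside is a value the code itself has selected, never the raw request parameter.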

Operational Security

  • Actively monitor your network
  • Implement and periodically test Disaster Recovery and Business Continuity Plans
  • Implement an Employee Training and Security Awareness Program
  • Implement Encryption Key and Privileged User Password Rotation
  • Implement a robust change management process which includes documentation and approval of all changes
  • Perform security review of third-party organizations

Network Security (Hosted Applications Only)

  • Stateful Packet Inspection Firewall
  • Segregation of Web/Application and database servers
  • Network IDS/IPS implemented (required if critical Salesforce data is stored in external servers)
  • Log aggregation, alerting and daily review for key network devices, application and database servers
  • Wireless Networking
    • No wireless in colocation facilities
    • WPA2 and wireless IDS implemented at corporate
  • E-mail Spam filter and Anti-virus (required if e-mail is used by your product)

Physical Security (Hosted Applications Only)

  • Restrict data center access to authorized personnel
  • Maintain physical access logs at the data center
  • Implement security cameras, motion detectors and alarms at data centers that are monitored on a 24/7/365 basis
  • Implement controls to protect the infrastructure against external threats and hazards (fire, earthquake, flooding, etc.)
Updated: February 15, 2009