SlideShare a Scribd company logo

10 Tips to Pass Salesforce Security Review (and Steps to Take If You Don’t!)

CodeScience
CodeScience

The Security Review process is the final step every ISV must complete before they can bring their app to market on the AppExchange. Yet it’s not uncommon for ISVs to fail on their first attempt. For many, it can take 2 to 3 more tries to pass, delaying your time to market. But Security Review doesn’t have to be a mystery! In this webinar, Salesforce Security Review Operation Analyst, Lubdha Dahale, joins CodeScience ISV Specialist, Jeremy Engler, and CodeScience Global Alliances Manager, Erin Murray, to de-mystify the Sec Rev process and provide actionable advice to help you succeed.

1 of 29
Downloaded 12 times
10 Tips to Pass Salesforce Security Review (and Steps to Take If You Don’t!)
Today’s Speakers: Erin Murray Global Alliances Manager CodeScience Lubdha Dahale Security Review Operation Analyst Salesforce Jeremy Engler ISV Specialist CodeScience
Company Introduction
Who is CodeScience? ● Founding partner of the Salesforce Product Development Organization (PDO) Program ● We partner with clients to build solutions on the Salesforce AppExchange ● Named first Master PDO in 2017 ● From design to build to implementation, we support through the full lifecycle
Client success: 10% of the AppExchange
CodeScience Client Focus:
How to Prep like a Pro Security Review doesn’t happen in a day
Planning 1. Reframe how you approach it a. Think of it as a security hardening sprint 2. ISV Partner Agreement a. Get your ISV Agreement fully executed ASAP 3. Concurrent work a. Start prepping your deliverables early b. Don’t wait for the day you want to submit c. Listing content 4. Organize your resources a. Security Review folder
Prep 5. Code Scans & Code Review a. If you need to scan an off-platform system, do it early b. Search for every instance of issues that the code scanners find 6. Compliance & Questionnaire a. Prep this information beforehand 7. Documentation a. Solution Architecture b. Use Cases 8. Demo org a. Use the trialforce template ID from Salesforce b. The review team uses the Admin credentials
Submittal 9. Contact Info a. Always use a distribution list 10. Credit Card (Only) a. Must be able to charge $2700 now and $150/year ongoing 11. Pre-Book Security Review Office Hours a. Security review can take between 4-6 weeks b. Ideally schedule a session 10 weeks after your app is placed in queue
The SF Security Review Team Meet the team who reviews your apps
Ops Submission Validation SR Wizard Guidance Trial Template Reviews Periodic Re-Review Strategy Fees Delistings Prod Sec Penetration Testing Partner Security Portal Technical Office Hours Salesforce Security Review Teams
The Security Review Process
10 Tips to Pass Salesforce Security Review (and Steps to Take If You Don’t!)
Operations Check ● The Security Review Operations team reviews each submission for completeness before placing the SR queue ● Checks for things like: ○ Unrelated packages in the demo org ○ Incorrect version in the demo org ○ Not marked as “Lightning Ready” ○ Missing Use Case doc ○ Problem with scans or false positive docs ● Log a case after resolving any issues ● Should receive an email once in the SR queue
● Always provide the Listing ID, Package ID and Version ID related to your case ● Correct credentials to Web environments, Native environment (https://login.salesforce.com/) ● Clean scan reports (ZAP, Burp, Chimera or Checkmarx) or attach supporting False-Positive document ● Hit “Start Review” button beside version ID on Publishing Console Tips to avoid delays in Security Review
Why apps fail Security Review ● Issues with the package: ○ CRUD/FLS Enforcement ■ Not checking user’s perms to do what the code does ■ #1 failure reason ○ Insecure Storage of Sensitive Data ○ Sensitive Information in Debug ● Issues with the client API/web UI: ○ Password enumeration: shows if username is correct ○ TLS/SSL Configuration ○ XSS Vulnerabilities ● Office Hours ○ Book early ○ Link
Top Vulnerabilities in Security Review
Example Security Findings Report Note the bolded point at the top of the report: The report starts with a table of contents summarizing the types of vulnerabilities found.
Fail Faster Turn lemons into success
Have a Plan ● Triage ○ Track each issue like you do bugs ○ Is the issue a False Positive? ○ Identify where the issue/fix resides ○ Assign an Owner and LOE ● Up to your project and deadlines as to whether “hero effort” is required ● Agree on communication cadence to management
Address the Issues ● Legitimate issues need to be fixed, either in the package or off-platform ● Not a comprehensive list ○ Need to check for other instances of issues in the code ● Off-platform fixes are the biggest risk/effort ○ Must schedule that work alongside your existing product roadmap ● Issues in the package will require a new upload ○ Post-SR development in the master branch can hamper SR fixes ○ Keep new dev in a new, non-master branch until SR is passed ●
Resubmit ● Update ○ Code Scans ○ False positive documentation ○ Demo org ● In the Partner Community: ○ Link the new package version to the listing ○ Submit the new package version with all required docs & information ○ Log a case under “Security Review” with the Package ID ● Alert your PAM
Resources
For More Information ● OWASP Top 10 Security Issues list ● Build Secure Apps Trailhead ● Partner Security Portal ● Prevent Common Violations of Secure Coding Guidelines ● Security Review Office Hours
You don’t have to go it alone!
CodeScience Pre-Security Review Service ● ISVs who approach Security Review with a solid plan and partner with some expert assistance typically pass Sec Rev sooner and get to market faster ● Salesforce recently asked CodeScience to help ISVs plan for Security Review and the CodeScience Pre-Security Review Service is the result! ● Reach out to us at info@codescience.com to start your Pre-Security Review, or visit https://learn.codescience.com/pre-security-review.html for more information
Please Submit Your Questions via Q&A What would you like to see more of in our next Security Review webinar? Let us know in the chat! Open Q&A
Contact Us: Thank you CodeScience info@codescience.com
Ad

Recommended

Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Insider's Guide to the AppExchange Security Review (Dreamforce 2015)
Salesforce Partners
 
Salesforce Security Review Tips and Tricks
Salesforce Security Review Tips and TricksSalesforce Security Review Tips and Tricks
Salesforce Security Review Tips and Tricks
Ryan Flood
 
TRANSITIONING from ACCOUNT GENERATOR SLA
TRANSITIONING from ACCOUNT GENERATOR SLA TRANSITIONING from ACCOUNT GENERATOR SLA
TRANSITIONING from ACCOUNT GENERATOR SLA
Navin Chaitanya
 
information security management
information security managementinformation security management
information security management
Gurpreetkaur838
 
Spring introduction
Spring introductionSpring introduction
Spring introduction
Manav Prasad
 
Secure Your Salesforce Org with Two-Factor Authentication
Secure Your Salesforce Org with Two-Factor AuthenticationSecure Your Salesforce Org with Two-Factor Authentication
Secure Your Salesforce Org with Two-Factor Authentication
Salesforce Admins
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Nick Galbreath
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
SnapComms
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
Frances Coronel
 
Secure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSecure Salesforce: External App Integrations
Secure Salesforce: External App Integrations
Salesforce Developers
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
Tjylen Veselyj
 
54188703 i proc-catalog
54188703 i proc-catalog54188703 i proc-catalog
54188703 i proc-catalog
obulreddy biyyam
 
All About Cybersecurity Frameworks.pptx
All About Cybersecurity Frameworks.pptxAll About Cybersecurity Frameworks.pptx
All About Cybersecurity Frameworks.pptx
Metaorange
 
Oracle Application Framework Cases
Oracle Application Framework Cases Oracle Application Framework Cases
Oracle Application Framework Cases
Feras Ahmad
 
How to Build an AppExchange Strategy
How to Build an AppExchange StrategyHow to Build an AppExchange Strategy
How to Build an AppExchange Strategy
Salesforce Admins
 
Introduction to SharePoint Framework (SPFx)
Introduction to SharePoint Framework (SPFx)Introduction to SharePoint Framework (SPFx)
Introduction to SharePoint Framework (SPFx)
Fabio Franzini
 
From Lead to Cash Vision
From Lead to Cash Vision From Lead to Cash Vision
From Lead to Cash Vision
Dennis Stoutjesdijk
 
Oracle Fusion Applications Security - Designing Roles
Oracle Fusion Applications Security - Designing RolesOracle Fusion Applications Security - Designing Roles
Oracle Fusion Applications Security - Designing Roles
kmundy
 
Introduction to Salesforce Connected Apps
Introduction to Salesforce Connected AppsIntroduction to Salesforce Connected Apps
Introduction to Salesforce Connected Apps
Cloud Analogy
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
From Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release ManagementFrom Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release Management
Salesforce Developers
 
Integrating with salesforce using platform events
Integrating with salesforce using platform eventsIntegrating with salesforce using platform events
Integrating with salesforce using platform events
Amit Chaudhary
 
Security testing
Security testingSecurity testing
Security testing
Tabăra de Testare
 
Introduction to lightning web component
Introduction to lightning web component Introduction to lightning web component
Introduction to lightning web component
Sudipta Deb ☁
 
What Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorWhat Every Organization Should Log And Monitor
What Every Organization Should Log And Monitor
Anton Chuvakin
 
Advanced Uses of Salesforce's Login Flows
Advanced Uses of Salesforce's Login FlowsAdvanced Uses of Salesforce's Login Flows
Advanced Uses of Salesforce's Login Flows
Salesforce Developers
 
SFDX Presentation
SFDX PresentationSFDX Presentation
SFDX Presentation
Bohdan Dovhań
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
Org-dependent Unlocked Packages for ISVs
Org-dependent Unlocked Packages for ISVsOrg-dependent Unlocked Packages for ISVs
Org-dependent Unlocked Packages for ISVs
CodeScience
 
Ad

More Related Content

What's hot (20)

Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
Frances Coronel
 
Secure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSecure Salesforce: External App Integrations
Secure Salesforce: External App Integrations
Salesforce Developers
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
Tjylen Veselyj
 
54188703 i proc-catalog
54188703 i proc-catalog54188703 i proc-catalog
54188703 i proc-catalog
obulreddy biyyam
 
All About Cybersecurity Frameworks.pptx
All About Cybersecurity Frameworks.pptxAll About Cybersecurity Frameworks.pptx
All About Cybersecurity Frameworks.pptx
Metaorange
 
Oracle Application Framework Cases
Oracle Application Framework Cases Oracle Application Framework Cases
Oracle Application Framework Cases
Feras Ahmad
 
How to Build an AppExchange Strategy
How to Build an AppExchange StrategyHow to Build an AppExchange Strategy
How to Build an AppExchange Strategy
Salesforce Admins
 
Introduction to SharePoint Framework (SPFx)
Introduction to SharePoint Framework (SPFx)Introduction to SharePoint Framework (SPFx)
Introduction to SharePoint Framework (SPFx)
Fabio Franzini
 
From Lead to Cash Vision
From Lead to Cash Vision From Lead to Cash Vision
From Lead to Cash Vision
Dennis Stoutjesdijk
 
Oracle Fusion Applications Security - Designing Roles
Oracle Fusion Applications Security - Designing RolesOracle Fusion Applications Security - Designing Roles
Oracle Fusion Applications Security - Designing Roles
kmundy
 
Introduction to Salesforce Connected Apps
Introduction to Salesforce Connected AppsIntroduction to Salesforce Connected Apps
Introduction to Salesforce Connected Apps
Cloud Analogy
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
From Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release ManagementFrom Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release Management
Salesforce Developers
 
Integrating with salesforce using platform events
Integrating with salesforce using platform eventsIntegrating with salesforce using platform events
Integrating with salesforce using platform events
Amit Chaudhary
 
Security testing
Security testingSecurity testing
Security testing
Tabăra de Testare
 
Introduction to lightning web component
Introduction to lightning web component Introduction to lightning web component
Introduction to lightning web component
Sudipta Deb ☁
 
What Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorWhat Every Organization Should Log And Monitor
What Every Organization Should Log And Monitor
Anton Chuvakin
 
Advanced Uses of Salesforce's Login Flows
Advanced Uses of Salesforce's Login FlowsAdvanced Uses of Salesforce's Login Flows
Advanced Uses of Salesforce's Login Flows
Salesforce Developers
 
SFDX Presentation
SFDX PresentationSFDX Presentation
SFDX Presentation
Bohdan Dovhań
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
Frances Coronel
 
Secure Salesforce: External App Integrations
Secure Salesforce: External App IntegrationsSecure Salesforce: External App Integrations
Secure Salesforce: External App Integrations
Salesforce Developers
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
Tjylen Veselyj
 
54188703 i proc-catalog
54188703 i proc-catalog54188703 i proc-catalog
54188703 i proc-catalog
obulreddy biyyam
 
All About Cybersecurity Frameworks.pptx
All About Cybersecurity Frameworks.pptxAll About Cybersecurity Frameworks.pptx
All About Cybersecurity Frameworks.pptx
Metaorange
 
Oracle Application Framework Cases
Oracle Application Framework Cases Oracle Application Framework Cases
Oracle Application Framework Cases
Feras Ahmad
 
How to Build an AppExchange Strategy
How to Build an AppExchange StrategyHow to Build an AppExchange Strategy
How to Build an AppExchange Strategy
Salesforce Admins
 
Introduction to SharePoint Framework (SPFx)
Introduction to SharePoint Framework (SPFx)Introduction to SharePoint Framework (SPFx)
Introduction to SharePoint Framework (SPFx)
Fabio Franzini
 
From Lead to Cash Vision
From Lead to Cash Vision From Lead to Cash Vision
From Lead to Cash Vision
Dennis Stoutjesdijk
 
Oracle Fusion Applications Security - Designing Roles
Oracle Fusion Applications Security - Designing RolesOracle Fusion Applications Security - Designing Roles
Oracle Fusion Applications Security - Designing Roles
kmundy
 
Introduction to Salesforce Connected Apps
Introduction to Salesforce Connected AppsIntroduction to Salesforce Connected Apps
Introduction to Salesforce Connected Apps
Cloud Analogy
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
From Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release ManagementFrom Sandbox To Production: An Introduction to Salesforce Release Management
From Sandbox To Production: An Introduction to Salesforce Release Management
Salesforce Developers
 
Integrating with salesforce using platform events
Integrating with salesforce using platform eventsIntegrating with salesforce using platform events
Integrating with salesforce using platform events
Amit Chaudhary
 
Security testing
Security testingSecurity testing
Security testing
Tabăra de Testare
 
Introduction to lightning web component
Introduction to lightning web component Introduction to lightning web component
Introduction to lightning web component
Sudipta Deb ☁
 
What Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorWhat Every Organization Should Log And Monitor
What Every Organization Should Log And Monitor
Anton Chuvakin
 
Advanced Uses of Salesforce's Login Flows
Advanced Uses of Salesforce's Login FlowsAdvanced Uses of Salesforce's Login Flows
Advanced Uses of Salesforce's Login Flows
Salesforce Developers
 
SFDX Presentation
SFDX PresentationSFDX Presentation
SFDX Presentation
Bohdan Dovhań
 

Similar to 10 Tips to Pass Salesforce Security Review (and Steps to Take If You Don’t!) (20)

Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
Org-dependent Unlocked Packages for ISVs
Org-dependent Unlocked Packages for ISVsOrg-dependent Unlocked Packages for ISVs
Org-dependent Unlocked Packages for ISVs
CodeScience
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
Matt Tesauro
 
Year Zero
Year ZeroYear Zero
Year Zero
leifdreizler
 
An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)
Salesforce Partners
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
Bosnia Agile
 
5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk
Security Innovation
 
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
Cory Scott
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
Jeremy Brown
 
Reduce Third Party Developer Risks
Reduce Third Party Developer RisksReduce Third Party Developer Risks
Reduce Third Party Developer Risks
Kevo Meehan
 
Software Chapter 5 software testing.pptx
Software Chapter 5 software testing.pptxSoftware Chapter 5 software testing.pptx
Software Chapter 5 software testing.pptx
JeelChheta
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
Checkmarx
 
ApExchange Security Review and Compliance
ApExchange Security Review and ComplianceApExchange Security Review and Compliance
ApExchange Security Review and Compliance
CEPTES Software Inc
 
HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software
jamieayre
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Nada G.Youssef
 
How to run an Enterprise PHP Shop
How to run an Enterprise PHP ShopHow to run an Enterprise PHP Shop
How to run an Enterprise PHP Shop
Jim Plush
 
Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
DrBasemMohamedElomda
 
Introduction to Software Engineering
Introduction to Software EngineeringIntroduction to Software Engineering
Introduction to Software Engineering
International Islamic University Islamabad
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
Org-dependent Unlocked Packages for ISVs
Org-dependent Unlocked Packages for ISVsOrg-dependent Unlocked Packages for ISVs
Org-dependent Unlocked Packages for ISVs
CodeScience
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
Matt Tesauro
 
Year Zero
Year ZeroYear Zero
Year Zero
leifdreizler
 
An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)
Salesforce Partners
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
Bosnia Agile
 
5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk
Security Innovation
 
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
Tactical Application Security: Getting Stuff Done - Black Hat Briefings 2015
Cory Scott
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
Jeremy Brown
 
Reduce Third Party Developer Risks
Reduce Third Party Developer RisksReduce Third Party Developer Risks
Reduce Third Party Developer Risks
Kevo Meehan
 
Software Chapter 5 software testing.pptx
Software Chapter 5 software testing.pptxSoftware Chapter 5 software testing.pptx
Software Chapter 5 software testing.pptx
JeelChheta
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
Checkmarx
 
ApExchange Security Review and Compliance
ApExchange Security Review and ComplianceApExchange Security Review and Compliance
ApExchange Security Review and Compliance
CEPTES Software Inc
 
HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software HIS 2017 Paul Sherwood- towards trustable software
HIS 2017 Paul Sherwood- towards trustable software
jamieayre
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance Chapter 10: Information Systems Acquisition, Development, and Maintenance
Chapter 10: Information Systems Acquisition, Development, and Maintenance
Nada G.Youssef
 
How to run an Enterprise PHP Shop
How to run an Enterprise PHP ShopHow to run an Enterprise PHP Shop
How to run an Enterprise PHP Shop
Jim Plush
 
Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
DrBasemMohamedElomda
 
Introduction to Software Engineering
Introduction to Software EngineeringIntroduction to Software Engineering
Introduction to Software Engineering
International Islamic University Islamabad
 
Ad

More from CodeScience (20)

Journey Through the AppExchange: Product-Led Growth with MagicRobot
Journey Through the AppExchange: Product-Led Growth with MagicRobotJourney Through the AppExchange: Product-Led Growth with MagicRobot
Journey Through the AppExchange: Product-Led Growth with MagicRobot
CodeScience
 
Journey Through the AppExchange: From SI to ISV with Virsys12
Journey Through the AppExchange: From SI to ISV with Virsys12Journey Through the AppExchange: From SI to ISV with Virsys12
Journey Through the AppExchange: From SI to ISV with Virsys12
CodeScience
 
Leveraging Dynamic Interactions on Salesforce Lightning Pages
Leveraging Dynamic Interactions on Salesforce Lightning PagesLeveraging Dynamic Interactions on Salesforce Lightning Pages
Leveraging Dynamic Interactions on Salesforce Lightning Pages
CodeScience
 
Strategic Partnerships: The New Key to Innovation
Strategic Partnerships: The New Key to InnovationStrategic Partnerships: The New Key to Innovation
Strategic Partnerships: The New Key to Innovation
CodeScience
 
Journey Through the AppExchange: How inriver is Filling a Gap for Salesforce ...
Journey Through the AppExchange: How inriver is Filling a Gap for Salesforce ...Journey Through the AppExchange: How inriver is Filling a Gap for Salesforce ...
Journey Through the AppExchange: How inriver is Filling a Gap for Salesforce ...
CodeScience
 
Designing Salesforce Platform Events
Designing Salesforce Platform EventsDesigning Salesforce Platform Events
Designing Salesforce Platform Events
CodeScience
 
Ready, Set, Launch: Accelerating Healthcare Innovation One App at a Time
Ready, Set, Launch: Accelerating Healthcare Innovation One App at a TimeReady, Set, Launch: Accelerating Healthcare Innovation One App at a Time
Ready, Set, Launch: Accelerating Healthcare Innovation One App at a Time
CodeScience
 
Journey Through the AppExchange: How Place Technology Created a New Category
Journey Through the AppExchange: How Place Technology Created a New CategoryJourney Through the AppExchange: How Place Technology Created a New Category
Journey Through the AppExchange: How Place Technology Created a New Category
CodeScience
 
Journey to the AppExchange: How to Launch Into a New Ecosystem
Journey to the AppExchange: How to Launch Into a New EcosystemJourney to the AppExchange: How to Launch Into a New Ecosystem
Journey to the AppExchange: How to Launch Into a New Ecosystem
CodeScience
 
Top 5 Ways to Build Pipeline With AppExchange Chat
Top 5 Ways to Build Pipeline With AppExchange ChatTop 5 Ways to Build Pipeline With AppExchange Chat
Top 5 Ways to Build Pipeline With AppExchange Chat
CodeScience
 
Everything You Need to Know About Salesforce LMA & COA
Everything You Need to Know About Salesforce LMA & COAEverything You Need to Know About Salesforce LMA & COA
Everything You Need to Know About Salesforce LMA & COA
CodeScience
 
Streamline Page Layouts with Dynamic Forms
Streamline Page Layouts with Dynamic FormsStreamline Page Layouts with Dynamic Forms
Streamline Page Layouts with Dynamic Forms
CodeScience
 
Getting to Yes: How to build executive alignment to win big on the AppExchange
Getting to Yes: How to build executive alignment to win big on the AppExchangeGetting to Yes: How to build executive alignment to win big on the AppExchange
Getting to Yes: How to build executive alignment to win big on the AppExchange
CodeScience
 
Ready, Set, Deploy: How Place Technology Streamlined Deployment on the AppExc...
Ready, Set, Deploy: How Place Technology Streamlined Deployment on the AppExc...Ready, Set, Deploy: How Place Technology Streamlined Deployment on the AppExc...
Ready, Set, Deploy: How Place Technology Streamlined Deployment on the AppExc...
CodeScience
 
How FinancialForce Leverages Labs to Accelerate Innovation
How FinancialForce Leverages Labs to Accelerate InnovationHow FinancialForce Leverages Labs to Accelerate Innovation
How FinancialForce Leverages Labs to Accelerate Innovation
CodeScience
 
Acting Like a Top 25 Salesforce ISV: How Appinium Applies Buyer's and Seller'...
Acting Like a Top 25 Salesforce ISV: How Appinium Applies Buyer's and Seller'...Acting Like a Top 25 Salesforce ISV: How Appinium Applies Buyer's and Seller'...
Acting Like a Top 25 Salesforce ISV: How Appinium Applies Buyer's and Seller'...
CodeScience
 
ISV Error Handling With Spring '21 Update
ISV Error Handling With Spring '21 UpdateISV Error Handling With Spring '21 Update
ISV Error Handling With Spring '21 Update
CodeScience
 
Acting Like a Top 25 Salesforce ISV: Designing the Seller's Journey for the ...
Acting Like a Top 25 Salesforce ISV: Designing the Seller's Journey for the ...Acting Like a Top 25 Salesforce ISV: Designing the Seller's Journey for the ...
Acting Like a Top 25 Salesforce ISV: Designing the Seller's Journey for the ...
CodeScience
 
[Tech Webinar] Second Generation Packaging for ISVs
[Tech Webinar] Second Generation Packaging for ISVs[Tech Webinar] Second Generation Packaging for ISVs
[Tech Webinar] Second Generation Packaging for ISVs
CodeScience
 
Webinar: Acting Like a Top 25 Salesforce ISV - Designing Trial Experiences th...
Webinar: Acting Like a Top 25 Salesforce ISV - Designing Trial Experiences th...Webinar: Acting Like a Top 25 Salesforce ISV - Designing Trial Experiences th...
Webinar: Acting Like a Top 25 Salesforce ISV - Designing Trial Experiences th...
CodeScience
 
Journey Through the AppExchange: Product-Led Growth with MagicRobot
Journey Through the AppExchange: Product-Led Growth with MagicRobotJourney Through the AppExchange: Product-Led Growth with MagicRobot
Journey Through the AppExchange: Product-Led Growth with MagicRobot
CodeScience
 
Journey Through the AppExchange: From SI to ISV with Virsys12
Journey Through the AppExchange: From SI to ISV with Virsys12Journey Through the AppExchange: From SI to ISV with Virsys12
Journey Through the AppExchange: From SI to ISV with Virsys12
CodeScience
 
Leveraging Dynamic Interactions on Salesforce Lightning Pages
Leveraging Dynamic Interactions on Salesforce Lightning PagesLeveraging Dynamic Interactions on Salesforce Lightning Pages
Leveraging Dynamic Interactions on Salesforce Lightning Pages
CodeScience
 
Strategic Partnerships: The New Key to Innovation
Strategic Partnerships: The New Key to InnovationStrategic Partnerships: The New Key to Innovation
Strategic Partnerships: The New Key to Innovation
CodeScience
 
Journey Through the AppExchange: How inriver is Filling a Gap for Salesforce ...
Journey Through the AppExchange: How inriver is Filling a Gap for Salesforce ...Journey Through the AppExchange: How inriver is Filling a Gap for Salesforce ...
Journey Through the AppExchange: How inriver is Filling a Gap for Salesforce ...
CodeScience
 
Designing Salesforce Platform Events
Designing Salesforce Platform EventsDesigning Salesforce Platform Events
Designing Salesforce Platform Events
CodeScience
 
Ready, Set, Launch: Accelerating Healthcare Innovation One App at a Time
Ready, Set, Launch: Accelerating Healthcare Innovation One App at a TimeReady, Set, Launch: Accelerating Healthcare Innovation One App at a Time
Ready, Set, Launch: Accelerating Healthcare Innovation One App at a Time
CodeScience
 
Journey Through the AppExchange: How Place Technology Created a New Category
Journey Through the AppExchange: How Place Technology Created a New CategoryJourney Through the AppExchange: How Place Technology Created a New Category
Journey Through the AppExchange: How Place Technology Created a New Category
CodeScience
 
Journey to the AppExchange: How to Launch Into a New Ecosystem
Journey to the AppExchange: How to Launch Into a New EcosystemJourney to the AppExchange: How to Launch Into a New Ecosystem
Journey to the AppExchange: How to Launch Into a New Ecosystem
CodeScience
 
Top 5 Ways to Build Pipeline With AppExchange Chat
Top 5 Ways to Build Pipeline With AppExchange ChatTop 5 Ways to Build Pipeline With AppExchange Chat
Top 5 Ways to Build Pipeline With AppExchange Chat
CodeScience
 
Everything You Need to Know About Salesforce LMA & COA
Everything You Need to Know About Salesforce LMA & COAEverything You Need to Know About Salesforce LMA & COA
Everything You Need to Know About Salesforce LMA & COA
CodeScience
 
Streamline Page Layouts with Dynamic Forms
Streamline Page Layouts with Dynamic FormsStreamline Page Layouts with Dynamic Forms
Streamline Page Layouts with Dynamic Forms
CodeScience
 
Getting to Yes: How to build executive alignment to win big on the AppExchange
Getting to Yes: How to build executive alignment to win big on the AppExchangeGetting to Yes: How to build executive alignment to win big on the AppExchange
Getting to Yes: How to build executive alignment to win big on the AppExchange
CodeScience
 
Ready, Set, Deploy: How Place Technology Streamlined Deployment on the AppExc...
Ready, Set, Deploy: How Place Technology Streamlined Deployment on the AppExc...Ready, Set, Deploy: How Place Technology Streamlined Deployment on the AppExc...
Ready, Set, Deploy: How Place Technology Streamlined Deployment on the AppExc...
CodeScience
 
How FinancialForce Leverages Labs to Accelerate Innovation
How FinancialForce Leverages Labs to Accelerate InnovationHow FinancialForce Leverages Labs to Accelerate Innovation
How FinancialForce Leverages Labs to Accelerate Innovation
CodeScience
 
Acting Like a Top 25 Salesforce ISV: How Appinium Applies Buyer's and Seller'...
Acting Like a Top 25 Salesforce ISV: How Appinium Applies Buyer's and Seller'...Acting Like a Top 25 Salesforce ISV: How Appinium Applies Buyer's and Seller'...
Acting Like a Top 25 Salesforce ISV: How Appinium Applies Buyer's and Seller'...
CodeScience
 
ISV Error Handling With Spring '21 Update
ISV Error Handling With Spring '21 UpdateISV Error Handling With Spring '21 Update
ISV Error Handling With Spring '21 Update
CodeScience
 
Acting Like a Top 25 Salesforce ISV: Designing the Seller's Journey for the ...
Acting Like a Top 25 Salesforce ISV: Designing the Seller's Journey for the ...Acting Like a Top 25 Salesforce ISV: Designing the Seller's Journey for the ...
Acting Like a Top 25 Salesforce ISV: Designing the Seller's Journey for the ...
CodeScience
 
[Tech Webinar] Second Generation Packaging for ISVs
[Tech Webinar] Second Generation Packaging for ISVs[Tech Webinar] Second Generation Packaging for ISVs
[Tech Webinar] Second Generation Packaging for ISVs
CodeScience
 
Webinar: Acting Like a Top 25 Salesforce ISV - Designing Trial Experiences th...
Webinar: Acting Like a Top 25 Salesforce ISV - Designing Trial Experiences th...Webinar: Acting Like a Top 25 Salesforce ISV - Designing Trial Experiences th...
Webinar: Acting Like a Top 25 Salesforce ISV - Designing Trial Experiences th...
CodeScience
 
Ad

Recently uploaded (20)

Landscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature ReviewLandscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature Review
Hironori Washizaki
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New VersionF-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage DashboardsAdobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
BradBedford3
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and CollaborateMeet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Maxim Salnikov
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
Landscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature ReviewLandscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature Review
Hironori Washizaki
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New VersionF-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage DashboardsAdobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
BradBedford3
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and CollaborateMeet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Meet the Agents: How AI Is Learning to Think, Plan, and Collaborate
Maxim Salnikov
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 

10 Tips to Pass Salesforce Security Review (and Steps to Take If You Don’t!)

  • 2. Today’s Speakers: Erin Murray Global Alliances Manager CodeScience Lubdha Dahale Security Review Operation Analyst Salesforce Jeremy Engler ISV Specialist CodeScience
  • 4. Who is CodeScience? ● Founding partner of the Salesforce Product Development Organization (PDO) Program ● We partner with clients to build solutions on the Salesforce AppExchange ● Named first Master PDO in 2017 ● From design to build to implementation, we support through the full lifecycle
  • 5. Client success: 10% of the AppExchange
  • 7. How to Prep like a Pro Security Review doesn’t happen in a day
  • 8. Planning 1. Reframe how you approach it a. Think of it as a security hardening sprint 2. ISV Partner Agreement a. Get your ISV Agreement fully executed ASAP 3. Concurrent work a. Start prepping your deliverables early b. Don’t wait for the day you want to submit c. Listing content 4. Organize your resources a. Security Review folder
  • 9. Prep 5. Code Scans & Code Review a. If you need to scan an off-platform system, do it early b. Search for every instance of issues that the code scanners find 6. Compliance & Questionnaire a. Prep this information beforehand 7. Documentation a. Solution Architecture b. Use Cases 8. Demo org a. Use the trialforce template ID from Salesforce b. The review team uses the Admin credentials
  • 10. Submittal 9. Contact Info a. Always use a distribution list 10. Credit Card (Only) a. Must be able to charge $2700 now and $150/year ongoing 11. Pre-Book Security Review Office Hours a. Security review can take between 4-6 weeks b. Ideally schedule a session 10 weeks after your app is placed in queue
  • 11. The SF Security Review Team Meet the team who reviews your apps
  • 12. Ops Submission Validation SR Wizard Guidance Trial Template Reviews Periodic Re-Review Strategy Fees Delistings Prod Sec Penetration Testing Partner Security Portal Technical Office Hours Salesforce Security Review Teams
  • 15. Operations Check ● The Security Review Operations team reviews each submission for completeness before placing the SR queue ● Checks for things like: ○ Unrelated packages in the demo org ○ Incorrect version in the demo org ○ Not marked as “Lightning Ready” ○ Missing Use Case doc ○ Problem with scans or false positive docs ● Log a case after resolving any issues ● Should receive an email once in the SR queue
  • 16. ● Always provide the Listing ID, Package ID and Version ID related to your case ● Correct credentials to Web environments, Native environment (https://login.salesforce.com/) ● Clean scan reports (ZAP, Burp, Chimera or Checkmarx) or attach supporting False-Positive document ● Hit “Start Review” button beside version ID on Publishing Console Tips to avoid delays in Security Review
  • 17. Why apps fail Security Review ● Issues with the package: ○ CRUD/FLS Enforcement ■ Not checking user’s perms to do what the code does ■ #1 failure reason ○ Insecure Storage of Sensitive Data ○ Sensitive Information in Debug ● Issues with the client API/web UI: ○ Password enumeration: shows if username is correct ○ TLS/SSL Configuration ○ XSS Vulnerabilities ● Office Hours ○ Book early ○ Link
  • 18. Top Vulnerabilities in Security Review
  • 19. Example Security Findings Report Note the bolded point at the top of the report: The report starts with a table of contents summarizing the types of vulnerabilities found.
  • 20. Fail Faster Turn lemons into success
  • 21. Have a Plan ● Triage ○ Track each issue like you do bugs ○ Is the issue a False Positive? ○ Identify where the issue/fix resides ○ Assign an Owner and LOE ● Up to your project and deadlines as to whether “hero effort” is required ● Agree on communication cadence to management
  • 22. Address the Issues ● Legitimate issues need to be fixed, either in the package or off-platform ● Not a comprehensive list ○ Need to check for other instances of issues in the code ● Off-platform fixes are the biggest risk/effort ○ Must schedule that work alongside your existing product roadmap ● Issues in the package will require a new upload ○ Post-SR development in the master branch can hamper SR fixes ○ Keep new dev in a new, non-master branch until SR is passed ●
  • 23. Resubmit ● Update ○ Code Scans ○ False positive documentation ○ Demo org ● In the Partner Community: ○ Link the new package version to the listing ○ Submit the new package version with all required docs & information ○ Log a case under “Security Review” with the Package ID ● Alert your PAM
  • 25. For More Information ● OWASP Top 10 Security Issues list ● Build Secure Apps Trailhead ● Partner Security Portal ● Prevent Common Violations of Secure Coding Guidelines ● Security Review Office Hours
  • 26. You don’t have to go it alone!
  • 27. CodeScience Pre-Security Review Service ● ISVs who approach Security Review with a solid plan and partner with some expert assistance typically pass Sec Rev sooner and get to market faster ● Salesforce recently asked CodeScience to help ISVs plan for Security Review and the CodeScience Pre-Security Review Service is the result! ● Reach out to us at [email protected] to start your Pre-Security Review, or visit https://learn.codescience.com/pre-security-review.html for more information
  • 28. Please Submit Your Questions via Q&A What would you like to see more of in our next Security Review webinar? Let us know in the chat! Open Q&A