rsweetland

Security requirements on composite / hosted apps.

This is an extension of the thread below, Security Review - Am I Ready?, which has this text...

"We understand that our partners are of varying sizes and may not necessarily have all the organizational security processes and policies in place. As long as your application and network security is solid and you've addressed issues flagged by Checkmarx and Burp, you should be in good shape."


The Requirements Checklist provides a number of security points including specific application password handling (enforcing password expiration, etc). 


For a hosted application, I am curious how much these policies are enforced, or if they are largely recommendations.  We are a small team and have not yet implemented all of these points, but have locked down our application with other standard means.


If we focus on Burp and Checkmarx security scans, will we be pretty much ok? (I have another post about FLS being a concern since we are integrating only per the API).


I'd hate to spend the time and money waiting for the review only to be rejected for one of these points. Anyone have any insight?


Thanks!


Reilly

jamesD

Burp and Checkmarx are a good start and a great way to get the low hanging fruit. I'd recommend that you also dedicate some time to manual review of your offering and secure development practices as well. The security team will spend most of their time manually testing your web app and any code you have on the platform in this way. Automated tools are used as well, but only to augment the testers. Check out the resources below for some of the basics.


Secure Cloud Development: http://developer.force.com/security


OWASP Secure Coding Practices: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide


OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

rsweetland

Great - Thanks, James. This makes sense. I appreciate the links as well!