NileshAspire

MD5 Security issue with webservice

Hi,

 

The requirement is authentication between the web service and Salesforce.

I have created a web service in .NET which imports and exports data in an Excel sheet.

I have built one page in .NET which has a list of Salesforce users; it will display in Salesforce (for that I used a web tab).

If the administrator selects one of the users from the list and saves it, it will save userId, Username and a newly generated security token in SQL Server and update that security token in the corresponding user record in Salesforce.

When a Salesforce user requests the web service, it will check with username and token whether this user has permission or not and proceed further.

 

I am getting this issue when I request the web service from Salesforce.

 

Insecure Storage of Sensitive Data Vulnerability

If your application copies and stores sensitive data that originated at salesforce.com, you should take extra precaution. Salesforce.com takes threats to data that originated at their site very seriously, and a data breach or loss could jeopardize your relationship with salesforce.com if you are a partner.

If you must store passwords (including non-Salesforce passwords), note that storing them in plaintext or hashed (such as with the MD5 function) makes your application vulnerable to mass user exploitation if an attacker can get access (even just read-only access) to your database (such as through stealing a backup tape or SQL injection). Although a successful SQL injection or data exposure attack is a huge problem in itself, if the attacker can recover passwords from the data, they can transparently compromise user accounts on a mass scale.

 

My question is,

If I convert username and token before saving into SQL Server, will it solve my problem?

I would like to inform you that I am using lead data in the web service.

I also want to convert this data into MD5 before import or export in the Excel sheet?

Please help me to solve this issue.

 

Thanks & Regards,

Nilesh Badrakiya

 

ygluck

When generating, storing, and using secrets (i.e. tokens, passwords, etc.) on salesforce that are intended to be used to access external services, there are a few areas you should consider:

 

1. Data creation: You should make sure to use a good random source with enough entropy to generate these tokens.

2. Data at rest on salesforce servers: You should use protected custom settings within a managed package. This allows access to your tokens only from apex code that is within your managed package.

3. Data at rest on your servers: You should use standard mechanisms to protect passwords. For example, use SHA256 to hash the password with a strong and unique salt per user, and store the output only in a DB.

4. Data in transit: You should make sure to use proper encryption and authentication for the outbound call from salesforce to your servers.

 

Hope this helps,

 

Yoel Gluck

Product Security Team @ Salesforce.com
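Points 1 and 3 of the answer above (CSPRNG-generated token, per-user random salt, SHA-256 of salt plus token stored instead of the token, constant-time check on use) as an added Python example; it is not code from the thread or from the .NET service being discussed. The in-memory TOKEN_STORE dict and the sample user are constructed stand-ins for the SQL Server table.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the SQL Server table in the thread:
# one row per Salesforce user holding username, salt and hash, never the token.
TOKEN_STORE = {}


def generate_token() -> str:
    """Point 1: draw the token from the OS CSPRNG (32 bytes = 256 bits of entropy)."""
    return secrets.token_urlsafe(32)


def hash_token(token: str, salt: bytes) -> bytes:
    """Point 3: SHA-256 over a per-user random salt plus the token.
    One hash round is adequate because the token itself is high-entropy;
    a human-chosen password would instead need a slow KDF such as PBKDF2."""
    return hashlib.sha256(salt + token.encode("utf-8")).digest()


def issue_token(user_id: str, username: str) -> str:
    """Create a token for a user, persist only salt + hash, and return the
    plaintext once so it can be written to the user's Salesforce record."""
    token = generate_token()
    salt = secrets.token_bytes(16)  # unique per user, regenerated on each rotation
    TOKEN_STORE[username] = {
        "user_id": user_id,
        "salt": salt,
        "hash": hash_token(token, salt),
    }
    return token


def verify_token(username: str, token: str) -> bool:
    """Check the username/token pair presented by the Salesforce caller."""
    row = TOKEN_STORE.get(username)
    if row is None:
        # Unknown user: still do one hash so timing does not reveal whether
        # the username exists.
        hash_token(token, b"\x00" * 16)
        return False
    candidate = hash_token(token, row["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, row["hash"])


if __name__ == "__main__":
    t = issue_token("005000000000001", "alice@example.com")  # constructed sample user
    print("stored row holds no plaintext:", "token" not in TOKEN_STORE["alice@example.com"])
    print("valid token accepted:", verify_token("alice@example.com", t))
    print("wrong token rejected:", verify_token("alice@example.com", "x" * 43))
```

Rotating a token (calling issue_token again for the same user) invalidates the old one, which is the behaviour the administrator's "select user and save" step needs.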

 

NileshAspire

Hi Yoel Gluck,

 

Thanks for your reply.

I will try this solution and let you know if it works for me.

 

Thanks & Regards,

Nilesh Badrakiya.

NileshAspire

Hi Yoel Gluck,

 

2. Data at rest on salesforce servers: You should use protected custom settings within a managed package. This allows access to your tokens only from apex code that is within your managed package.

 

How can I do this? Because I am creating the token from .NET, and I have to update the token when the administrator selects the user from the user list which is created in .NET.

What can I do in this case?

 

Thanks,

Nilesh Badrakiya.


ygluck

Here is a link that explains a bit about custom settings: http://na1.salesforce.com/help/doc/en/cs_about.htm

 

Since you want to use Protected Custom Settings, these will only be accessible from Apex, not from the API. You will need to create some Apex code that handles setting and retrieving these values. One way to do this would be with web service apex methods (obviously, these methods would have to handle authentication and authorization). You would call into these API methods from your .NET program and set and get the tokens when needed.

 

P.S. You would want your custom setting type to be "Hierarchy" and visibility to be "Protected".

 

Yoel Gluck

Product Security Team @ Salesforce.com

VishalAsc

Hi Yoel,

Thanks for your comments.

I am Nilesh's colleague working on same problem.

 

My one basic question is, is it not possible to store/exchange secure tokens without going to Custom Settings?

If there is any alternate, it is highly preferred by us.

 

If there is no alternate, then I think what you are saying is:

1. Create a web service in Apex

2. Call that web service from .Net to store tokens in custom settings

 

My question in this regard is, if somebody having PE installs our app, then would we be able to call the apex web service that we create? I read that you can have web services installed in PE but you cannot invoke them.

 

Thanks again...

 

Bakul

ygluck

Hi Bakul,

 

There are other options (http://wiki.developerforce.com/page/Secure_Coding_Storing_Secrets), however, in your case, if you are developing a package, I would recommend using the protected custom settings. If you are just developing it for your own org, then you can use encrypted custom fields and make sure only authorized accounts have the "view encrypted data" perm.

 

Yoel Gluck

Product Security Team @ Salesforce.com

VishalAsc

Hi Yoel,

Ok, I think I should then go for Custom Settings.

But how can I call apex web services from .Net if the package is installed in Professional Edition? Is it that once web services are in a managed package they can be called?

 

Bakul

ygluck

From AppExchange Security Review FAQ:

 

Q: I understand that reviewed solutions are able to work with PE & GE orgs. How does this work? 
A: Eligible partners can apply for an API token via the partner portal. This token is to be used for all API calls for that specific application. Subsequent to the security review and if you are an eligible partner, we allow API transactions identified with your API token to operate with Professional Edition and Group Edition orgs. See the Use of ClientID page for code examples. 

 

Yoel Gluck

Product Security Team @ Salesforce.com


bakul.patel

Hi Yoel,

thanks for this clarification, it really helps.

Now, I think I have only one question. When I am exporting data from Salesforce to my .Net web service, this data includes name, phone, email etc. information. I think such data is defined as personally-identifying information (PII) or high business impact (HBI) data.

So, when exporting the data, do I also need to encrypt the information that I am sending to the .Net service? And does that have to be stored on the .Net server in encrypted form?

 

Thanks,

Bakul

ygluck

There are two parts to securing PII originating from an SFDC org:

 

  1. In transit: you must make sure you are using secure communication (SSL/TLS with proper encryption and proper authentication).
  2. At rest: you must encrypt all such data at rest.

Here is a post explaining a bit more about this: http://wiki.developerforce.com/page/Secure_Coding_Storing_Secrets

 

P.S. Laws and regulations protecting PII differ based on locations and industries etc. You should make sure you also comply with any other law/regulation relevant to you.

 

Yoel Gluck

Product Security Team @ Salesforce.com

 

 

bakul.patel

Hi Yoel,

 

I was thinking, isn't it a little bit extra to encrypt the data on external systems (like the .Net server we have)?

The reason why I ask you is, if data is encrypted, then we have to again decrypt the data for consumption. Once the data is decrypted, the vulnerability is again in the picture. So, what's the rationale behind the requirement that the PII data going out from SFDC needs to be stored in encrypted form at the external system?

Is it that, if the data is encrypted, then only the people who have the key to decrypt the data will be able to access the actual data? Is that the reason?

In our case, what's going to happen is, many individuals who are part of the company will need to have access to that data (which came from Salesforce). And the data is stored in an Excel file. So, they would need to decrypt the data before reading it, which will generate a decrypted Excel file (human readable). Does this violate any security rule that Salesforce imposes?

 

Thanks,

Bakul

Jdolph

Hi Bakul,

 

For sensitive data like credentials or credential equivalents, SSN, etc. we require encryption (or don't store them). For other sensitive data (PII) we require solid multi tenancy and access control, as well as strong authentication. You do not need to encrypt all data as you have discussed before in your database; however, if there are any legal, contractual, or regulatory requirements to do so, you should encrypt or protect that data to satisfy those requirements. As long as you follow these guidelines you should not have a problem with your review.

 

Cheers,

 

James 

bakul.patel

Hi James,

Thanks for the message. That really clarified what the needs are on our .Net component.

The data that we get from SFDC is stored in a file on our .Net server and, as you are saying, we don't need to encrypt this file as such (unless required by other factors outside of Salesforce.com's purview). Given that we store exported data in a file (and we don't encrypt it as we don't have such bindings), the only authentication before reaching the file is the server login. If we build strong password policies for the server, does it satisfy your "solid multi tenancy and access control, as well as strong authentication" requirement?

 

Thanks in advance,

Bakul

Jdolph

Without too much specific information or without testing the solution it's hard to comment on whether the solution is secure or not. I can say that you can look at some of the links below for our requirements and industry standard guidance for these topics. At a high level we don't want to expose information to anyone that should not see it.

 

Requirements: http://wiki.developerforce.com/page/Requirements_Checklist

 

Secure Coding Guides: http://wiki.developerforce.com/index.php/Secure_Coding_Guideline

 

OWASP Secure Coding Guide: https://www.owasp.org/index.php/OWASP_Guide_Project

 

bakul.patel

Hi Yoel,

I started to implement based on suggestions I have here, but there seems to be a problem.

You are suggesting that "You would call into these API methods from your .NET program and set and get the tokens when needed." But as I understand, we can't call custom web services created in apex, in case of GE and PE Salesforce editions.

 

Is it possible I include a predefined token (data in custom settings) as part of my managed package, so that I don't have to call a web service to set up the token?

 

Thanks,

Bakul

 

ygluck

As indicated previously, you will be able to connect to GE/PE API using a Client ID requested via the partner portal (http://wiki.developerforce.com/page/How_to_use_clientid).

 

Yoel Gluck

Product Security Team @ Salesforce.com

bakul.patel

Hi Yoel,

That's true, I had noticed that point you had made earlier.

But I went through the API spec at http://www.salesforce.com/us/developer/docs/api/index.htm

There isn't any method to read/update custom settings through the API.

When I say API, I mean to say API calls that you can do using the Partner WSDL.

I read that you can NEVER, in any condition, call your apex web services from external applications.

http://wiki.developerforce.com/page/Designing_an_Application_for_Group_and_Professional_Edition

So, when I can't call an apex web service, I have to rely on the Partner WSDL API.

And from my reading, I realized that there is no way to access custom settings through the Partner WSDL API.

 

Am I correct?

 

Thanks,

Bakul

ygluck

After checking with the AppExchange team, it appears that you are correct. Using the ClientID gives you API access to regular SOAP API in installed orgs (even if they are GE/PE editions), however, it does not give access to custom web service methods defined in your apex code in GE/PE editions. 

 

 

Perhaps it makes sense to setup an Office Hours meeting (http://security.force.com/security/contact/ohours) to discuss your options?

 

Yoel Gluck

Product Security Team @ Salesforce.com

bakul.patel

Hi Yoel,

As per our discussion on this forum, I am going to create protected custom settings per user to store authentication credentials for the .Net application. My question here is, how can I store these credentials, which are generated in .Net, in custom settings?

 

One possible solution that I see is, I can store the credentials in User object (or any other object for that matter), and then through trigger store them in protected custom settings. In the same trigger, these credentials will be wiped out so that they are not stored in User object.

 

Are there any concerns that security may raise with this solution?

 

Thanks,

Bakul