
Hi All,

I have heard about the security audit in Salesforce and I got the below link for that.

http://wiki.developerforce.com/index.php/Requirements_Checklist

I have a few questions on that.

  1. Is there really a security audit from the Salesforce team?
  2. Is it an automatic process or a manual process?
  3. At which point do they perform this audit?
  4. How long do they take for that process?
  5. What is the output of the security audit?
  6. What if we fail the audit?
  7. Can we request a re-audit?

Thanks in Advance

 

I need to develop an SSO solution to work with a Google Apps application. So I thought of calling the Salesforce web service and getting the currently logged-in user. For that I have to send the Session Id.

But the Requirements Checklist says we shouldn't:

Implement controls to protect the Salesforce Session Id. Specifically:

  • Session ID should always be encrypted in transmission
  • Session ID should not be sent to third parties (Example: Google Analytics)

http://wiki.developerforce.com/index.php/Requirements_Checklist

Is there any way of doing this without sending the Session Id?

For the last couple of days (at least!), http://security.force.com/security/tools/forcecom/scanner has been saying, "At this time the Force.com Security Source Code Scanner is experiencing delays. Expect delays as we work through this issue."

If we can't scan our app, we can't submit for Security Review. And the Security Review fees go up NINEFOLD on September 1.

Salesforce, can you give us any additional information about this problem or when you expect it to be resolved?

Thanks.

I'm developing an SF app that interacts with a remote server via a REST API. The app's interaction with the API happens in a VF page's controller, not via the page itself.

From what I understand about the Burp scanner, it sits as a proxy between my browser and the remote server, but since that's not where the API is being called from, I'm concerned that it won't find anything. How should I run the Burp scan in this case?

+ As described in the video on the SF Security page?

+ Develop a simple local HTML test page that has links that exercise the API, and then have the scanner's proxy watch as I click those links?

+ Through some other tool that monitors interaction with the server directly?

Thank you for your help.

- Jeri

 

Will URL Hacks make you fail Security Review? 

 

This question is related to an app hosted externally to Salesforce. The user will access the app through a custom web tab in Salesforce. Based on user actions, the custom app server hosting the app makes calls to Salesforce via the REST and SOAP APIs. The app doesn't store any user state, i.e. no sessions. Instead, the server URL, session id and other data are passed (over HTTPS, of course) from the client to the custom app server when an action is performed. That means that if an attacker wants to abuse one of the pages of the custom app, a valid session id and server URL would have to be supplied to perform the action.

The communication looks like this:

client browser <--> custom app server <--> salesforce

I've been reading http://wiki.developerforce.com/page/Secure_Coding_Cross_Site_Request_Forgery, which recommends "A secure anti-CSRF mechanism should create a different and unpredictable token for each user session".

Measuring the use of the session id against the anti-CSRF mechanism criteria mentioned in the article:

1) the session id must be supplied to perform an action

2) the session id is different and unpredictable for each user session

3) the session id is different across users

Does the user's session id act as an anti-CSRF mechanism in this scenario?
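The three criteria above turn on one question: can a request that the victim's browser is tricked into sending carry the session id? The simulation below is an added example (not part of the post, and it does not contact Salesforce) that contrasts two designs of the custom app server. In the cookie design the app server itself sets a session cookie, which the browser then attaches to any request to that server, including one triggered from an attacker's page. In the body design, which is what the post describes, the id only arrives in the POST body, which an attacker's page cannot fill in without already knowing it. A set of known-valid ids stands in for the server-url/session-id validation the real app performs through the Salesforce API.

```python
"""Cookie-carried session vs. session id supplied in the request body,
from the point of view of a cross-site request forgery.

Added example, not from the original post. VALID_SESSIONS is a stand-in
for "session id that Salesforce accepts"; no API calls are made.
"""
import hmac
import secrets

VALID_SESSIONS = set()


def new_session() -> str:
    """Unpredictable, per-session value (criteria 2 and 3 in the post)."""
    sid = secrets.token_urlsafe(32)
    VALID_SESSIONS.add(sid)
    return sid


def is_valid(sid: str) -> bool:
    """Constant-time comparison against each known id (no timing leak)."""
    return any(hmac.compare_digest(sid, known) for known in VALID_SESSIONS)


def handle_cookie_design(request: dict) -> str:
    """App server that authenticates by a session cookie it set earlier."""
    sid = request["cookies"].get("sid", "")
    return "ACTION PERFORMED" if is_valid(sid) else "REJECTED"


def handle_body_design(request: dict) -> str:
    """App server that only honours the session id carried in the POST body."""
    sid = request["body"].get("sessionId", "")
    return "ACTION PERFORMED" if is_valid(sid) else "REJECTED"


def legitimate_request(sid: str, action: str) -> dict:
    """What the real web-tab page sends: cookie (cookie design) and body
    field (body design) both carry the id."""
    return {"cookies": {"sid": sid}, "body": {"sessionId": sid, "action": action}}


def forged_request(victim_cookies: dict, action: str) -> dict:
    """What an attacker's page can make the victim's browser send: the
    browser attaches the victim's cookies for the target automatically,
    but the body is attacker-authored and the attacker does not know the id."""
    return {"cookies": dict(victim_cookies), "body": {"sessionId": "", "action": action}}


def demo() -> dict:
    """Run one legitimate and one forged request against both designs."""
    sid = new_session()
    legit = legitimate_request(sid, "delete_record")
    forged = forged_request(legit["cookies"], "delete_record")
    return {
        "cookie_design_legit": handle_cookie_design(legit),
        "cookie_design_forged": handle_cookie_design(forged),   # CSRF succeeds
        "body_design_legit": handle_body_design(legit),
        "body_design_forged": handle_body_design(forged),       # CSRF fails
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {outcome}")
```

The body design resists forgery only as long as the session id stays secret from the attacker's origin: it has to travel over TLS, must not appear in URLs (where it lands in logs, history and Referer headers) and must not be exposed to any script a third party can read. Those are the same conditions the Requirements Checklist places on the Salesforce session id, so the anti-CSRF property and the session-id protection requirement stand or fall together.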

 

 

 

Hi,

The requirement is authentication between the web service and Salesforce.

I have created a web service in .NET which imports and exports data in an Excel sheet.

I have built a page in .NET which has a list of Salesforce users; it is displayed in Salesforce (for that I used a web tab).

If the administrator selects one of the users from the list and saves it, it will save the userId, username and a newly generated security token in SQL Server and update that security token in the corresponding user record in Salesforce.

When a Salesforce user requests the web service, it checks with the username and token whether this user has permission or not and proceeds further.

I am getting this issue when I request the web service from Salesforce.

Insecure Storage of Sensitive Data Vulnerability

If your application copies and stores sensitive data that originated at salesforce.com, you should take extra precaution. Salesforce.com takes threats to data that originated at their site very seriously, and a data breach or loss could jeopardize your relationship with salesforce.com if you are a partner.

If you must store passwords (including non-Salesforce passwords), note that storing them in plaintext or hashed (such as with the MD5 function) makes your application vulnerable to mass user exploitation if an attacker can get access (even just read-only access) to your database (such as through stealing a backup tape or SQL injection). Although a successful SQL injection or data exposure attack is a huge problem in itself, if the attacker can recover passwords from the data, they can transparently compromise user accounts on a mass scale.

My question is,

If I convert the username and token before saving them into SQL Server, will it solve my problem?

I would like to inform you that I am using Lead data in the web service.

Should this data also be converted into the mdf before importing or exporting the Excel sheet?

Please help me to solve this issue.

Thanks & Regards,

Nilesh Badrakiya
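The scanner text above draws a line that the design should follow: a value the server only ever needs to verify (a password, a security token) should be stored in a form from which the original cannot be recovered, and an unsalted fast hash such as MD5 does not achieve that for guessable values. The example below is added here and is not the poster's .NET code; it uses in-memory dicts as stand-ins for the SQL Server tables and the names `issue_token`, `verify_token`, `set_password` and `verify_password` are the example's own. It treats the two cases differently on purpose: the app-generated token is a 256-bit random value, so a single SHA-256 of it cannot be inverted or brute-forced and is enough; a user-chosen password is guessable, so it gets a per-user salt and a deliberately slow KDF (PBKDF2-HMAC-SHA256). Data that must be read back later, such as the Lead records mentioned in the post, is a third case: hashing destroys it, so it needs encryption with a key kept outside the database, which this example does not cover.

```python
"""Verification-only storage of tokens and passwords.

Added example, not from the original post. TOKEN_STORE and PASSWORD_STORE
stand in for the SQL Server tables; only digests are ever written to them.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

TOKEN_STORE: Dict[str, str] = {}                    # username -> hex(sha256(token))
PASSWORD_STORE: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, pbkdf2 digest)

PBKDF2_ITERATIONS = 600_000   # slow on purpose; tune to ~100 ms per check on your server


def _token_digest(token: str) -> str:
    # The token itself is 256 bits of CSPRNG output, so a plain SHA-256 is
    # one-way in practice: nothing to salt against, nothing to brute-force.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(username: str) -> str:
    """Generate a token, store its digest, return the token exactly once.

    The caller hands the plaintext to the user (here: writes it to the
    Salesforce user record); the database never sees it.
    """
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[username] = _token_digest(token)
    return token


def verify_token(username: str, token: str) -> bool:
    """Check a presented token without ever storing or logging it."""
    stored = TOKEN_STORE.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _token_digest(token))


def set_password(username: str, password: str) -> None:
    """Salted, slow KDF: a leaked table still costs attackers per-guess work."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    PASSWORD_STORE[username] = (salt, digest)


def verify_password(username: str, password: str) -> bool:
    record = PASSWORD_STORE.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, candidate)


def store_reveals_token(username: str, token: str) -> bool:
    """Sanity check a reviewer would run: does the stored row contain the secret?"""
    return token in TOKEN_STORE.get(username, "")


if __name__ == "__main__":
    t = issue_token("alice")
    print("issued token:", t)
    print("stored row  :", TOKEN_STORE["alice"])
    print("verify ok   :", verify_token("alice", t))
    print("verify bad  :", verify_token("alice", t[:-1] + "x"))
```

The `hmac.compare_digest` calls matter in a web service: a plain string comparison returns early at the first differing byte and leaks, over many requests, how much of a guess matched. The token in this design is also a bearer credential, so the same transport rules apply to it as to the Salesforce session id: TLS only, never in a URL, never to a third party.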

 
