Mark Adcock, profile picture
Uploaded byMark Adcock
PPTX, PDF1,828 views

Secure Development on the Salesforce Platform - Part 3

This document outlines the integration of external applications with Salesforce, addressing security measures such as API authentication, OAuth, and mutual TLS. It emphasizes the importance of secret protection through named credentials and managed protected custom settings for safeguarding sensitive data. Various integration methods and best practices for secure communication and data flow between Salesforce and external systems are also discussed.

Software
Related topics:
Salesforce Developer
Downloaded 57 times
December 1, 2015 Lorem Ipsum Dolor
Speakers Swapnil Shinde Product Security Engineer @Swapnil34 Nitin Arya Product Security Analyst @n_arya0
Forward-Looking Statement Statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Agenda • Overview - Integrating your external applications securely with Salesforce • Leveraging JavaScript Remoting with Visualforce - Extend Salesforce functionality with external app intergrations - Map user identities to the external systems - Grant access to Salesforce data without breaking security model • Using Remote Objects with Angular.js - Secrets in named credentials - Secrets in custom settings - Proper usage of secrets
Building Salesforce Integrations • Extend Salesforce funcationality with external app integrations. • Building data flows and interactions between your external app and Salesforce. • Need a way to map Salesforce user identity to your external system. • Need a way to authenticate and secure data flows between the two systems. • Need a way to grant access to Salesforce data without breaking the Salesforce security model or trust in the Salesforce platform.
Integration Methods – Apex Callouts • Use Apex code to access external REST API’s • Can be used to send data out or pull data to/from an external service • Actions must be initiated by a user action from within Salesforce • Partners fail security review here* Salesforce Internet Web service
Integration Methods – API/OAuth • Salesforce has several API’s for developers • To use these API’s authentica via - SOAP API username/password login - OAUTH authentication flow • Delegated authentication - Forward username and password ( sent over internet* ) • Federated Authentication using SAML (Single sign on*) Salesforce Web service REST SOA P
Integration Methods – API - OAuth • Salesforce has several API’s for developers • External services can authenticate with Salesforce via OAuth and receive access tokens • Tokens must be treated with same sensitivity as a password • Utilize public-facing API’s to share data with Salesforce instances • Developers can expose custom Apex REST endpoints • Outbound messaging SOAP RES T
Integration Methods Connected App • Runs on the Salesforce app canvas. • Does not have access to the Salesforce app DOM at any time. • Authenticate via OAuth or SAML using Salesforce credentials. • Easy way to integrate an external application into the Salesforce “skin”. • The OAuth scope for the connected app determines the amount of access this app would have to your Salesforce data. • Make sure to provide least privilege to the OAuth token being created.
Integration User or End User Integration User • Creating an integration user to make callouts from the external app into Salesforce. • Lets you create a least privilege integration user to perform certain operations required by the app. • You don’t have to provide API access to all users. • Only on credential to manage on the external system. • You have to make sure that the Salesforce security model is not broken when the external system accesses Salesforce data.
Integration User or End User End User • Lets your external app make requests as current logged in user with the specified OAuth scope. • Lets the user select if they want to allow or access or not. • Preserves the Salesforce security model in your external requests without any additional measures. • The external app needs to make sure all end user OAuth credentials are stored secureon the external system.
Setting Up A Connected App Go to Setup > Create > Apps > New Connected App
Setting Up A Connected App
Advantages of Connected Apps • No need for custom authentication logic. • Least privilege access control based on the external app use case. • Easy to revoke access for misbehaving apps. • Out of box functionality for standard Auth protocols. • Can provide access without sharing Salesforce username password with the external app.
Credential Handling • External app credentials (consumer key/secret) should be stored securely off the Salesforce platform. • Salesforce OAuth tokens should be stored securely off the platform using the industry best practice for your development platform. • API tokens for the external app should be stored via Protected custom settings inside Salesforce. • All credentials should be secure in transit by using HTTPS (TLS) for all communications.
Transport Security Security Expectations of HTTP • None. • Anyone on the network can eavesdrop traffic. • Anyone on the network can modify content. • Anyone on the network can divert traffic.
Transport Security – What is TLS? • A user visiting a site over HTTP has no assurance that the user is interacting with the legitimate site. • The Transport Layer Security protocol allows for secure communication between applications and users. • Uses PKI (Public Key Infrastructure) to have a Trusted Certificate Authority (CA) vouch for the server’s identity. • Prevents tampering, eavesdropping, and man-in-the- middle attacks against secure communications. Provides authentication and confidentiality.
Mutual TLS • Salesforce supports Mutual TLS for communications between Salesforce and your external server. • This allows you to do a two-way verification, where the client and server can confirm one another’s identity. • Good for server to server authentication, where the client is not prompting a user to log in manually.
Mutual TLS
Salesforce Mutual TLS • Client certificates are uploaded and stored in the Salesforce database, where they are used for verification. • You can also download the Salesforce client certificate to authenticate on your web server, when making Apex callouts, etc. • Salesforce provides a mechanism to prevent falling back to the standard TLS port.
Setting Up Mutual TLS • Have mutual TLS enabled for your organization. • Generate Certificate Signing Request (CSR) and acquire a certificate form a Trusted CA.
Salesforce Mutual TLS • Upload the certificate to Security Controls | Certificate and Key Management. • Enable “Enforce SSL/TLS Mutual Authentication” permission for the API client user. This will force mutual TLS on port 8443 for this user. • This user permission can be added via a PermSet or by adding the permission to the user profile. • Configure the API client to connect on port 8443 and present the client certificate.
Setting Up Mutual TLS
Why Use Mutual TLS? • This seems like a lot of work! Why should I do this? • Provides you a good way to authenticate both parties (Salesforce and external app) when building external integrations. • You don’t just have to rely on IP range restrictions and static API keys for client authentication. • Out of the box mutual TLS implementation provides authentication and confidentiality.
Part 2: Secret Protection
Primary Topic Today: Secrets • We will be covering developer-oriented topics on secret storage for the Salesforce Platform. • Specific features to cover include: – Secrets in named credentials – Secrets in custom settings – Proper secret usage – Protected Custom Metadata Types ??????????? • Useful for anyone in the following areas: – Salesforce Developers (primarily) – Salesforce Administrators – Prospective Partners
What is a secret? • Simple Definition: A piece of data that requires higher than normal protection. • For Our Purposes: A secret will be a piece of data that nobody should see, like a password or encryption key.
Who do we secure secrets from? • Attackers • Regular Users • Partners • Administrators (Biggest Challenge) • Basically, everyone… Why? • Theft of data • Impersonation • Privilege Escalation
Secret in Named Credentials
Named Credentials Overview Named crewdentials are a feature for secret storage built into the Salesforce platform. • Available in the “Security” setup menu • Point & click creation • No Code required to store secret
Named Credentials - Usage • Create a new named credential • Add the URL + secret to the named credential • Invoke the named credential in the httpRequest HttpRequest req = new HttpRequest(); req.setEndpoint('callout:NamedCredential'); req.setMethod('GET'); Http http = new Http(); HTTPResponse res = http.send(req); return res.getBody();
Pros • Easy to create. • Easy to invoke. • Secret is not visible in the UI and code to anyone. • Secret is not leaked in the debug logs. Cons • Only works for httpRequests and certain authentication schemes like OAuth 2.0. • URL can be updated in the setup, potentially leaking secret. ??? Named Credentials - Breakdown
Demo: Secrets in Named Credentials
Custom Settings Overview Custom settings are stripped down sObjects exposed to the application cache, enabling efficient access for developers. Protected versus Public: What is the difference? Protected Custom Settings can only be accessed from the namespace they exist in. • In a managed package, the namespace is that of the package. • In an unmanaged package, the namespace is the local namespace (so no effect). What does this mean? • Managed protected Custom Settings – Extra Security Benefits • Managed Public/ Local Public/ Local Protected – No security benefits, worse for secrets than sObjects.
Managed Protected Custom Settings – Storage Method 1. Create a managed package. 2. Create a protected custom setting inside the package. 3. Create a Visualforce page inside the package to create/update the secret. - Transient string (in controller), should not return secret to the view state. 4. Access and use the secret inside the managed package.
Custom Setting Diagram
Pros • Secret only available to Apex code within managed package namespace. • Can store encryption key to scale. Cons • Requires a managed package! • Methods must be well-coded to prevent secret exposure. Managed Protected Custom Setting - Breakdown
Managed Package Architecture
Demo: Secrets in Custom Settings
Using Managed Protected Custom Settings Properly
Overview Using Managed Protected Custom Settings Properly Secret storage solutions with managed protected custom settings are developed in Apex and Visualforce, and because of this there are some best practices that must be followed: • Properly encapsulating secret usage in the managed package • Properly handling secret dependencies • Avoiding secret reflection
Properly Encapsulating Secret Usage What is encapsulation? Keeping functionality inside the managed package. Why encapsulate? Namespace benefits on work INSIDE the managed package. Anything leaving the package loses benefits. Things to consider for encapsulation: • User interaction - Visualforce page/component inside the managed package. • Using the secret – Code must be contained within the managed package. • Invoking secret usage - Done with a global method, secret never returned outside of the managed package.
Managed Package Architecture
Properly Handling Secret Dependencies What are secret dependencies? If a secret is tied to another piece of information, a dependency is created. Examples: • Passwords can be dependent on URLs. • Encryption keys can be dependent on Salts. Secret dependency best practices: • Secrets and dependencies are controlled from the same place • If dependent is updated, secret should be updated. This prevents the attacker from gaining additional information. • Example: If a URL is updated, password should change too!
Avoiding Secret Reflection What is secret reflection? Developers often mistakenly allow a secret to be reflected from the controller (Apex) to the view (Visualforce). Since the view is client side, the risk of secret exposure increases dramatically! Secret reflection Best Practices • Beware hidden inputs – hidden inputs often show secret in clear within source. • Use transient keyword – transient keyword prevents secret from being stored in the Visualforce viewstate.
Demo: Proper Secret Usage
Recap 1. Named Credentials • Pro – Simple. No secret refelcted in UI or debug logs. • Con – URL can be changed and secret leaked, only works with httpRequests. - Works well with: Passwords and OAuth tokens that don’t come with admin privileges. 2. Managed Protected Custom Setting (Secret Storage Best Practice) • Pro – Most secure option. Protects against users with elevated permissions such as Modify all Data. • Con – Requires a managed package. Requires careful attention to code (see below). - Works well with: Passwords, OAuth tokens, Encryption keys. 3. Using Managed Protected Custom Settings Properly • Properly encapsulating secret usage in the managed package. • Properly handling secret dependencies (update password when updating URL). • Avoiding secret reflection (beware hidden inputs use transient keyword).
Additional Resources • Secure Coding Guidelines - https:/ developer.salesforce.com/page/Secure_Coding_Storing_Secrets • Intro to Managed Packages - https://developer.salesforce.com/page/An_Introduction_to_Packaging • Salesforce StackExchange – http://salesforce.stackexchange.com/questions/tagged/security • Developer.Salesforce.com Security Forum - https://developer.salesforce.com/forums (full link hidden) • Security Office Hours (Partners) - http://security.force.com/security/contact/ohours • Security Implementation Guide - https://developer.salesforce.com/././securityImplGuide/ (full link hidden) • Force.com Security Essentials Course - https://trustacademy.salesforce.com
#forcewebinar
Additional Resources • Digging deep into Oauth 2.0 • Salesforce trust academy • Salesforce generate CSR • Salesforce mutual TLS setup • Salesforce connected apps
Q & A Try Trailhead: trailhead.salesforce.com Join the conversation: @salesforcedevs
Thank You

More Related Content

PDF
Secure Salesforce: External App Integrations
bySalesforce Developers
 
PPTX
Integrating with salesforce
byMark Adcock
 
PDF
Salesforce API Series: Integrating Applications with Force.com Webinar
bySalesforce Developers
 
PPTX
Building apps faster with lightning and winter '17
bySalesforce Developers
 
PDF
Easy REST Integrations with Lightning Components and Salesforce1
bySalesforce Developers
 
PDF
SLDS and Lightning Components
bySalesforce Developers
 
PPTX
Migrating Visualforce Pages to Lightning
bySalesforce Developers
 
PPTX
Build and Package Lightning Components for Lightning Exchange
bySalesforce Developers
 
Secure Salesforce: External App Integrations
bySalesforce Developers
 
Integrating with salesforce
byMark Adcock
 
Salesforce API Series: Integrating Applications with Force.com Webinar
bySalesforce Developers
 
Building apps faster with lightning and winter '17
bySalesforce Developers
 
Easy REST Integrations with Lightning Components and Salesforce1
bySalesforce Developers
 
SLDS and Lightning Components
bySalesforce Developers
 
Migrating Visualforce Pages to Lightning
bySalesforce Developers
 
Build and Package Lightning Components for Lightning Exchange
bySalesforce Developers
 

What's hot

PPTX
Coding in the App Cloud
bySalesforce Developers
 
PPTX
Best Practices for Lightning Apps
byMark Adcock
 
PPTX
Diving Into Heroku Private Spaces
bySalesforce Developers
 
PDF
Lightning web components episode 2- work with salesforce data
bySalesforce Developers
 
PPTX
Unleash the Power of Apex Realtime Debugger
bySalesforce Developers
 
PPTX
Building a Single Page App with Lightning Components
bySalesforce Developers
 
PPTX
Building BOTS on App Cloud
bySalesforce Developers
 
PPTX
Build, Manage, and Deploy Mobile Apps Faster with App Cloud Mobile
bySalesforce Developers
 
PPTX
Build Better Communities with Lightning
bySalesforce Developers
 
PPTX
Lightning components performance best practices
bySalesforce Developers
 
PPTX
Coding Apps in the Cloud with Force.com - Part 2
bySalesforce Developers
 
PPTX
TrailheaDX India : Developer Highlights
bySalesforce Developers
 
PPTX
Secure Development on the Salesforce Platform - Part 2
bySalesforce Developers
 
PPTX
Introduction to the Wave Platform API
bySalesforce Developers
 
PPTX
Introduction to Apex for Developers
bySalesforce Developers
 
PDF
Lightning Out: Components for the Rest of the World
bySalesforce Developers
 
PPTX
Secure Development on the Salesforce Platform - Part I
bySalesforce Developers
 
PDF
Advanced Lightning Components
bySalesforce Developers
 
PDF
Javascript Security and Lightning Locker Service
bySalesforce Developers
 
PPTX
Mds cloud saturday 2015 salesforce intro
byDavid Scruggs
 
Coding in the App Cloud
bySalesforce Developers
 
Best Practices for Lightning Apps
byMark Adcock
 
Diving Into Heroku Private Spaces
bySalesforce Developers
 
Lightning web components episode 2- work with salesforce data
bySalesforce Developers
 
Unleash the Power of Apex Realtime Debugger
bySalesforce Developers
 
Building a Single Page App with Lightning Components
bySalesforce Developers
 
Building BOTS on App Cloud
bySalesforce Developers
 
Build, Manage, and Deploy Mobile Apps Faster with App Cloud Mobile
bySalesforce Developers
 
Build Better Communities with Lightning
bySalesforce Developers
 
Lightning components performance best practices
bySalesforce Developers
 
Coding Apps in the Cloud with Force.com - Part 2
bySalesforce Developers
 
TrailheaDX India : Developer Highlights
bySalesforce Developers
 
Secure Development on the Salesforce Platform - Part 2
bySalesforce Developers
 
Introduction to the Wave Platform API
bySalesforce Developers
 
Introduction to Apex for Developers
bySalesforce Developers
 
Lightning Out: Components for the Rest of the World
bySalesforce Developers
 
Secure Development on the Salesforce Platform - Part I
bySalesforce Developers
 
Advanced Lightning Components
bySalesforce Developers
 
Javascript Security and Lightning Locker Service
bySalesforce Developers
 
Mds cloud saturday 2015 salesforce intro
byDavid Scruggs
 

Similar to Secure Development on the Salesforce Platform - Part 3

PPTX
Ladies Be Architects: Integration Study Group: Security & State Management
bygemziebeth
 
PPTX
The Power of Salesforce APIs World Tour Edition
byPeter Chittum
 
PDF
Secure Salesforce: Hardened Apps with the Mobile SDK
bySalesforce Developers
 
PPTX
Using Apex for REST Integration
bySalesforce Developers
 
PDF
Secure Salesforce: Hardened Apps with the Mobile SDK
byMartin Vigo
 
PDF
Designing Custom REST and SOAP Interfaces on Force.com
bySalesforce Developers
 
PPTX
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
bygemziebeth
 
PDF
Easy No-Code Integrations with External Services and Visual Flow
bySalesforce Developers
 
PDF
Cutting Edge Mobile Development in the App Cloud
bySalesforce Developers
 
POTX
Using the Google SOAP API
bySalesforce Developers
 
PPTX
[MBF2] Plate-forme Salesforce par Peter Chittum
byBeMyApp
 
PDF
Enterprise and Social Integration Using Force.com
bySalesforce Developers
 
PPTX
Secure Coding: SSL, SOAP, and REST
bySalesforce Developers
 
PDF
External Client Apps vs Connected Apps - Salesforce’s Next-Gen Integration Ev...
byNSIQINFOTECH
 
PPTX
February 2020 Salesforce API Review
byLydon Bergin
 
PPTX
Navi Mumbai Salesforce DUG meetup on integration
byRakesh Gupta
 
PDF
Developer Tour on the Salesforce1 Platform
bySalesforce Deutschland
 
PPTX
Salesforce Campus Tour - Developer Advanced
byJames Ward
 
PPTX
Salesforce Developer Group Toronto - Winter'19
byJaswinder Rattanpal
 
PPT
Developers guide to the Salesforce1 Platform
byJohn Stevenson
 
Ladies Be Architects: Integration Study Group: Security & State Management
bygemziebeth
 
The Power of Salesforce APIs World Tour Edition
byPeter Chittum
 
Secure Salesforce: Hardened Apps with the Mobile SDK
bySalesforce Developers
 
Using Apex for REST Integration
bySalesforce Developers
 
Secure Salesforce: Hardened Apps with the Mobile SDK
byMartin Vigo
 
Designing Custom REST and SOAP Interfaces on Force.com
bySalesforce Developers
 
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
bygemziebeth
 
Easy No-Code Integrations with External Services and Visual Flow
bySalesforce Developers
 
Cutting Edge Mobile Development in the App Cloud
bySalesforce Developers
 
Using the Google SOAP API
bySalesforce Developers
 
[MBF2] Plate-forme Salesforce par Peter Chittum
byBeMyApp
 
Enterprise and Social Integration Using Force.com
bySalesforce Developers
 
Secure Coding: SSL, SOAP, and REST
bySalesforce Developers
 
External Client Apps vs Connected Apps - Salesforce’s Next-Gen Integration Ev...
byNSIQINFOTECH
 
February 2020 Salesforce API Review
byLydon Bergin
 
Navi Mumbai Salesforce DUG meetup on integration
byRakesh Gupta
 
Developer Tour on the Salesforce1 Platform
bySalesforce Deutschland
 
Salesforce Campus Tour - Developer Advanced
byJames Ward
 
Salesforce Developer Group Toronto - Winter'19
byJaswinder Rattanpal
 
Developers guide to the Salesforce1 Platform
byJohn Stevenson
 

Recently uploaded

PPTX
Streamline Your Business with BUSY Software.pptx
byMoving Cloud
 
PDF
The Future of School Management in Kenya_ Why Automation Is the Next Big Leap
byChandru
 
PDF
Evolution and Examples of Java Features, from Java 1.7 to Java 25
byYann-Gaël Guéhéneuc
 
PDF
Guidewire Connections 2025 PT 6 Unleash the Power of Agentic AI with Guidewire
byBrian Petrini
 
PDF
School Attendance Tracking Insights | Swipe Solutions
byinfoswipesolutionsin
 
PDF
Enterprise Data Sync via Navision Integration Service Provider
byNavision India
 
PPTX
Lifecycle of Automated Testing: A Step-by-Step Journey from Planning to Repor...
bySophie Lane
 
PPTX
College Management System.pptx
bygehlotyash2005
 
DOCX
The Ultimate Guide to Modern Intranet & Digital Workplace Success
bySharepoint Designs
 
PPTX
Advanced Risk Assessment Module for Enhanced Workplace Safety
byEHA Soft Solutions
 
PDF
Hiring Dedicated Laravel Developers: Cost Breakdown
byShiv Technolabs Pvt. Ltd.
 
PDF
Salesforce Data Migration Services.pdf
byRobert Mark
 
PDF
12 Simple Ways to Attract Direct Bookings.pdf
byHotelogix
 
DOCX
Ethereum News: ETH Dominates DeFi and Smart Contracts
byCoinography Coionography
 
DOCX
What Tools Can Replace Tableau for Interactive Dashboards.docx
byVarsha Nayak
 
PPTX
Future-Proofing the PMO - Strategic Portfolio Management for 2026 and Beyond
byOnePlan Solutions
 
PDF
PyData Paris keynote: Big ideas shaping scientific Python: the quest for perf...
byRalf Gommers
 
PPTX
B2B Marketing Attribution Solutions - VALiNTRY360
byVALiNTRY360
 
PPTX
Hall-Pass-Management-Software-Transforming-School-Safety-and-Efficiency.pptx
byinfoswipesolutionsin
 
PPTX
How John started to like TDD (instead of hating it) (Devcon, October'25)
byNacho Cougil
 
Streamline Your Business with BUSY Software.pptx
byMoving Cloud
 
The Future of School Management in Kenya_ Why Automation Is the Next Big Leap
byChandru
 
Evolution and Examples of Java Features, from Java 1.7 to Java 25
byYann-Gaël Guéhéneuc
 
Guidewire Connections 2025 PT 6 Unleash the Power of Agentic AI with Guidewire
byBrian Petrini
 
School Attendance Tracking Insights | Swipe Solutions
byinfoswipesolutionsin
 
Enterprise Data Sync via Navision Integration Service Provider
byNavision India
 
Lifecycle of Automated Testing: A Step-by-Step Journey from Planning to Repor...
bySophie Lane
 
College Management System.pptx
bygehlotyash2005
 
The Ultimate Guide to Modern Intranet & Digital Workplace Success
bySharepoint Designs
 
Advanced Risk Assessment Module for Enhanced Workplace Safety
byEHA Soft Solutions
 
Hiring Dedicated Laravel Developers: Cost Breakdown
byShiv Technolabs Pvt. Ltd.
 
Salesforce Data Migration Services.pdf
byRobert Mark
 
12 Simple Ways to Attract Direct Bookings.pdf
byHotelogix
 
Ethereum News: ETH Dominates DeFi and Smart Contracts
byCoinography Coionography
 
What Tools Can Replace Tableau for Interactive Dashboards.docx
byVarsha Nayak
 
Future-Proofing the PMO - Strategic Portfolio Management for 2026 and Beyond
byOnePlan Solutions
 
PyData Paris keynote: Big ideas shaping scientific Python: the quest for perf...
byRalf Gommers
 
B2B Marketing Attribution Solutions - VALiNTRY360
byVALiNTRY360
 
Hall-Pass-Management-Software-Transforming-School-Safety-and-Efficiency.pptx
byinfoswipesolutionsin
 
How John started to like TDD (instead of hating it) (Devcon, October'25)
byNacho Cougil
 

Secure Development on the Salesforce Platform - Part 3

  • 1.
  • 2.
    Speakers Swapnil Shinde Product SecurityEngineer @Swapnil34 Nitin Arya Product Security Analyst @n_arya0
  • 3.
    Forward-Looking Statement Statement underthe Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
  • 4.
    Agenda • Overview - Integratingyour external applications securely with Salesforce • Leveraging JavaScript Remoting with Visualforce - Extend Salesforce functionality with external app intergrations - Map user identities to the external systems - Grant access to Salesforce data without breaking security model • Using Remote Objects with Angular.js - Secrets in named credentials - Secrets in custom settings - Proper usage of secrets
  • 5.
    Building Salesforce Integrations •Extend Salesforce funcationality with external app integrations. • Building data flows and interactions between your external app and Salesforce. • Need a way to map Salesforce user identity to your external system. • Need a way to authenticate and secure data flows between the two systems. • Need a way to grant access to Salesforce data without breaking the Salesforce security model or trust in the Salesforce platform.
  • 6.
    Integration Methods –Apex Callouts • Use Apex code to access external REST API’s • Can be used to send data out or pull data to/from an external service • Actions must be initiated by a user action from within Salesforce • Partners fail security review here* Salesforce Internet Web service
  • 7.
    Integration Methods –API/OAuth • Salesforce has several API’s for developers • To use these API’s authentica via - SOAP API username/password login - OAUTH authentication flow • Delegated authentication - Forward username and password ( sent over internet* ) • Federated Authentication using SAML (Single sign on*) Salesforce Web service REST SOA P
  • 8.
    Integration Methods –API - OAuth • Salesforce has several API’s for developers • External services can authenticate with Salesforce via OAuth and receive access tokens • Tokens must be treated with same sensitivity as a password • Utilize public-facing API’s to share data with Salesforce instances • Developers can expose custom Apex REST endpoints • Outbound messaging SOAP RES T
  • 9.
    Integration Methods Connected App •Runs on the Salesforce app canvas. • Does not have access to the Salesforce app DOM at any time. • Authenticate via OAuth or SAML using Salesforce credentials. • Easy way to integrate an external application into the Salesforce “skin”. • The OAuth scope for the connected app determines the amount of access this app would have to your Salesforce data. • Make sure to provide least privilege to the OAuth token being created.
  • 10.
    Integration User orEnd User Integration User • Creating an integration user to make callouts from the external app into Salesforce. • Lets you create a least privilege integration user to perform certain operations required by the app. • You don’t have to provide API access to all users. • Only on credential to manage on the external system. • You have to make sure that the Salesforce security model is not broken when the external system accesses Salesforce data.
  • 11.
    Integration User orEnd User End User • Lets your external app make requests as current logged in user with the specified OAuth scope. • Lets the user select if they want to allow or access or not. • Preserves the Salesforce security model in your external requests without any additional measures. • The external app needs to make sure all end user OAuth credentials are stored secureon the external system.
  • 12.
    Setting Up AConnected App Go to Setup > Create > Apps > New Connected App
  • 13.
    Setting Up AConnected App
  • 14.
    Advantages of ConnectedApps • No need for custom authentication logic. • Least privilege access control based on the external app use case. • Easy to revoke access for misbehaving apps. • Out of box functionality for standard Auth protocols. • Can provide access without sharing Salesforce username password with the external app.
  • 15.
    Credential Handling • Externalapp credentials (consumer key/secret) should be stored securely off the Salesforce platform. • Salesforce OAuth tokens should be stored securely off the platform using the industry best practice for your development platform. • API tokens for the external app should be stored via Protected custom settings inside Salesforce. • All credentials should be secure in transit by using HTTPS (TLS) for all communications.
  • 16.
    Transport Security Security Expectationsof HTTP • None. • Anyone on the network can eavesdrop traffic. • Anyone on the network can modify content. • Anyone on the network can divert traffic.
  • 17.
    Transport Security –What is TLS? • A user visiting a site over HTTP has no assurance that the user is interacting with the legitimate site. • The Transport Layer Security protocol allows for secure communication between applications and users. • Uses PKI (Public Key Infrastructure) to have a Trusted Certificate Authority (CA) vouch for the server’s identity. • Prevents tampering, eavesdropping, and man-in-the- middle attacks against secure communications. Provides authentication and confidentiality.
  • 18.
    Mutual TLS • Salesforcesupports Mutual TLS for communications between Salesforce and your external server. • This allows you to do a two-way verification, where the client and server can confirm one another’s identity. • Good for server to server authentication, where the client is not prompting a user to log in manually.
  • 19.
  • 20.
    Salesforce Mutual TLS •Client certificates are uploaded and stored in the Salesforce database, where they are used for verification. • You can also download the Salesforce client certificate to authenticate on your web server, when making Apex callouts, etc. • Salesforce provides a mechanism to prevent falling back to the standard TLS port.
  • 21.
    Setting Up MutualTLS • Have mutual TLS enabled for your organization. • Generate Certificate Signing Request (CSR) and acquire a certificate form a Trusted CA.
  • 22.
    Salesforce Mutual TLS •Upload the certificate to Security Controls | Certificate and Key Management. • Enable “Enforce SSL/TLS Mutual Authentication” permission for the API client user. This will force mutual TLS on port 8443 for this user. • This user permission can be added via a PermSet or by adding the permission to the user profile. • Configure the API client to connect on port 8443 and present the client certificate.
  • 23.
  • 24.
    Why Use MutualTLS? • This seems like a lot of work! Why should I do this? • Provides you a good way to authenticate both parties (Salesforce and external app) when building external integrations. • You don’t just have to rely on IP range restrictions and static API keys for client authentication. • Out of the box mutual TLS implementation provides authentication and confidentiality.
  • 25.
  • 26.
    Primary Topic Today:Secrets • We will be covering developer-oriented topics on secret storage for the Salesforce Platform. • Specific features to cover include: – Secrets in named credentials – Secrets in custom settings – Proper secret usage – Protected Custom Metadata Types ??????????? • Useful for anyone in the following areas: – Salesforce Developers (primarily) – Salesforce Administrators – Prospective Partners
  • 27.
    What is asecret? • Simple Definition: A piece of data that requires higher than normal protection. • For Our Purposes: A secret will be a piece of data that nobody should see, like a password or encryption key.
  • 28.
    Who do wesecure secrets from? • Attackers • Regular Users • Partners • Administrators (Biggest Challenge) • Basically, everyone… Why? • Theft of data • Impersonation • Privilege Escalation
  • 29.
    Secret in NamedCredentials
  • 30.
    Named Credentials Overview Namedcrewdentials are a feature for secret storage built into the Salesforce platform. • Available in the “Security” setup menu • Point & click creation • No Code required to store secret
  • 31.
    Named Credentials -Usage • Create a new named credential • Add the URL + secret to the named credential • Invoke the named credential in the httpRequest HttpRequest req = new HttpRequest(); req.setEndpoint('callout:NamedCredential'); req.setMethod('GET'); Http http = new Http(); HTTPResponse res = http.send(req); return res.getBody();
  • 32.
    Pros • Easy tocreate. • Easy to invoke. • Secret is not visible in the UI and code to anyone. • Secret is not leaked in the debug logs. Cons • Only works for httpRequests and certain authentication schemes like OAuth 2.0. • URL can be updated in the setup, potentially leaking secret. ??? Named Credentials - Breakdown
  • 33.
  • 34.
    Custom Settings Overview Customsettings are stripped down sObjects exposed to the application cache, enabling efficient access for developers. Protected versus Public: What is the difference? Protected Custom Settings can only be accessed from the namespace they exist in. • In a managed package, the namespace is that of the package. • In an unmanaged package, the namespace is the local namespace (so no effect). What does this mean? • Managed protected Custom Settings – Extra Security Benefits • Managed Public/ Local Public/ Local Protected – No security benefits, worse for secrets than sObjects.
  • 35.
    Managed Protected CustomSettings – Storage Method 1. Create a managed package. 2. Create a protected custom setting inside the package. 3. Create a Visualforce page inside the package to create/update the secret. - Transient string (in controller), should not return secret to the view state. 4. Access and use the secret inside the managed package.
  • 36.
  • 37.
    Pros • Secret onlyavailable to Apex code within managed package namespace. • Can store encryption key to scale. Cons • Requires a managed package! • Methods must be well-coded to prevent secret exposure. Managed Protected Custom Setting - Breakdown
  • 38.
  • 39.
    Demo: Secrets inCustom Settings
  • 40.
    Using Managed ProtectedCustom Settings Properly
  • 41.
    Overview Using Managed ProtectedCustom Settings Properly Secret storage solutions with managed protected custom settings are developed in Apex and Visualforce, and because of this there are some best practices that must be followed: • Properly encapsulating secret usage in the managed package • Properly handling secret dependencies • Avoiding secret reflection
  • 42.
    Properly Encapsulating SecretUsage What is encapsulation? Keeping functionality inside the managed package. Why encapsulate? Namespace benefits on work INSIDE the managed package. Anything leaving the package loses benefits. Things to consider for encapsulation: • User interaction - Visualforce page/component inside the managed package. • Using the secret – Code must be contained within the managed package. • Invoking secret usage - Done with a global method, secret never returned outside of the managed package.
  • 43.
  • 44.
    Properly Handling SecretDependencies What are secret dependencies? If a secret is tied to another piece of information, a dependency is created. Examples: • Passwords can be dependent on URLs. • Encryption keys can be dependent on Salts. Secret dependency best practices: • Secrets and dependencies are controlled from the same place • If dependent is updated, secret should be updated. This prevents the attacker from gaining additional information. • Example: If a URL is updated, password should change too!
  • 45.
    Avoiding Secret Reflection Whatis secret reflection? Developers often mistakenly allow a secret to be reflected from the controller (Apex) to the view (Visualforce). Since the view is client side, the risk of secret exposure increases dramatically! Secret reflection Best Practices • Beware hidden inputs – hidden inputs often show secret in clear within source. • Use transient keyword – transient keyword prevents secret from being stored in the Visualforce viewstate.
  • 46.
  • 47.
    Recap 1. Named Credentials •Pro – Simple. No secret refelcted in UI or debug logs. • Con – URL can be changed and secret leaked, only works with httpRequests. - Works well with: Passwords and OAuth tokens that don’t come with admin privileges. 2. Managed Protected Custom Setting (Secret Storage Best Practice) • Pro – Most secure option. Protects against users with elevated permissions such as Modify all Data. • Con – Requires a managed package. Requires careful attention to code (see below). - Works well with: Passwords, OAuth tokens, Encryption keys. 3. Using Managed Protected Custom Settings Properly • Properly encapsulating secret usage in the managed package. • Properly handling secret dependencies (update password when updating URL). • Avoiding secret reflection (beware hidden inputs use transient keyword).
  • 48.
    Additional Resources • SecureCoding Guidelines - https:/ developer.salesforce.com/page/Secure_Coding_Storing_Secrets • Intro to Managed Packages - https://developer.salesforce.com/page/An_Introduction_to_Packaging • Salesforce StackExchange – http://salesforce.stackexchange.com/questions/tagged/security • Developer.Salesforce.com Security Forum - https://developer.salesforce.com/forums (full link hidden) • Security Office Hours (Partners) - http://security.force.com/security/contact/ohours • Security Implementation Guide - https://developer.salesforce.com/././securityImplGuide/ (full link hidden) • Force.com Security Essentials Course - https://trustacademy.salesforce.com
  • 49.
  • 51.
    Additional Resources • Diggingdeep into Oauth 2.0 • Salesforce trust academy • Salesforce generate CSR • Salesforce mutual TLS setup • Salesforce connected apps
  • 52.
    Q & A TryTrailhead: trailhead.salesforce.com Join the conversation: @salesforcedevs
  • 53.