Secure Salesforce: External Integration Security with Chimera
TRANSCRIPT
![Page 1: Secure Salesforce: External Integration Security with Chimera](https://reader031.vdocuments.net/reader031/viewer/2022021923/5a6d00887f8b9ad6418b48e5/html5/thumbnails/1.jpg)
Secure Salesforce: Chimera, External Integration Security
Tim Bach, Product Security Engineer, Salesforce
Travis Safford, Product Security Engineer, Salesforce
Tim Bach, Product Security Engineer
Travis Safford, Product Security Engineer
Secure Salesforce, Dreamforce 2015
Overview
What is the AppExchange Security Review process?
Why does external application security matter?
Goals for Chimera
What can Chimera do for you?
Demo!
Chimera technical overview
What’s coming next [week / month / quarter / year]?
Q&A
Security Review Process Overview
The AppExchange 1-slide primer
The Salesforce App Marketplace
Independent Software Vendors (ISVs) build and list apps for customers to install and expand the platform’s capabilities
Apps may be platform-only or interface with external web systems, mobile apps, and desktop software
Currently, 2,800+ apps available for free or for purchase
Apps may have scoped or total access to users and/or data within the Salesforce org they are installed in or authenticated against
Apps listed on the AppExchange must undergo a rigorous Security Review by the Product Security team and regular re-reviews
AppExchange Security Review
Managed by the Salesforce Product Security team
Comprehensive security audit and penetration test of the application
Partner/ISV provides automated code and application security scans – repeat this process until automated scanners find nothing or only false positives
Partners are provided with ZAP (previously Burp Suite), which they must install and configure before running a web application security test against their application
Product Security reviews scan results and application code
In the case of external systems/software connecting to the platform, full penetration test
AppExchange Security Review
External Threats: Why is Security Review Important?
ZAP: What is it? How do partners use it?
Introducing Chimera
Chimera: What and why?
Chimera (mythology): “…a monstrous fire-breathing hybrid creature composed of the parts…”
Chimera (genetics): “…a single organism composed of genetically distinct cells…”
Chimera (Salesforce): A web security scanner composed of parts of the best open-source scanning, analysis, and fingerprinting tools available today. Consolidated and analyzed by purpose-built code and powered on the Heroku platform for massive scalability.
Chimera
A fully featured, cloud-based security scanner
Fire-and-forget scanning – just give it a target
Made up of multiple industry-standard security tools
Free for all AppExchange ISVs for the life of their AppExchange offering
Chimera Goals
Give partners and ISVs better tools that make it easier to become secure
Reduce confusion and delay in the Security Review process
Use our resources to make security easier for our AppExchange partners
Drive down the number of tests it takes a partner to pass Security Review and allow them to get to market faster on the AppExchange
Promote the security of the AppExchange ecosystem
Let’s start a scan…
What are we scanning with?
A variety of open-source tools as well as some internally developed ones
ZAP – general web application security scanner
Nikto – web application vulnerability scanner
SSLyze – SSL vulnerability scanner
nmap – port scanner
Plus: SSL fingerprinting, web application fingerprinting
Background Magic
Chimera isn’t just running scans and sending you raw results files
After all scans complete on your target, Chimera correlates all results into a single report
Report includes remediation steps for you to resolve issues between scans
Chimera will remove duplicate issues as much as possible to provide you with an accurate and actionable report
Thanks to Heroku, Chimera scales based on activity
Even around the Dreamforce AppExchange spike, you won’t be waiting long
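As an added illustration of the correlation step described on this slide (example code, not Chimera's own), the routine below folds constructed ZAP, Nikto and SSLyze findings onto shared issue classes, keeps the highest severity any tool reported, attaches remediation text, and sets aside finding names it cannot map instead of dropping them; the record layout, issue names and remediation strings are assumptions.

```python
# Added example, not Chimera's own code: folding findings from several
# scanners into one de-duplicated report with remediation, as the slide
# describes. Record layout, issue names and remediation text are assumptions.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Tool-specific finding names mapped onto one shared issue class, so the
# same weakness reported by two tools collapses into one report entry.
ISSUE_CLASS = {
    ("zap", "Strict-Transport-Security Header Not Set"): "missing-hsts",
    ("nikto", "Strict-Transport-Security HTTP header is not defined"): "missing-hsts",
    ("sslyze", "tlsv1_0_accepted"): "weak-tls-version",
    ("zap", "X-Frame-Options Header Not Set"): "missing-x-frame-options",
}
REMEDIATION = {
    "missing-hsts": "Send Strict-Transport-Security on every HTTPS response.",
    "weak-tls-version": "Disable SSLv3/TLS 1.0/1.1; offer TLS 1.2 or newer only.",
    "missing-x-frame-options": "Send X-Frame-Options or a frame-ancestors CSP directive.",
}

def correlate(raw_findings):
    """One entry per (issue, host, port), most severe first; unmapped names kept for triage."""
    merged, unmapped = {}, []
    for rec in raw_findings:
        issue = ISSUE_CLASS.get((rec["tool"], rec["name"]))
        if issue is None:          # name we have no mapping for: don't drop it silently
            unmapped.append(rec)
            continue
        key = (issue, rec["host"], rec["port"])
        entry = merged.setdefault(key, {
            "issue": issue, "host": rec["host"], "port": rec["port"],
            "severity": "info", "sources": set(), "remediation": REMEDIATION[issue]})
        entry["sources"].add(rec["tool"])
        if SEVERITY_RANK[rec["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = rec["severity"]   # keep the highest rating any tool gave
    report = sorted(merged.values(), key=lambda e: -SEVERITY_RANK[e["severity"]])
    return report, unmapped

# Constructed sample records, not real scanner output.
SAMPLE = [
    {"tool": "zap", "name": "Strict-Transport-Security Header Not Set", "host": "app.example.com", "port": 443, "severity": "low"},
    {"tool": "nikto", "name": "Strict-Transport-Security HTTP header is not defined", "host": "app.example.com", "port": 443, "severity": "medium"},
    {"tool": "sslyze", "name": "tlsv1_0_accepted", "host": "app.example.com", "port": 443, "severity": "medium"},
    {"tool": "zap", "name": "X-Frame-Options Header Not Set", "host": "app.example.com", "port": 443, "severity": "low"},
    {"tool": "zap", "name": "X-Frame-Options Header Not Set", "host": "app.example.com", "port": 443, "severity": "low"},
    {"tool": "nikto", "name": "Server leaks inodes via ETags", "host": "app.example.com", "port": 443, "severity": "info"},
]

if __name__ == "__main__":
    for e in correlate(SAMPLE)[0]:
        print(f"[{e['severity']}] {e['issue']} {e['host']}:{e['port']} via {sorted(e['sources'])}; fix: {e['remediation']}")
```

Six raw records become three report entries plus one record held for manual triage; the two HSTS findings merge into a single medium-severity entry attributed to both tools.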
Chimera Technology
Chimera’s scanners are entirely Heroku-based
Architecture allows for massive scaling
Portal to submit scans and receive results is Force platform-based, allowing for integration with existing Partner portal and AppExchange accounts
Chimera core code and internal components are written mostly in Python
Get Started!
Chimera will be live on October 1st, 2015
Links will be live on DeveloperForce - Security
What’s Next? Future Work
We’re not done yet!
Chimera will become the primary means of preparing for Security Review
We want to go one step further towards promoting partner security
As Chimera becomes more stable, we’ll start to experiment with automatic, periodic scans of live offerings to ensure continuous security for partners and customers
Threat intelligence and proactive vulnerability notification will become possible for our partners at no cost or burden to them – ensuring partner success on the platform
Demo Scan Complete
Let’s take a look at that scan that we kicked off earlier…
Thank you
http://sforce.co/1HHrjRL