Force.com: Secure Cloud Development. Varun Badhwar Force.com Security Manager

Transcription

1 Force.com: Secure Cloud Development Varun Badhwar Force.com Security Manager

2 Safe Harbor Statement Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forwardlooking statements including but not limited to statements concerning the potential market for our existing service offerings and future offerings. All of our forward looking statements involve risks, uncertainties and assumptions. If any such risks or uncertainties materialize or if any of the assumptions proves incorrect, our results could differ materially from the results expressed or implied by the forward-looking statements we make. The risks and uncertainties referred to above include - but are not limited to - risks associated with possible fluctuations in our operating results and cash flows, rate of growth and anticipated revenue run rate, errors, interruptions or delays in our service or our Web hosting, our new business model, our history of operating losses, the possibility that we will not remain profitable, breach of our security measures, the emerging market in which we operate, our relatively limited operating history, our ability to hire, retain and motivate our employees and manage our growth, competition, our ability to continue to release and gain customer acceptance of new and improved versions of our service, customer and partner acceptance of the AppExchange, successful customer deployment and utilization of our services, unanticipated changes in our effective tax rate, fluctuations in the number of shares outstanding, the price of such shares, foreign currency exchange rates and interest rates. Further information on these and other factors that could affect our financial results is included in the reports on Forms 10- K, 10-Q and 8-K and in other filings we make with the Securities and Exchange Commission from time to time. These documents are available on the SEC Filings section of the Investor Information section of our website at Salesforce.com, inc. assumes no obligation and does not intend to update these forwardlooking statements, except as required by law.

3 Agenda Salesforce.com s Philosophy Vision Secure Cloud Development: Education Secure Design Secure Development Secure Testing Secure Release Resources Q&A

4 Salesforce.com Philosophy Success of cloud computing dependant on earning and maintaining customer trust Protecting the privacy of customer data is salesforce.com s core value Details available at:

5 Vision Value Trust as a Top Priority Create a security conscious community encompassing developers / ISVs Enabling Success Provide free educational resources, tools and processes that help deliver trusted Force.com applications Reduce Development Costs According to NIST*, eliminating vulnerabilities in the design stage can cost 30 times less than fixing them post-release * NIST The National Institute of Standard and Technology

6 Force.com Secure Cloud Development Education Release Design Test Develop Seamless integration of security into your existing SDLC

7 Secure Education Overview of Force.com Security Learn about the sharing model and various security controls available to org administrators Developer Training Get educated on writing secure code on Force.com Developer Quiz Assess your security awareness and learn to identify vulnerabilities within Force.com code

8 Secure Design Security Resources Generic Force.com articles and resources. Topics include SAML, sharing, etc. Security Self-Assessment Receive a customized report with links to security articles and resources specific to your application architecture Office Hours Receive free consultation from a member of the salesforce.com security team Security Discussion Board

9 Secure Development Secure Coding Guidelines Obtain platform-specific (Force.com, Java,.Net, etc.) recommendations on mitigating security vulnerabilities such as XSS, Injection, Session Management, etc. Secure Coding Library Open source library for implementing additional security features (CRUD/FLS, input validation, output encoding, etc.) Part of OWASP Enterprise Security API

10 Secure Testing Force.com Security Source Scanner On-demand static source code analysis tool to help identify potential vulnerabilities within your Apex and Visualforce code Web Application Security Scanner Integrating a web-application with Force.com? AppExchange partners are entitled to receive a free license for Burp Suite Professional

11 Secure Release Salesforce.com Security Review Periodic security review of AppExchange and OEM applications Details published at: Security_Review Incident Response (Coming Soon) Guidance on engaging with customers and salesforce.com in case of a security incident

12 Conclusion Free, ready to consume resources Secure Force.com ecosystem Reduced development costs Streamlined AppExchange security process Education Release Design Test Develop

13 Key Resources Secure Cloud Development Home Page On-Demand Security Source Code Scanner Security Discussion Board AppExchange Security Review OWASP

14 Q&A Security Discussion Board: