The Salesforce Independent Software Vendor (ISV) team conducts thorough security reviews for every app listed on the Salesforce AppExchange. As a result, PDO partners and teams building Salesforce apps need to conduct intensive security reviews of their own before submitting apps to the Salesforce ISV team.
Here’s how to test Salesforce apps for compliance with industry security standards before submitting the apps to the ISV team. Conducting thorough security checks before submitting apps to the ISV team ensures the apps make it to the AppExchange in a timely manner.
Three Tools to Check for Salesforce AppExchange Security Compliance
When preparing to submit an app to the Salesforce AppExchange Security Review process, developer teams need to ensure all systems, both Salesforce and any non-Salesforce systems involved in the app, adhere to development and security best practices. Luckily, Salesforce provides three tools to partners that make this double check a lot simpler.
1. Checkmarx
Checkmarx is a multi-platform static analysis tool that can scan many different kinds of applications for security vulnerabilities. In this case, Salesforce has made arrangements with Checkmarx to provide scans of Salesforce orgs without charge. Requesting one is simple; all you need to do is open the Checkmarx scan request page.
You’ll see the scan request form. Enter the username of any Salesforce org that contains your app’s source code (note: not an org with the package installed). Then enter a description (not your password) and select Security and Quality Rules for the scan profile. Finally, click Scan at the bottom of the page and wait.
You will receive an email confirmation when you’re in the queue for a scan. In most cases, you’ll get the scan results within a day, and many times, you’ll get the results within an hour.
The resulting report lists the issues found in your code, ranging from unchecked Field Level Security (FLS) to Cross-Site Scripting (XSS) vulnerabilities. For the security review, you will need to correct every finding or create a false-positive document explaining why a cited issue is not actually a vulnerability, even though the automated scan flagged it.
If your application is fully native to Salesforce, then that scan is the only one you need to run. However, if you have any off-Salesforce resources (APIs, web pages shown in Canvas apps, etc.), then you will need to scan that site as well, using one of the other two tools recommended by Salesforce.
2. ZAP (Zed Attack Proxy)
The ZAP (Zed Attack Proxy) scanning tool is one you install on your local machine and use to run penetration scans against your own server. If you’d like more information on installing ZAP and running it locally, Salesforce has fantastic resources available in the Salesforce Cloud Security Manual.
We’re going to focus on the Salesforce-provided option, Chimera, which includes running a ZAP scan, rather than on ZAP in isolation.
3. Chimera Web Scanner
The Chimera Web Scanner is a cloud-based tool made up of various open-source tools running on Heroku and Salesforce infrastructure. It can be used when the non-Salesforce system(s) that need to be scanned are publicly accessible.
Requirements
Register as an AppExchange Partner.
Make sure the remote system is a publicly accessible web application. This means it should be reachable over the public internet without additional network configuration (proxies, firewalls, etc.).
Configure and provide a test account prior to invoking a scan if the remote system requires authentication.
Anticipate the scan requiring 4-16 hours before a findings report is provided.
Make sure you have access to the web server root to upload an "Abuse Prevention Token" .txt file (or have access to the right team members to do this for you).
Procedure
1. Go to the Partner Security Portal and click on the “Login” link in the upper-right hand corner.
2. If prompted, enter the credentials of your AppExchange Partner account.
3. If this is the first time using Chimera with this AppExchange Partner account, you’ll be prompted to allow SourceScanner access to your Salesforce org. Review the required permissions and click on the blue “Allow” button.
4. On the following screen, you may be asked whether you would like to use Chimera or Source Code Scanner. Select the Chimera option.
5. You’ll now see the Chimera dashboard and any scans that have been previously run or requested.
6. Click on the New Chimera Scan button and it will present you with an abuse prevention token and the form to configure your scan request.
7. Before configuring a new scan, you’re going to need to take that token (available via the “Download your abuse prevention token” link) and upload it as a .txt file to the root of the service being tested. This is done to ensure you are the owner of the site and to prevent other parties from scanning your servers without permission (a generally impolite thing to do).
8. If you have access to do so, upload the file to the server’s root; otherwise, provide the file and instructions to the necessary individual(s) to have this step completed for you.
9. Once the file is uploaded and in place, make sure you can access the file by going to <yourDomain>.com/ChimeraToken.txt. If you can download the file, great! If not, then the Chimera tool will not be able to either, preventing your scan from running.
10. Assuming the above step is ok, make your way back to the Chimera Portal and click the “New Chimera Scan” link again (unless you’ve kept it open all this time in another window).
11. You'll be presented with a form to complete the following details. Once provided, click on the blue “Submit Scan” button.
- Target: The URL of the service needing scanning
- Do Not Scan: URI paths to omit from the scan
- Testing Username: The username of a dedicated user for these scans
- Testing Password: The password for the above username
12. You’ll be taken back to the Chimera Portal’s dashboard where you’ll see your new request as well as its processing status.
13. Give it patience. Eventually, it will shift from “Queued” to “Working,” then “Ready to Generate,” and, finally, “Completed.” You will also receive an email when the report is ready and the scan status is completed.
14. If you’ve been staring at the tool’s dashboard like I do, then you’ll notice the “Status” of your run is now “Completed” long before you notice the email. Now you can click the blue “Download Results” text. The download will be a standard HTML page you can view in whatever browser you prefer.
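Step 9 above says to confirm the token file is reachable before requesting a scan. The script below is an added example (not from the original post, from CRM Science or from Salesforce) that performs that pre-flight check the way a scanner would fetch it: it requests /ChimeraToken.txt under the target URL, checks for a clean HTTP 200 with no redirect (a redirect to a login page or another host is the most common reason the scanner never sees the token), and compares the served content with the token you downloaded. The path ChimeraToken.txt comes from the procedure; the function names, the strictness of the checks and the local test server used to exercise them are this example's own assumptions.

```python
"""Pre-flight check for the Chimera abuse-prevention token file (added example)."""
import functools
import http.server
import os
import shutil
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin

TOKEN_PATH = "/ChimeraToken.txt"  # file name from the Chimera procedure


def verify_token_file(base_url: str, expected_token: str, timeout: float = 10.0) -> dict:
    """Fetch <base_url>/ChimeraToken.txt and explain why a scanner would reject it.

    Returns {'ok': bool, 'reason': str} so the failure can be logged precisely.
    """
    url = urljoin(base_url.rstrip("/") + "/", TOKEN_PATH.lstrip("/"))
    req = urllib.request.Request(url, headers={"User-Agent": "chimera-token-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            final_url = resp.geturl()  # differs from url if we were redirected
            body = resp.read(4096)     # the token is tiny; never read a huge page
    except urllib.error.HTTPError as e:
        return {"ok": False, "reason": f"HTTP {e.code} for {url}"}
    except (urllib.error.URLError, OSError) as e:
        return {"ok": False, "reason": f"could not reach {url}: {e}"}

    if status != 200:
        return {"ok": False, "reason": f"unexpected status {status}"}
    # A redirect (e.g. to a login page or a different host) means the scanner
    # would not find the token at the root where it expects it.
    if final_url != url:
        return {"ok": False, "reason": f"redirected to {final_url}"}
    served = body.decode("utf-8", errors="replace").strip()
    if served != expected_token.strip():
        return {"ok": False, "reason": "served content does not match the token"}
    return {"ok": True, "reason": "token served correctly"}


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that does not log every request to stderr."""

    def log_message(self, format, *args):  # noqa: A002 (signature fixed by base class)
        pass


def start_local_fixture(token: str):
    """Serve a temp directory holding ChimeraToken.txt on 127.0.0.1 (test fixture only).

    Returns (base_url, stop); call stop() to shut the server down and clean up.
    """
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "ChimeraToken.txt"), "w", encoding="utf-8") as f:
        f.write(token + "\n")  # trailing newline is fine: the check strips whitespace
    handler = functools.partial(_QuietHandler, directory=tmp)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)  # port 0 = ephemeral
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()

    def stop():
        server.shutdown()
        server.server_close()
        shutil.rmtree(tmp, ignore_errors=True)

    return f"http://127.0.0.1:{port}", stop


if __name__ == "__main__":
    # Constructed demo: a local server standing in for the site under test.
    base, stop = start_local_fixture("example-token-value")
    try:
        print(verify_token_file(base, "example-token-value"))   # ok: True
        print(verify_token_file(base, "some-other-token"))      # ok: False, content mismatch
        print(verify_token_file(base + "/app", "example-token-value"))  # ok: False, HTTP 404
    finally:
        stop()
```

Against a real site, call verify_token_file("https://<yourDomain>.com", token) with the token string you downloaded from the portal; if the result is not ok, the reason tells you whether the file is missing, the content differs, or a redirect (often an authentication gate applied to the whole site) is hiding it.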
Results
Below are two examples of sample results reports. The first is when the endpoint can’t be accessed by Chimera (such as when the service is behind a firewall, down altogether, or the Chimera request was misconfigured). The second is a report with some example findings in it. Your results will likely be very different from what you see here, depending on services used and functionalities you’re exposing on the server.
Contact CRM Science Salesforce Consultants
CRM Science is an official Salesforce PDO partner that can solve unique business challenges by bringing specialized Salesforce applications to life. The CRM Science Salesforce consulting team builds Salesforce apps and navigates the challenging Salesforce AppExchange security review process. Contact us to chat about your Salesforce projects.
Matt Scheer
Technical Lead
CRM Science