Secure Salesforce
Chimera
External Integration Security
Tim Bach
Product Security Engineer, Salesforce
Travis Safford
Product Security Engineer, Salesforce
Secure Salesforce
Dreamforce 2015
Overview
- What is the AppExchange Security Review process?
- Why does external application security matter?
- Goals for Chimera
- What can Chimera do for you?
- Demo!
- Chimera technical overview
- What’s coming next [week / month / quarter / year]?
- Q&A
Security Review Process Overview
The AppExchange
1-slide primer
- The Salesforce App Marketplace
- Independent Software Vendors (ISVs) build and list apps for customers to install and expand the platform’s capabilities
- Apps may be platform-only or interface with external web systems, mobile apps, and desktop software
- Currently, 2,800+ apps available for free or for purchase
- Apps may have scoped or total access to users and/or data within the Salesforce org they are installed in or authenticated against
- Apps listed on the AppExchange must undergo a rigorous Security Review by the Product Security team and regular re-reviews
AppExchange Security Review
- Managed by the Salesforce Product Security team
- Comprehensive security audit and penetration test of the application
- Partner/ISV provides automated code and application security scans – repeat this process until automated scanners find nothing or only false positives
- Partners are provided with ZAP (previously Burp Suite), which they must install and configure before using it to run a web application security test against their application
- Product Security reviews scan results and application code
- In the case of external systems/software connecting to the platform, a full penetration test
AppExchange Security Review
External Threats
Why is Security Review Important?
ZAP
What is it? How do partners use it?
Introducing Chimera
Chimera
What and why?
Chimera (mythology): “…a monstrous fire-breathing hybrid creature composed of the parts…”
Chimera (genetics): “…a single organism composed of genetically distinct cells…”
Chimera (Salesforce): A web security scanner composed of parts of the best open-source scanning, analysis, and fingerprinting tools available today. Consolidated and analyzed by purpose-built code and powered on the Heroku platform for massive scalability.
Chimera
- A fully featured, cloud-based security scanner
- Fire-and-forget scanning – just give it a target
- Made up of multiple industry-standard security tools
- Free for all AppExchange ISVs for the life of their AppExchange offering
Chimera Goals
- Give partners and ISVs better tools that make it easier to become secure
- Reduce confusion and delay in the Security Review process
- Use our resources to make security easier for our AppExchange partners
- Drive down the number of tests it takes a partner to pass Security Review and allow them to get to market faster on the AppExchange
- Promote the security of the AppExchange ecosystem
Let’s start a scan…
What are we scanning with?
- A variety of open-source tools as well as some internally developed ones
- ZAP – general web application security scanner
- Nikto – web application vulnerability scanner
- SSLyze – SSL vulnerability scanner
- nmap – port scanner
- Plus: SSL fingerprinting, web application fingerprinting
Background Magic
- Chimera isn’t just running scans and sending you raw results files
- After all scans complete on your target, Chimera correlates all results into a single report
- The report includes remediation steps for you to resolve issues between scans
- Chimera removes duplicate issues as much as possible to provide you with an accurate and actionable report
- Thanks to Heroku, Chimera scales based on activity
- Even around the Dreamforce AppExchange spike, you won’t be waiting long
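The correlation and de-duplication step this slide describes, as an added Python illustration that is not Chimera's code: each tool's own issue names are mapped onto shared categories, findings that hit the same host and location are merged, the highest severity any tool assigned wins, and remediation text is attached once per issue. All scanner output, alias names, the host name and the remediation strings are constructed for the example, not real ZAP, Nikto, SSLyze or nmap output.

```python
# Added illustration of the "Background Magic" slide (not Chimera's code):
# map each tool's issue names to shared categories, merge findings for the
# same host/location, keep the highest severity, attach remediation once.
from dataclasses import dataclass, field
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed remediation guidance, keyed by the shared issue category.
REMEDIATION = {
    "missing-hsts": "Send Strict-Transport-Security on every HTTPS response.",
    "weak-tls": "Disable SSLv3 and RC4; offer TLS 1.2+ with modern cipher suites.",
    "server-banner": "Suppress version details in the Server response header.",
    "open-port": "Firewall or close any port that is not part of the service.",
}

# Each tool names the same problem differently; these names are constructed
# for the example, not the tools' real plugin identifiers.
ALIASES = {
    "zap": {"Strict-Transport-Security Header Not Set": "missing-hsts",
            "Server Leaks Version Information": "server-banner"},
    "nikto": {"HSTS header missing": "missing-hsts",
              "Server banner discloses version": "server-banner"},
    "sslyze": {"SSLv3 enabled": "weak-tls", "RC4 cipher accepted": "weak-tls"},
    "nmap": {"open port": "open-port"},
}

@dataclass
class Finding:
    """One raw result exactly as a single tool reported it."""
    tool: str
    host: str
    location: str  # URL path for web findings, "tcp/<port>" for network ones
    issue: str
    severity: str
    evidence: str

@dataclass
class ReportEntry:
    """One de-duplicated issue in the consolidated report."""
    category: str
    host: str
    location: str
    severity: str
    sources: list = field(default_factory=list)
    evidence: list = field(default_factory=list)
    remediation: str = ""

def normalise(f: Finding) -> str:
    """Shared category for a finding; unknown names stay tool-qualified so nothing is dropped."""
    return ALIASES.get(f.tool, {}).get(f.issue, f"{f.tool}:{f.issue}")

def correlate(findings):
    """Merge findings that share (category, host, location). The highest
    severity any tool assigned wins; every source tool and distinct piece of
    evidence is kept. Returns entries ordered by severity, highest first."""
    merged = {}
    for f in findings:
        category = normalise(f)
        key = (category, f.host, f.location)
        entry = merged.get(key)
        if entry is None:
            entry = ReportEntry(category, f.host, f.location, f.severity,
                                remediation=REMEDIATION.get(category, ""))
            merged[key] = entry
        elif SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry.severity]:
            entry.severity = f.severity
        if f.tool not in entry.sources:
            entry.sources.append(f.tool)
        if f.evidence not in entry.evidence:
            entry.evidence.append(f.evidence)
    return sorted(merged.values(), key=lambda e: -SEVERITY_RANK[e.severity])

def render(entries) -> str:
    """Plain-text report: one block per de-duplicated issue."""
    out = []
    for e in entries:
        out.append(f"[{e.severity.upper()}] {e.category} at {e.host}{e.location}")
        out.append(f"  reported by: {', '.join(e.sources)}  evidence: {' | '.join(e.evidence)}")
        if e.remediation:
            out.append(f"  fix: {e.remediation}")
    return "\n".join(out)

# Constructed sample run against a fictional target: nine raw findings from
# four tools, several of which describe the same underlying problem.
HOST = "app.example.com"
SAMPLE_FINDINGS = [Finding(*t) for t in [
    ("zap", HOST, "/login", "Strict-Transport-Security Header Not Set", "low", "no HSTS header"),
    ("nikto", HOST, "/login", "HSTS header missing", "medium", "+ The site does not set HSTS"),
    ("zap", HOST, "/", "Strict-Transport-Security Header Not Set", "low", "no HSTS header"),
    ("zap", HOST, "/", "Server Leaks Version Information", "low", "Server: ExampleHTTPd/1.0"),
    ("nikto", HOST, "/", "Server banner discloses version", "low", "Server: ExampleHTTPd/1.0"),
    ("sslyze", HOST, "tcp/443", "SSLv3 enabled", "high", "SSLv3 handshake accepted"),
    ("sslyze", HOST, "tcp/443", "RC4 cipher accepted", "medium", "TLS_RSA_WITH_RC4_128_SHA"),
    ("nmap", HOST, "tcp/443", "open port", "info", "443/tcp open"),
    ("nmap", HOST, "tcp/22", "open port", "info", "22/tcp open"),
]]

if __name__ == "__main__":
    print(render(correlate(SAMPLE_FINDINGS)))
```

The nine raw findings collapse to six report entries; the two HSTS reports for /login become one medium-severity entry credited to both ZAP and Nikto, and the two SSLyze results for tcp/443 merge into a single high-severity TLS entry.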
Chimera Technology
- Chimera’s scanners are entirely Heroku-based
- Architecture allows for massive scaling
- Portal to submit scans and receive results is Force platform-based, allowing for integration with existing Partner portal and AppExchange accounts
- Chimera core code and internal components are written mostly in Python
Get Started!
- Chimera will be live on October 1st, 2015
- Links will be live on DeveloperForce - Security
What’s Next?
Future Work
We’re not done yet!
- Chimera will become the primary means of preparing for Security Review
- We want to go one step further towards promoting partner security
- As Chimera becomes more stable, we’ll start to experiment with automatic, periodic scans of live offerings to ensure continuous security for partners and customers
- Threat intelligence and proactive vulnerability notification will become possible for our partners at no cost or burden to them – ensuring partner success on the platform
Demo Scan Complete
- Let’s take a look at that scan that we kicked off earlier…
Thank you
http://sforce.co/1HHrjRL

Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 

Recently uploaded (20)

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 

Secure Salesforce: External Integration Security with Chimera

13. Chimera: What and why?
• Chimera (mythology): “…a monstrous fire-breathing hybrid creature composed of the parts…”
• Chimera (genetics): “…a single organism composed of genetically distinct cells…”
• Chimera (Salesforce): a web security scanner composed of parts of the best open-source scanning, analysis, and fingerprinting tools available today, consolidated and analyzed by purpose-built code and powered on the Heroku platform for massive scalability.

14. Chimera
• A fully featured, cloud-based security scanner
• Fire-and-forget scanning: just give it a target
• Made up of multiple industry-standard security tools
• Free for all AppExchange ISVs for the life of their AppExchange offering

15. Chimera Goals
• Give partners and ISVs better tools that make it easier to become secure
• Reduce confusion and delay in the Security Review process
• Use our resources to make security easier for our AppExchange partners
• Drive down the number of tests it takes a partner to pass Security Review and allow them to get to market faster on the AppExchange
• Promote the security of the AppExchange ecosystem

16. Let’s start a scan…

17. What are we scanning with?
• A variety of open-source tools as well as some internally developed ones
• ZAP: general web application security scanner
• Nikto: web application vulnerability scanner
• SSLyze: SSL vulnerability scanner
• nmap: port scanner
• Plus: SSL fingerprinting, web application fingerprinting

18. Background Magic
• Chimera isn’t just running scans and sending you raw results files
• After all scans complete on your target, Chimera correlates all results into a single report
• The report includes remediation steps for you to resolve issues between scans
• Chimera removes duplicate issues as far as possible to provide you with an accurate and actionable report
• Thanks to Heroku, Chimera scales based on activity
• Even around the Dreamforce AppExchange spike, you won’t be waiting long

19. Chimera Technology
• Chimera’s scanners are entirely Heroku-based
• The architecture allows for massive scaling
• The portal to submit scans and receive results is Force platform-based, allowing integration with existing Partner portal and AppExchange accounts
• Chimera core code and internal components are written mostly in Python

20. Get Started!
• Chimera will be live on October 1st, 2015
• Links will be live on DeveloperForce - Security

22. We’re not done yet!
• Chimera will become the primary means of preparing for Security Review
• We want to go one step further towards promoting partner security
• As Chimera becomes more stable, we’ll start to experiment with automatic, periodic scans of live offerings to ensure continuous security for partners and customers
• Threat intelligence and proactive vulnerability notification will become possible for our partners at no cost or burden to them, ensuring partner success on the platform

23. Demo Scan Complete
• Let’s take a look at that scan that we kicked off earlier…
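The correlation and de-duplication step described on the “Background Magic” slide, as an added illustration that is not Chimera’s own code: findings from several scanners are normalised to a common key, merged (highest severity wins, every reporting tool and affected path is kept) and paired with remediation text. The sample findings and the REMEDIATION table are constructed for this example and are not the real output formats of ZAP, Nikto or SSLyze.

```python
# Severity order used when merging duplicates: the highest reported severity wins.
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample findings in a simplified common shape (not real tool output).
# Note the near-duplicates: same header issue from ZAP and Nikto with different
# casing and a trailing slash, and the same issue reported on two paths.
RAW_FINDINGS = [
    {"tool": "zap", "host": "app.example.com", "path": "/login", "issue": "X-Frame-Options header missing", "severity": "medium"},
    {"tool": "nikto", "host": "APP.example.com", "path": "/login/", "issue": "x-frame-options header missing", "severity": "low"},
    {"tool": "zap", "host": "app.example.com", "path": "/api", "issue": "X-Frame-Options header missing", "severity": "medium"},
    {"tool": "sslyze", "host": "app.example.com", "path": "", "issue": "TLS 1.0 enabled", "severity": "high"},
    {"tool": "zap", "host": "app.example.com", "path": "/login", "issue": "Cookie without Secure flag", "severity": "low"},
]

# Constructed remediation text keyed by the normalised issue name.
REMEDIATION = {
    "x-frame-options header missing": "Send X-Frame-Options: DENY (or a CSP frame-ancestors directive).",
    "tls 1.0 enabled": "Disable TLS 1.0/1.1 on the server and offer TLS 1.2 or newer only.",
    "cookie without secure flag": "Set the Secure attribute on session cookies.",
}

def normalise(finding):
    """Return (issue, host, path) with case and trailing-slash differences removed."""
    path = finding["path"].rstrip("/") or "/"
    return finding["issue"].strip().lower(), finding["host"].strip().lower(), path

def correlate(findings):
    """Merge raw findings from all tools into one de-duplicated, ordered issue list."""
    merged = {}
    for f in findings:
        issue, host, path = normalise(f)
        entry = merged.setdefault((issue, host), {
            "issue": issue, "host": host, "severity": f["severity"],
            "tools": set(), "paths": set(),
            "remediation": REMEDIATION.get(issue, "No remediation on file."),
        })
        entry["tools"].add(f["tool"])
        entry["paths"].add(path)
        if SEVERITY[f["severity"]] > SEVERITY[entry["severity"]]:
            entry["severity"] = f["severity"]   # keep the most severe rating seen
    # Most severe first, then by issue name so the report order is stable.
    return sorted(merged.values(), key=lambda e: (-SEVERITY[e["severity"]], e["issue"]))

if __name__ == "__main__":
    for e in correlate(RAW_FINDINGS):
        tools, paths = ", ".join(sorted(e["tools"])), ", ".join(sorted(e["paths"]))
        print(f"[{e['severity']:>6}] {e['host']} {e['issue']} at {paths} (found by {tools})")
        print(f"         fix: {e['remediation']}")
```

Running the block collapses the five raw findings into three reportable issues, each carrying every tool that saw it and every path it was seen on.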