One of the main goals of the Salesforce AppExchange Security Team is giving developers and partners ownership of their security posture with free education, tools, and resources. Our newest cloud-based security tool, Chimera, actively scans your external web application integrations quickly and comprehensively. With just a few clicks you can receive a detailed security report - results which until now required downloading and installing multiple pieces of software and hours of manual effort. Join us to learn about the technology behind Chimera and how you can use it to streamline security review. We will also touch on how Salesforce uses Chimera behind the scenes to continuously monitor the security of the AppExchange ecosystem.
5. Overview
What is the AppExchange Security Review process?
Why does external application security matter?
Goals for Chimera
What can Chimera do for you?
Demo!
Chimera technical overview
What’s coming next [week / month / quarter / year]?
Q&A
7. The AppExchange
1-slide primer
The Salesforce App Marketplace
Independent Software Vendors (ISVs) build and list apps for customers to install & expand the platform’s capabilities
Apps may be platform-only or interface with external web systems, mobile apps, and desktop software
Currently, 2,800+ apps available for free or for purchase
Apps may have scoped or total access to users and/or data within the Salesforce org they are installed in or authenticated against
Apps listed on the AppExchange must undergo a rigorous Security Review by the Product Security team and regular re-reviews
8. AppExchange Security Review
Managed by the Salesforce Product Security team
Comprehensive security audit and penetration test of the application
Partner/ISV provides automated code and application security scans – repeat this process until automated scanners find nothing or only false positives
Partners are provided with ZAP (previously Burp Suite), which they must install and configure before using to run a web application security test against their application
Product Security reviews scan results and application code
In the case of external systems/software connecting to the platform, full penetration test
13. Chimera
What and why?
Chimera (mythology):
“…a monstrous fire-breathing hybrid creature composed of the parts…”
Chimera (genetics):
“…a single organism composed of genetically distinct cells…”
Chimera (Salesforce): A web security scanner composed of parts of the best open-source scanning, analysis, and fingerprinting tools available today. Consolidated and analyzed by purpose-built code and powered on the Heroku platform for massive scalability.
14. Chimera
A fully featured, cloud-based security scanner
Fire-and-forget scanning – just give it a target
Made up of multiple industry-standard security tools
Free for all AppExchange ISVs for the life of their AppExchange offering
15. Chimera Goals
Give partners and ISVs better tools that make it easier to become secure
Reduce confusion and delay in the Security Review process
Use our resources to make security easier for our AppExchange partners
Drive down the number of tests it takes a partner to pass Security Review and allow them to get to market faster on the AppExchange
Promote the security of the AppExchange ecosystem
17. What are we scanning with?
A variety of open-source tools as well as some internally developed ones
ZAP – general web application security scanner
Nikto – web application vulnerability scanner
SSLyze – SSL vulnerability scanner
nmap – port scanner
Plus: SSL fingerprinting, web application fingerprinting
18. Background Magic
Chimera isn’t just running scans and sending you raw results files
After all scans complete on your target, Chimera correlates all results into a single report
Report includes remediation steps for you to resolve issues between scans
Chimera will remove duplicate issues as much as possible to provide you with an accurate and actionable report
Thanks to Heroku, Chimera scales based on activity
Even around the Dreamforce AppExchange spike, you won’t be waiting long
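The correlation and de-duplication step described above, shown as an added Python example that is not Chimera’s own code: it assumes each scanner’s raw output has already been parsed into dicts, and the issue catalogue, remediation text and sample records are constructed placeholders, not real tool output.

```python
from dataclasses import dataclass, field

# Hypothetical catalogue: maps tool-specific titles onto one canonical issue id,
# so the same weakness reported by two scanners is counted once in the report.
CATALOGUE = {
    "x-frame-options header not set": "missing-x-frame-options",
    "anti-clickjacking header missing": "missing-x-frame-options",
    "weak ciphers offered": "weak-tls-ciphers",
}
# Hypothetical remediation guidance attached to every canonical issue.
REMEDIATION = {
    "missing-x-frame-options": "Send X-Frame-Options: DENY or a CSP frame-ancestors directive.",
    "weak-tls-ciphers": "Disable RC4/3DES/export suites; prefer TLS 1.2+ with AEAD suites.",
}
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class Finding:
    issue_id: str
    host: str
    path: str
    severity: str
    sources: set = field(default_factory=set)  # which scanners reported it
    remediation: str = ""

def normalize(tool, raw):
    """Map one raw scanner record to the canonical schema; None if not catalogued."""
    issue_id = CATALOGUE.get(raw["title"].strip().lower())
    if issue_id is None:
        return None
    return Finding(issue_id, raw["host"], raw.get("path", "/"),
                   raw.get("severity", "info").lower(), {tool},
                   REMEDIATION.get(issue_id, "No remediation guidance available."))

def correlate(results):
    """Merge all tools' findings, de-duplicating on (issue, host, path) and
    keeping the highest severity any tool assigned; sorted worst-first."""
    merged = {}
    for tool, records in results.items():
        for raw in records:
            f = normalize(tool, raw)
            if f is None:
                continue
            key = (f.issue_id, f.host, f.path)
            if key in merged:
                merged[key].sources |= f.sources
                if SEVERITY_RANK[f.severity] > SEVERITY_RANK[merged[key].severity]:
                    merged[key].severity = f.severity
            else:
                merged[key] = f
    return sorted(merged.values(), key=lambda f: -SEVERITY_RANK[f.severity])

# Constructed sample records (not real ZAP/Nikto/SSLyze output formats).
SAMPLE = {
    "zap": [{"host": "app.example.com", "path": "/login",
             "title": "X-Frame-Options Header Not Set", "severity": "medium"}],
    "nikto": [{"host": "app.example.com", "path": "/login",
               "title": "Anti-clickjacking header missing", "severity": "low"}],
    "sslyze": [{"host": "app.example.com", "title": "Weak ciphers offered", "severity": "high"}],
}
```

Running `correlate(SAMPLE)` collapses the ZAP and Nikto clickjacking reports into one medium-severity finding attributed to both tools, listed after the high-severity TLS finding.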
19. Chimera Technology
Chimera’s scanners are entirely Heroku-based
Architecture allows for massive scaling
Portal to submit scans and receive results is Force platform-based, allowing for integration with existing Partner portal and AppExchange accounts
Chimera core code + internal components are written in mostly Python
20. Get Started!
Chimera will be live on October 1st, 2015
Links will be live on DeveloperForce - Security
22. We’re not done yet!
Chimera will become the primary means of preparing for Security Review
We want to go one step further towards promoting partner security
As Chimera becomes more stable, we’ll start to experiment with automatic, periodic scans of live offerings to ensure continuous security for partners and customers
Threat intelligence and proactive vulnerability notification will become possible for our partners at no cost or burden to them – ensuring partner success on the platform