Stat Tracker

Friday, July 21, 2017

Trailhead Trail for OWASP Top Ten 2017

Trailhead Trail for OWASP Top Ten 2017


The trailmix can be found here.

OWASP Top Ten Item Trailhead Module
A1 – Injection  Injection Vulnerability Prevention
A2 – Broken Authentication and Session Management  Secure Secret Storage
A3 – Cross-Site Scripting (XSS)  Injection Vulnerability Prevention
A4 – Broken Access Control  Data Leak Prevention
A5 – Security Misconfiguration  Security Basics
A6 – Sensitive Data Exposure  Data Security
A7 – Insufficient Attack Protection  Data Security
A8 – Cross-Site Request Forgery (CSRF)  App Logic Vulernabiilty Prevention
A9 – Using Components with Known Vulnerabilities  App Logic Vulernabiilty Prevention
A10 – Underprotected APIs  App Logic Vulernabiilty Prevention

Tuesday, April 11, 2017

Salesforce Security Review - Security Posture & False Positive Template

When a company submits their application for Salesforce Security Review there is often a need to provide documentation. There is a lot of information on the process and security scans here (https://developer.salesforce.com/page/Security_Review) but this doesn't have any templates or documentation standards a submission should follow for their application.


This is a sample of a template I have used when submitting to Salesforce Security Review that I have found helpful. I have gone through Salesforce Security Review more than 10 times for large OEM managed packages with hundreds of thousands of lines of code. I have found that the more information you can give the security engineers when they review your application the more successful you will be in passing your security review. Performing this documentation as part of your SDLC also helps bake this into your engineering processes, ensuring future reviews are successful.

Here is the sample template for a fake application with some simple data points. For a true enterprise class application this can be a rather lengthy but important document.
Security Review Considerations and False Positives Template

Want to learn more? Join my engineering organization! I'm looking for new talent to mentor in multiple engineering roles! http://www.fusionrm.com/careers