
Chuck Tomanek
Senior Systems Analyst

Explores the world of cloud development, including using Force.com and other technologies.


Force.com Gets Serious About Security

With Salesforce.com continuing to expand its Force.com platform, it will become increasingly important to educate developers on possible security vulnerabilities as well as tools and methods available to help avoid falling victim to those vulnerabilities. Force.com recently introduced a new Secure Cloud Development section to its Developerforce site that attempts to alert developers to these issues as well as offer suggestions and tools for correcting them.

Previously, development on the Force.com platform meant your applications would be used only by authenticated users in your organization. Security was still very important, of course, but without the general public accessing your applications, many of the concerns that come with building a public-facing application weren't there. Threats like Cross-Site Scripting and S(O)QL Injection weren't a large concern because the code you wrote generally ran behind the scenes and didn't really have a user-facing component. That all changed with the introduction of Visualforce, and even more so with Sites. Visualforce opened up a front end to your code, and Sites opened it to the public. Now the security concerns that affect all web applications affect your Force.com applications too.
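As an added illustration (not code from this post or from Salesforce), here is a hypothetical Visualforce controller that shows the SOQL injection pattern the platform's scanner looks for next to its fixed form; the class, property and query are assumptions made for the example.

```apex
// Added example: a Visualforce controller that reads a search term typed by a
// site visitor. Class and property names are hypothetical.
public with sharing class ContactSearchController {
    // Bound to an input field on the Visualforce page.
    public String term { get; set; }

    // VULNERABLE: the visitor's text is concatenated straight into the query.
    // A term containing a single quote becomes part of the SOQL text instead of
    // data, so the WHERE clause can be altered. This is the pattern the
    // Security Source Code Scanner reports as SOQL Injection.
    public List<Contact> searchUnsafe() {
        String soql = 'SELECT Id, Name FROM Contact WHERE LastName = \'' + term + '\'';
        return Database.query(soql);
    }

    // HARDENED: a bind variable passes the value as data; it is never parsed
    // as query syntax.
    public List<Contact> searchSafe() {
        return [SELECT Id, Name FROM Contact WHERE LastName = :term];
    }

    // When the query really must be built dynamically, escape the value first.
    public List<Contact> searchDynamicSafe() {
        String safeTerm = String.escapeSingleQuotes(term);
        return Database.query(
            'SELECT Id, Name FROM Contact WHERE LastName = \'' + safeTerm + '\'');
    }
}
```

On the Visualforce side, `{!term}` is HTML-escaped by default when rendered; setting `escape="false"` on an `apex:outputText` removes that protection and reintroduces the XSS risk the post mentions.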

With the Force.com Security Resources section of Developerforce, developers now have an excellent resource for learning, testing, and correcting security concerns in their applications. One of the most interesting components of this site is the Force.com Security Source Code Scanner. This scanner is a free tool that will look at all the code in your organization and email a report that contains all the vulnerabilities it detects. It searches for vulnerabilities like XSS, SOQL/SOSL Injection, Frame Spoofing, and Access Control Issues. If you are an ISV Partner, you may also sign up for a free license for an external web application testing suite called Burp Suite Professional, so you can test external web applications that may connect to your Salesforce.com applications. Other useful resources included in the site are:

  • Design Resources
  • A Self Assessment Tool
  • Secure Coding Guidelines and Library
  • Security Review Process documentation for AppExchange submissions

As Force.com applications move further and further into the public realm, security will become more and more a part of the application design and development process. If you are a developer, or are interested in developing on the Force.com platform at all, I highly recommend you take a look at the Force.com Security Resources on the Developerforce website.



Short URL: http://sundoginteractive.com/e/3642
