One of the main goals of the Salesforce AppExchange Security Team is giving developers and partners ownership of their security posture with free education, tools, and resources. Our newest cloud-based security tool, Chimera, actively scans your external web application integrations quickly and comprehensively. With just a few clicks you can receive a detailed security report - results which until now required downloading and installing multiple pieces of software and hours of manual effort. Join us to learn about the technology behind Chimera and how you can use it to streamline security review. We will also touch on how Salesforce uses Chimera behind the scenes to continuously monitor the security of the AppExchange ecosystem.

1. Secure Salesforce
Chimera
External Integration Security
​ Tim Bach
​ Product Security Engineer
​ Salesforce
​ Travis Safford
​ Product Security Engineer
​ Salesforce

2. Tim Bach
Product Security Engineer

3. Travis Safford
Product Security Engineer

4. Secure Salesforce
Dreamforce 2015

5. Overview
​ What is the AppExchange Security Review process?
​ Why does external application security matter?
​ Goals for Chimera
​ What can Chimera do for you?
​ Demo!
​ Chimera technical overview
​ What’s coming next [week / month / quarter / year]?
​ Q&A

6. Security Review Process Overview

7. The AppExchange
1-slide primer
​ The Salesforce App Marketplace
​ Independent Software Vendors (ISV’s) build and list apps for
customers to install & expand the platform’s capabilities
​ Apps may be platform-only or interface with external web
systems, mobile apps, and desktop software
​ Currently, 2,800+ apps available for free or for purchase
​ Apps may have scoped or total access to users and/or data
within the Salesforce org they are installed in or
authenticated against
​ Apps listed on the AppExchange must undergo a rigorous
Security Review by the Product Security team and regular re-
reviews

8. AppExchange Security Review
​ Managed by the Salesforce Product Security team
​ Comprehensive security audit and penetration test of the application
​ Partner/ISV provides automated code and application security scans – repeat this process until
automated scanners find nothing or only false positives
​ Partners are provided with ZAP (previously Burp Suite), which they must install and configure
before using to run a web application security test against their application
​ Product Security reviews scan results and application code
​ In the case of external systems/software connecting to the platform, full penetration test

9. AppExchange Security Review

10. External Threats
Why is Security Review Important?

11. ZAP
What is it? How do partners use it?

12. Introducing Chimera

13. Chimera
What and why?
​ Chimera (mythology):
​ …a monstrous fire-breathing hybrid creature composed of the parts…
​ Chimera (genetics):
…a single organism composed of genetically distinct cells…
​ Chimera (Salesforce): A web security scanner composed of parts of the best open-source scanning,
analysis, and fingerprinting tools available today. Consolidated and analyzed by purpose-built code and
powered on the Heroku platform for massive scalability.
“
”

14. Chimera
​ A fully featured, cloud-based security scanner
​ Fire-and-forget scanning – just give it a target
​ Made up of multiple industry-standard security tools
​ Free for all AppExchange ISV’s for the life of their AppExchange offering

15. Chimera Goals
​ Give partners and ISV’s better tools that make it easier to become secure
​ Reduce confusion and delay in the Security Review process
​ Use our resources to make security easier for our AppExchange partners
​ Drive down the number of tests it takes a partner to pass Security Review and allow them to
get to market faster on the AppExchange
​ Promote the security of the AppExchange ecosystem

16. Let’s start a scan…

17. What are we scanning with?
​ A variety of open-source tools as well as some internally developed ones
​ ZAP – general web application security scanner
​ Nikto – web application vulnerability scanner
​ SSLyze – SSL vulnerability scanner
​ nmap – port scanner
​ Plus: SSL fingerprinting, web application fingerprinting

18. Background Magic
​ Chimera isn’t just running scans and sending you raw results files
​ After all scans complete on your target, Chimera correlates all results into a single report
​ Report includes remediation steps for you to resolve issues between scans
​ Chimera will remove duplicate issues as much as possible to provide you with an accurate and
actionable report
​ Thanks to Heroku, Chimera scales based on activity
​ Even around the Dreamforce AppExchange spike, you won’t be waiting long

19. Chimera Technology
​ Chimera’s scanners are entirely Heroku-based
​ Architecture allows for massive scaling
​ Portal to submit scans and receive results is Force platform-based, allowing for integration with
existing Partner portal and AppExchange accounts
​ Chimera core code + internal components are written in mostly Python

20. Get Started!
​ Chimera will be live on October 1st, 2015
​ Links will be live on DeveloperForce - Security

21. What’s Next?
Future Work

22. We’re not done yet!
​ Chimera will become the primary means of preparing for Security Review
​ We want to go one step further towards promoting partner security
​ As Chimera becomes more stable, we’ll start to experiment with automatic, periodic scans of
live offerings to ensure continuous security for partners and customers
​ Threat intelligence and proactive vulnerability notification will become possible for our
partners at no cost or burden to them – ensuring partner success on the platform

23. Demo Scan Complete
​ Let’s take a look at that scan that we kicked off earlier…

24. Thank you
http://sforce.co/1HHrjRL