kosmitev

Security Review - Am I Ready?

Hi Guys,

I need some help. We developed a Composite (Hosted) application that integrates with Salesforce. It's time for security review submission. We went through the requirements - http://wiki.developerforce.com/index.php/Security_Review. OWASP Top Ten Checklist and Requirements Checklist evaluated. We have followed the policies described on the page as closely as possible, but we do not meet all of them 100%. For example, we do not have a company-wide security policy.

We have also run the Burp scanner.

Is there anything else that we should do?

Does Salesforce require a minimum unit test code coverage for Composite (Hosted) applications? Does Salesforce require any information about our security policies prior to security review and, if so, what kind of information?

Thank you in advance!

Best Answer chosen by Admin (Salesforce Developers)
vbadhwar

Hi,

We understand that our partners are of varying sizes and may not necessarily have all the organizational security processes and policies in place. As long as your application and network security is solid and you've addressed the issues flagged by Checkmarx and Burp, you should be in good shape.

Regards,

Varun

All Answers

kosmitev

Thanks for your reply.

Checkmarx just returned half a red circle with "Spoofing Identity", which I have asked about in another question in this forum.

I would appreciate it if you could shed some light on that one.

Kos

vbadhwar

Please email me a copy of the report to vbadhwar at salesforce dot com

Santosh Saha 9

Hello,

I am facing a similar problem. My package does not contain any VF page and has 2 Apex classes (where isUpdateable() is used) for updating the values in the custom fields of a custom object, and 1 Trigger (to create a Task and send an email notification). (Also the test classes for the two Apex classes and the Trigger, so a total of 5 Apex classes.)

On submission to the Force.com Scanner, my report is returning "Problems by Impact" as half red for "Spoofing Identity" and the other half "Tampering with Data", and under "Problems by Files" it is pointing at the 1 test class.

Please help
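As an added example, not code from either poster or from Salesforce, the pattern below shows the CRUD/FLS gating that the Force.com security scanner expects around DML in Apex: object-level and field-level isUpdateable() checks before an update, executed in a `with sharing` class so record-level sharing also applies, plus a test that exercises the denied path under a restricted user. The object `Case_Note__c`, its field `Status__c`, the class names and the `Standard User` profile lookup are assumptions for illustration, not anything from the thread.

```apex
// Added example (hypothetical object/field names). Checks object- and
// field-level update permission before DML, then relies on "with sharing"
// for record-level access.
public with sharing class CaseNoteUpdater {

    public class AccessDeniedException extends Exception {}

    // Returns true only if the running user may update the object
    // and every field in fieldNames. getMap() keys are lower-case.
    public static Boolean canUpdate(Set<String> fieldNames) {
        Schema.DescribeSObjectResult objDescribe = Case_Note__c.SObjectType.getDescribe();
        if (!objDescribe.isUpdateable()) {
            return false;
        }
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        for (String f : fieldNames) {
            Schema.SObjectField field = fieldMap.get(f.toLowerCase());
            if (field == null || !field.getDescribe().isUpdateable()) {
                return false;
            }
        }
        return true;
    }

    // Updates Status__c on the given records, failing closed if the
    // user lacks CRUD/FLS rather than silently writing anyway.
    public static void updateStatus(List<Id> noteIds, String newStatus) {
        if (!canUpdate(new Set<String>{ 'Status__c' })) {
            throw new AccessDeniedException('Insufficient access to Case_Note__c.Status__c');
        }
        // SOQL inside a "with sharing" class honours record sharing rules.
        List<Case_Note__c> notes = [SELECT Id, Status__c FROM Case_Note__c WHERE Id IN :noteIds];
        for (Case_Note__c n : notes) {
            n.Status__c = newStatus;
        }
        update notes;
    }
}

@isTest
private class CaseNoteUpdaterTest {

    // Constructed test: a user on a profile without rights to the custom
    // object must be refused instead of reaching the DML.
    @isTest
    static void restrictedUserIsDenied() {
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User u = new User(
            Alias = 'rstr', Email = 'restricted@example.invalid',
            EmailEncodingKey = 'UTF-8', LastName = 'Restricted',
            LanguageLocaleKey = 'en_US', LocaleSidKey = 'en_US',
            ProfileId = p.Id, TimeZoneSidKey = 'America/Los_Angeles',
            UserName = 'restricted.' + System.currentTimeMillis() + '@example.invalid');
        insert u;

        Boolean denied = false;
        System.runAs(u) {
            try {
                CaseNoteUpdater.updateStatus(new List<Id>(), 'Closed');
            } catch (CaseNoteUpdater.AccessDeniedException e) {
                denied = true;
            }
        }
        System.assert(denied, 'Expected the update to be refused for a restricted user');
    }
}
```

The test class matters for the scanner as much as the production code: DML in a test that runs as the system user with no access checks is a common reason a test file is the one flagged, so keeping the check in the class under test and asserting on the denied path under System.runAs keeps both files consistent.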