AppExchange Security Review
Overview
As part of the security review process your solution will be subjected to a set of tests
chosen according to the type of solution. Depending on the solution type we will perform a
range of network and application tests.
Goals
The goal of the validation testing is to enumerate vulnerabilities within the partner's
solution and to validate the information provided in the security questionnaire.
Tasks
The following tasks will be performed if a penetration test is deemed necessary by Salesforce or its third-party vendors:
- Confirm the set of tests to be performed based on partner type:
- Network Scan
- Application Scan
- For network scans the following tasks are performed
- Partner will confirm scan time including notification of hosting provider
- Partner will need to provide IP address range
- Partner will need to provide primary contact during testing
- Salesforce.com will provide a primary contact during testing
- Salesforce.com will conduct an NMAP scan of all servers in the specified IP address range
- Salesforce.com will conduct a Nessus scan of up to five (5) IP addresses within the environment
- For web application scans the following tasks are performed
- Partner will confirm scan time including notification of hosting provider
- Partner will need to provide URLs/IP addresses of servers
- Partner will provide two test accounts with passwords for each role within the application (two accounts per role allow authorization checks between users of the same role, not only between roles)
- Partner will need to provide primary contact during testing
- Salesforce.com will provide a primary contact during testing
- Salesforce.com will conduct a vulnerability assessment of the web application using the tools listed below
- Disclosure of test results to the salesforce.com security review team and the partner. The scan results will be shared with the partner once testing has been completed. Vulnerabilities will be ranked based on risk to Salesforce.com, and the partner will be asked to remediate high and medium risk vulnerabilities before approval can be conferred.
- Partner submits a remediation plan.
Tools Used
Network Scans
- NMap
- Nessus
- Wireshark (formerly known as Ethereal)
Web Application Scans
- Paros Proxy
- Nikto
- AppScan
- WebInspect
Application (Client Premise) Scans
- IDA Pro
- .NET Reflector
- JAD (Java Decompiler)
- Wireshark (formerly known as Ethereal)
Storage and Transfer of Data
Results of the scans will be stored on a secured file server within Salesforce.com. Access
to the file share is restricted to the security review team and the Salesforce
Information Security team. When security scan data is stored outside of that file system, it
will be stored on PGP encrypted volumes or in a similarly encrypted format. Any
correspondence sent via email will be sent as PGP encrypted files. The
Salesforce.com PGP public key is available on request. Partners are advised to submit
their PGP public key to us at their earliest convenience. If the partner does not use PGP, we
have a secure file share that can be used for the exchange of sensitive data. Some scan
data will be stored in an encrypted format within the scanning service. This data will only
be accessible to those conducting the assessment.
Test Scenarios
As part of the security scans we will be looking for the following classes of vulnerabilities:
- Network Scans
- Open ports
- Known vulnerabilities
- Server configuration issues
- Web Application Scans
- Injection flaws such as SQL or XSS
- Authentication and authorization controls
- Error handling and information disclosure
- Password policy controls
- Application Scan (Client Premise)
- Storage of encryption keys and credentials
- Storage of sensitive data
- Transmission of sensitive data
None of the testing will include deliberate attempts to conduct DoS attacks on servers or
applications within the test environment. When Nessus scans are conducted, all
dangerous plug-ins will be disabled. Network scans will also be scheduled to limit
network bandwidth usage. The partner is advised to back up all systems before scanning
commences. Where possible we prefer to use non-production environments for web
application scanning to minimize risk to production environments.