Requirements Checklist


Assumptions:

  • This article assumes that you are an IT/Security Professional who understands security best practices.
  • For detailed information, please refer to the Detailed Security Guidance document.
  • Please note that it is not required to have all of the items mentioned below in place in order to pass the security review. The review is a slightly subjective process in which the organization size, application architecture, data handling, etc. are taken into consideration.

Native Applications Built on the Force.com Platform

No minimum requirements, since the application is built and hosted entirely on the Force.com platform with no external data transmission or storage.

Client (Desktop) and Composite (Hosted) Applications

Policies

  • Implement an Information Security Policy that is periodically reviewed, approved by Senior Management, and communicated to all employees.

Standards & Procedures

  • System Configuration
  • Application Development
  • Application Configuration
  • Database Configuration
  • Network Configuration (Including Firewall/IDS)
  • Patching Process
  • Logging Process/Log Review
  • Physical Security
  • Incident Management Process
  • Authentication & Authorization
  • Encryption Standard

Host/Platform Security

  • Disable unnecessary services on key servers (web application, database, etc.)
  • Implement robust patch management
  • Remove/Rename default accounts and change default passwords
  • Encrypt all passwords
  • Create unique usernames for all users
  • Implement a robust password policy (organizational and application)
    • Minimum 8 characters
    • Combination (3 out of 4) of numbers, letters (lower and upper) and special characters
    • Enable lock outs for bad attempts (3-5)
    • Enable password expiration (90-180 days)
    • Enable password history (don’t allow reuse of last 5 passwords)
  • Implement system logging and enforce periodic review of logs
  • Implement host based firewalls on critical systems
  • Implement secure remote access (VPN – SSHv2, SSL, IPSEC 3DES, or AES)
    • Persistent tunnels configured with appropriate ACLs
  • Implement an enterprise-wide anti-virus solution with daily updates
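
The password policy items above (minimum length, 3-of-4 character classes, lockout after a small number of bad attempts, expiration, and a five-entry history) can be enforced in code. The following is an added example written for this checklist, not Salesforce's code or part of the review process; it stores salted PBKDF2 hashes rather than plaintext passwords, and where the checklist gives a range it assumes the stricter end (lockout after 3 attempts, expiration at 90 days). The account class, its method names and the sample passwords are constructed for the illustration.

```python
"""Password policy enforcement for the checklist items above (added example)."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8
MIN_CHARACTER_CLASSES = 3              # 3 out of 4: lower, upper, digit, special
MAX_FAILED_ATTEMPTS = 3                # checklist allows 3-5; strict end assumed
PASSWORD_MAX_AGE = timedelta(days=90)  # checklist allows 90-180 days; strict end assumed
HISTORY_DEPTH = 5                      # the last 5 passwords may not be reused
PBKDF2_ROUNDS = 100_000


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def meets_complexity(password: str) -> bool:
    return len(password) >= MIN_LENGTH and character_classes(password) >= MIN_CHARACTER_CLASSES


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """Hypothetical account record carrying the state the policy needs."""

    def __init__(self, username: str, password: str, now: datetime):
        self.username = username
        self.history: list[tuple[bytes, bytes]] = []   # (salt, hash), newest last
        self.changed_at = now
        self.failed_attempts = 0
        self.locked = False
        self.set_password(password, now)

    def _in_history(self, password: str) -> bool:
        return any(hmac.compare_digest(hash_password(password, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, password: str, now: datetime) -> None:
        """Apply length, complexity and history rules; clears a lockout on success."""
        if not meets_complexity(password):
            raise ValueError("password does not meet the length/complexity policy")
        if self._in_history(password):
            raise ValueError(f"password matches one of the last {HISTORY_DEPTH} passwords")
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now
        self.failed_attempts = 0
        self.locked = False

    def authenticate(self, password: str, now: datetime) -> str:
        """Return one of LOCKED, BAD_PASSWORD, EXPIRED or OK."""
        if self.locked:
            return "LOCKED"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(hash_password(password, salt), digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "LOCKED"
            return "BAD_PASSWORD"
        self.failed_attempts = 0
        if now - self.changed_at > PASSWORD_MAX_AGE:
            return "EXPIRED"           # caller must force a password change
        return "OK"


def run_policy_demo() -> dict:
    """Walk one constructed account through lockout, expiry and history reuse."""
    t0 = datetime(2008, 5, 8)          # constructed reference time
    acct = Account("alice", "Start1234!", t0)
    results = {}
    results["lockout"] = [acct.authenticate("wrong-guess", t0)
                          for _ in range(MAX_FAILED_ATTEMPTS + 1)]
    results["right_password_while_locked"] = acct.authenticate("Start1234!", t0)
    acct.set_password("Fresh5678!", t0)     # administrative reset; clears the lock
    results["ok"] = acct.authenticate("Fresh5678!", t0)
    results["expired"] = acct.authenticate("Fresh5678!", t0 + PASSWORD_MAX_AGE + timedelta(days=1))
    try:
        acct.set_password("Fresh5678!", t0)
        results["reuse_blocked"] = False
    except ValueError:
        results["reuse_blocked"] = True
    for i in range(HISTORY_DEPTH):          # five further changes age the old one out
        acct.set_password(f"Rotate{i}!abc", t0)
    acct.set_password("Fresh5678!", t0)     # now allowed: no longer in the last 5
    results["reuse_after_history_aged"] = True
    return results


if __name__ == "__main__":
    print(run_policy_demo())
```

The lockout counter and the history list live on the account record so that the checks are enforced server-side on every attempt, not only in the UI.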

Application Development Security

  • Implement a strong SDLC with security being a core component
    • Implement code reviews
    • Implement a testing/QA methodology
    • Implement a methodology for rolling code to production
  • Implement appropriate segregation of duties within the test, development and production environments
  • Unless necessary, do not store salesforce.com credentials (leverage the Session IDs)
    • If necessary, have a clear rationale and communicate this to salesforce.com
  • Implement encryption in transmission and storage (login credentials and critical data)
    • Support SSLv3 and newer versions
    • Do not store encryption keys in source code
    • Implement encryption key management
  • Avoid Dynamic SQL
    • If Using Dynamic SQL, prepare appropriate rationale for salesforce.com
    • Implement appropriate compensating controls
  • Implement appropriate input validation and URL cleansing to prevent SQL Injection and Cross-Site Scripting (XSS) attacks
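
The "Avoid Dynamic SQL" and input validation items above are easiest to see side by side. The following is an added example written for this checklist, not Salesforce's code: it builds a small in-memory SQLite table (constructed sample data), shows a dynamic string-built query next to its parameterized form, adds an allow-list for the one case parameters cannot cover (a column name chosen at run time, the kind of compensating control the checklist asks for), validates usernames against a strict pattern, and HTML-encodes output to prevent XSS. Table and column names are assumptions for the illustration.

```python
"""Dynamic vs. parameterized SQL, input validation and output encoding (added example)."""
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")   # strict allow-list for user names
SORTABLE_COLUMNS = {"username", "email"}            # allow-list for run-time identifiers


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the hosted application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "admin"),
        ("bob", "bob@example.com", "user"),
        ("carol", "carol@example.com", "user"),
    ])
    return conn


def find_account_dynamic(conn: sqlite3.Connection, username: str) -> list:
    """Dynamic SQL: the value is spliced into the statement, so it can change the query."""
    sql = "SELECT username, role FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_account_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized: the driver passes the value separately; it can only ever be data."""
    return conn.execute(
        "SELECT username, role FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username: str) -> bool:
    """Input validation at the boundary, in addition to (not instead of) parameters."""
    return USERNAME_RE.fullmatch(username) is not None


def list_accounts_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Identifiers cannot be bound as parameters; an allow-list is the compensating control."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT username FROM accounts ORDER BY {sort_by}").fetchall()


def render_greeting(display_name: str) -> str:
    """Output encoding: user-supplied text is escaped before it reaches HTML."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def run_sql_demo() -> dict:
    conn = build_sample_db()
    # Constructed hostile input: closes the string literal and appends an always-true clause.
    hostile = "' OR '1'='1"
    return {
        "dynamic_rows": len(find_account_dynamic(conn, hostile)),   # whole table leaks
        "safe_rows": len(find_account_safe(conn, hostile)),         # literal match: nothing
        "hostile_passes_validation": validate_username(hostile),
        "alice": find_account_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(run_sql_demo())
```

Parameterization stops injection for values; validation narrows what reaches the database at all; the allow-list handles the identifier case; escaping on output is what stops the same data from becoming a script when it is displayed.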

Operational Security

  • Actively monitor your network
  • Implement and periodically test Disaster Recovery and Business Continuity Plans
  • Implement an Employee Training and Security Awareness Program
  • Implement Encryption Key and Privileged User Password Rotation
  • Implement a robust change management process which includes documentation and approval of all changes
  • Perform security review of third-party organizations
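
"Do not store encryption keys in source code", "Implement encryption key management" (Application Development Security) and "Implement Encryption Key ... Rotation" (above) describe one mechanism: keys injected at deploy time and identified by a version so they can be rotated and retired without breaking what was signed under the previous key. The following is an added example, not Salesforce's or any vendor's code; it uses HMAC signing keys from the standard library to keep the illustration self-contained, and the environment variable name, JSON layout and key ids are assumptions.

```python
"""Versioned signing keys loaded from the environment, with rotation (added example)."""
import hashlib
import hmac
import json
import os
import secrets
from dataclasses import dataclass, field

ENV_VAR = "APP_SIGNING_KEYS"   # hypothetical: injected by the deployment, never committed


@dataclass
class Keyring:
    current: str                                # key id used for new signatures
    keys: dict = field(default_factory=dict)    # key id -> raw key; all accepted for verification

    def to_env_value(self) -> str:
        """Serialize for the secret store / environment; this never goes into source."""
        return json.dumps({"current": self.current,
                           "keys": {kid: k.hex() for kid, k in self.keys.items()}})


def load_keyring(env=None) -> Keyring:
    """Read the keyring from the environment; refuse to run without it."""
    env = os.environ if env is None else env
    raw = env.get(ENV_VAR)
    if raw is None:
        raise RuntimeError(f"{ENV_VAR} is not set: keys must be supplied by the environment")
    data = json.loads(raw)
    return Keyring(current=data["current"],
                   keys={kid: bytes.fromhex(h) for kid, h in data["keys"].items()})


def sign(ring: Keyring, message: bytes) -> str:
    """Return '<key id>.<hex mac>' so a verifier knows which key version to use."""
    mac = hmac.new(ring.keys[ring.current], message, hashlib.sha256).hexdigest()
    return f"{ring.current}.{mac}"


def verify(ring: Keyring, message: bytes, token: str) -> bool:
    kid, _, mac = token.partition(".")
    key = ring.keys.get(kid)
    if key is None:                # unknown or retired key id
        return False
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def rotate(ring: Keyring, new_kid: str) -> Keyring:
    """Introduce a fresh current key; old keys remain valid for verification only."""
    if new_kid in ring.keys:
        raise ValueError("key id already in use")
    keys = dict(ring.keys)
    keys[new_kid] = secrets.token_bytes(32)
    return Keyring(current=new_kid, keys=keys)


def retire(ring: Keyring, kid: str) -> Keyring:
    """Drop an old key once nothing signed under it is still accepted."""
    if kid == ring.current:
        raise ValueError("cannot retire the current key; rotate first")
    return Keyring(current=ring.current,
                   keys={k: v for k, v in ring.keys.items() if k != kid})


def run_rotation_demo() -> dict:
    # Constructed environment standing in for the deployment's secret injection.
    env = {ENV_VAR: json.dumps({"current": "k1",
                                "keys": {"k1": secrets.token_bytes(32).hex()}})}
    ring = load_keyring(env)
    msg = b"session-record:alice"
    old_token = sign(ring, msg)

    ring = rotate(ring, "k2")                   # step 1: new key becomes current
    new_token = sign(ring, msg)
    results = {
        "old_token_valid_after_rotation": verify(ring, msg, old_token),
        "new_token_signed_with": new_token.split(".")[0],
    }
    ring = retire(ring, "k1")                   # step 2: old key removed after grace period
    results["old_token_valid_after_retire"] = verify(ring, msg, old_token)
    results["new_token_valid_after_retire"] = verify(ring, msg, new_token)
    results["tampered_rejected"] = not verify(ring, b"session-record:mallory", new_token)
    results["env_roundtrip_ok"] = load_keyring({ENV_VAR: ring.to_env_value()}).current == "k2"
    return results


if __name__ == "__main__":
    print(run_rotation_demo())
```

Rotation is two steps, not one: first publish the new key as current while the old one is still accepted, then retire the old key after everything signed under it has expired. The same versioned-key pattern applies to data-encryption keys, with the key id stored alongside each ciphertext.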

Network Security (Hosted Applications Only)

  • Stateful Packet Inspection Firewall
  • Segregation of Web/Application and database servers
  • Network IDS/IPS implemented (required if critical Salesforce data is stored in external servers)
  • Log aggregation, alerting and daily review for key network devices, application and database servers
  • Wireless Networking
    • No wireless in collocation facilities
    • WPA2 and wireless IDS implemented at corporate
  • E-mail Spam filter and Anti-virus (required if e-mail is used by your product)

Physical Security (Hosted Applications Only)

  • Restrict data center access to authorized personnel
  • Maintain physical access logs at the data center
  • Implement security cameras, motion detectors and alarms at data centers that are monitored on a 24/7/365 basis
  • Implement controls to protect the infrastructure against external threats and hazards (fire, earthquake, flooding, etc.)



Updated: May 8, 2008