✓ We’ll tour some key questions and concepts every architect must understand
✓ I’ll share some of my work on DevSecOps for Salesforce
My assumptions:
✓ You are a Salesforce developer or architect
✓ You have some awareness of secure development concepts
Delivery (8 on Salesforce)
✓ Salesforce Certified Technical Architect since 2016
✓ Formerly CTO of a Salesforce Platinum Consulting Partner
✓ Founded Clayton in 2018
Why I started Clayton
✓ Thought SAST for Salesforce was broken (inaccurate, clunky)
✓ I wanted a developer-centric, modern way to do security reviews for Salesforce
✓ We help Salesforce teams ship faster and worry less
✓ 500 million lines of code processed on a typical day
How are we different from other static analysis?
✓ High-precision
✓ Scan anything (Apex, LWC, Aura, Visualforce, Flows, etc.)
✓ Source-driven
numbers compromised
✓ $1.4 B estimated damage
How it happened
✓ Attackers exploited a known vulnerability in Apache Struts (CVE-2017-5638)
✓ The vulnerability was already fixed upstream
✓ The application was using a vulnerable version of the library
believe
✓ Cyber-attacks are in the top 10 global risks according to the World Economic Forum
✓ More information in the cloud = more valuable assets to acquire
✓ Apex is not secure by default
✓ More breaches will eventually happen
Arguments for promoting security
that is not trustworthy
✓ Any user-controlled input
✓ Data from the database
Sink
✓ A place in your code where untrusted data could do something bad
✓ Dangerous functions
✓ Exploitable targets
✓ E.g. Database.query()
during code, build and before release
✓ If at least one path connects any source to any sink → security vulnerability
✓ Sources/Sinks may be found in separate source files → call traversal
✓ Paths are invisible to linters (PMD, ESLint, etc.) → they can’t “follow” your code
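The source-to-sink rule above, as an added example that is not from the slides or from Clayton: a toy path search over a constructed call graph of Apex-like methods. The class and method names, the file names and the "user-controlled parameter flows straight into the callee" relationships are all constructed for the demo; `Database.query()` is the sink the slides name. A real analyzer would build this graph from parsed Apex, but the search itself is the same, and the last function shows why a per-file linter, which only sees one `.cls` at a time, cannot flag the cross-file path.

```python
"""Added example: source-to-sink path search across files (constructed call graph)."""

# Constructed call graph. Each method lists the methods it calls; a "source"
# flag means its parameter is user-controlled, a "sink" names the dangerous
# function the parameter reaches. Taint is assumed to propagate along every call.
CODEBASE = {
    "AccountController.search(term)": {
        "file": "AccountController.cls",
        "source": True,                        # term comes from a request parameter
        "calls": ["SearchService.run(term)"],
    },
    "SearchService.run(term)": {
        "file": "SearchService.cls",
        "calls": ["QueryBuilder.build(term)"],
    },
    "QueryBuilder.build(term)": {
        "file": "QueryBuilder.cls",
        "sink": "Database.query()",            # term is concatenated into dynamic SOQL
        "calls": [],
    },
    "ReportController.export(id)": {
        "file": "ReportController.cls",
        "source": True,
        "calls": ["ReportService.fetch(id)"],
    },
    "ReportService.fetch(id)": {
        "file": "ReportService.cls",
        "calls": [],                           # uses a bind variable; never reaches a sink
    },
}


def find_source_to_sink_paths(graph):
    """Return every call path that starts at a source and ends at a sink (depth-first)."""
    paths = []
    for start, meta in graph.items():
        if not meta.get("source"):
            continue
        stack = [[start]]
        while stack:
            path = stack.pop()
            node = path[-1]
            if graph[node].get("sink"):
                paths.append(path)
                continue
            for callee in graph[node]["calls"]:
                if callee not in path:         # guard against recursive cycles
                    stack.append(path + [callee])
    return paths


def files_on_path(graph, path):
    """The source files a path crosses; more than one means call traversal was needed."""
    return [graph[method]["file"] for method in path]


def single_file_findings(graph):
    """What a one-file-at-a-time linter could see: files that contain BOTH a source
    and a sink. A path that spans several files is invisible to this view."""
    by_file = {}
    for meta in graph.values():
        entry = by_file.setdefault(meta["file"], {"source": False, "sink": False})
        entry["source"] |= bool(meta.get("source"))
        entry["sink"] |= bool(meta.get("sink"))
    return sorted(f for f, v in by_file.items() if v["source"] and v["sink"])


if __name__ == "__main__":
    for path in find_source_to_sink_paths(CODEBASE):
        print("VULNERABLE PATH:", " -> ".join(path))
        print("  files crossed:", files_on_path(CODEBASE, path))
    print("per-file view would flag:", single_file_findings(CODEBASE) or "nothing")
```

The search reports one path, spanning three files, while the per-file view reports nothing: exactly the gap the slide describes between path-aware analysis and linters.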
reasons to love open source
✓ 100 million open source projects on GitHub in 2018
The risky part
✓ On the average project, 60% of the code is from open source components
✓ Attackers like exploiting open source vulnerabilities
✓ Most teams don’t keep components up-to-date with security patches
✓ Using components with known vulnerabilities is now an “OWASP Top 10” category
in Visualforce, Aura
✓ Using third-party components is discouraged, but still possible with LWC / Lightning Locker
✓ Most likely exploitability via JS code injection (XSS)
✓ Not picked up by the Force.com Security Scanner (Checkmarx)
✓ Static Resource Bundles may not be picked up by Retire.js, Snyk, etc.
tasks
✓ Useful way to compare predicted values to actual values
✓ Easy way to understand the effectiveness of a classifier, SAST, etc.
✓ Accuracy, Precision and False Positive Rate can be calculated from the Confusion Matrix
TN) / Total = (100 + 50) / 165 = 0.91 = 91%
Precision
When it predicts yes, how often is it correct?
TP / predicted yes = 100 / 110 = 0.91 = 91%
False Positive Rate
When it’s actually no, how often does it predict yes?
FP / actual no = 10 / 60 = 0.17 = 17%
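The three calculations above, as an added example that is not from the slides: a confusion matrix is built from a constructed set of SAST triage results (each finding marked "predicted vulnerable?" by the tool and "actually vulnerable?" by a reviewer) in the same proportions as the slide (TP = 100, FP = 10, FN = 5, TN = 50), and accuracy, precision and false positive rate are derived from it. Recall is included as well, beyond what the slide lists, because for a security tool the missed vulnerabilities (FN) matter at least as much as the false alarms.

```python
"""Added example: confusion matrix and derived metrics for SAST triage results."""
from collections import Counter


def confusion_matrix(predicted, actual):
    """predicted/actual: parallel sequences of booleans (True = 'vulnerable')."""
    counts = Counter(zip(predicted, actual))
    return {
        "TP": counts[(True, True)],     # tool said vulnerable, reviewer agreed
        "FP": counts[(True, False)],    # tool said vulnerable, reviewer disagreed
        "FN": counts[(False, True)],    # tool stayed silent on a real vulnerability
        "TN": counts[(False, False)],   # tool stayed silent, correctly
    }


def metrics(cm):
    """The slide's three rates plus recall; guarded against empty denominators."""
    total = sum(cm.values())
    predicted_yes = cm["TP"] + cm["FP"]
    actual_no = cm["FP"] + cm["TN"]
    actual_yes = cm["TP"] + cm["FN"]
    return {
        "accuracy": (cm["TP"] + cm["TN"]) / total if total else 0.0,
        "precision": cm["TP"] / predicted_yes if predicted_yes else 0.0,
        "false_positive_rate": cm["FP"] / actual_no if actual_no else 0.0,
        "recall": cm["TP"] / actual_yes if actual_yes else 0.0,
    }


def sample_triage():
    """Constructed triage outcomes in the slide's proportions (165 findings)."""
    predicted, actual = [], []
    for pred, act, n in [(True, True, 100), (True, False, 10),
                         (False, True, 5), (False, False, 50)]:
        predicted += [pred] * n
        actual += [act] * n
    return predicted, actual


if __name__ == "__main__":
    cm = confusion_matrix(*sample_triage())
    print(cm)
    for name, value in metrics(cm).items():
        print(f"{name:>20}: {value:.2%}")
```

With the slide's numbers this yields 91% accuracy, 91% precision and a 17% false positive rate; recall comes out at about 95%, i.e. 5 of 105 real vulnerabilities were missed.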
Consider accuracy and precision when evaluating static analysis
✓ Low accuracy / low precision are typically acceptable with small teams and low complexity
✓ Higher accuracy and precision let you automate more
threats can be identified and mitigations can be prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what defenses need to be included, given the most likely attack vectors and the assets most desired by an attacker.
points available to attackers?
2. Asset Targets
What are the assets in which an attacker may be interested? What is the business impact if they are compromised?
3. Rank and Prioritise
Rank the entry points in order of value for an attacker.
Org)
• Custom Feature B (Partner Community)
• Custom Feature C (Customer Community)
• Custom Feature D (Knowledge Base)
Asset Targets
• Personal Data (PII)
• Transaction History
• Confidential Information

Entry Point   Assets                     Score
Feature A     -                          1
Feature B     Confidential Information   2
Feature C     PII, Transaction History   3
Feature D     -                          1

→ We can ignore any vulnerabilities in features A, D
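The three steps (entry points, asset targets, rank and prioritise) as an added example that is not from the slides: the worked table is encoded as data, a scoring rule produces the ranking, and the ranking is then used for what the slide's conclusion implies, deciding which SAST findings deserve attention first. The scoring rule (1 point for any reachable entry point plus 1 per asset) and the equal asset weights are assumptions chosen so that the scores match the table; the findings list is constructed.

```python
"""Added example: threat-model entry point scoring used to prioritise findings."""

# Step 2: asset targets. Weights are an assumption; a real model would weight
# by business impact (regulatory exposure, revenue, reputation).
ASSET_WEIGHT = {"PII": 1, "Transaction History": 1, "Confidential Information": 1}

# Step 1: entry points and the assets each one can reach (from the slide's table).
ENTRY_POINTS = {
    "Feature A": [],
    "Feature B": ["Confidential Information"],
    "Feature C": ["PII", "Transaction History"],
    "Feature D": [],
}


def score(assets, weights=ASSET_WEIGHT):
    """Assumed rule: 1 for being an entry point at all, plus the weight of each asset reached."""
    return 1 + sum(weights[asset] for asset in assets)


def rank_entry_points(entry_points):
    """Step 3: entry points ordered by attacker value (ties keep insertion order)."""
    scored = [(name, score(assets)) for name, assets in entry_points.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def in_scope(entry_points, min_score=2):
    """Entry points worth reviewing: anything that actually reaches an asset.
    With the slide's data this drops Features A and D, as the slide concludes."""
    return [name for name, s in rank_entry_points(entry_points) if s >= min_score]


# Constructed SAST findings, each tagged with the feature (entry point) it lives in.
FINDINGS = [
    {"id": "F-1", "feature": "Feature D", "issue": "SOQL injection via Database.query()"},
    {"id": "F-2", "feature": "Feature C", "issue": "Missing FLS check on a PII field"},
    {"id": "F-3", "feature": "Feature B", "issue": "Reflected XSS in Visualforce page"},
    {"id": "F-4", "feature": "Feature A", "issue": "Unbounded query in list view"},
]


def prioritise_findings(findings, entry_points):
    """Order findings by the score of the entry point they sit in, highest first."""
    scores = dict(rank_entry_points(entry_points))
    ranked = sorted(findings, key=lambda f: scores[f["feature"]], reverse=True)
    return [(f["id"], f["feature"], scores[f["feature"]]) for f in ranked]


if __name__ == "__main__":
    print("ranking:", rank_entry_points(ENTRY_POINTS))
    print("in scope:", in_scope(ENTRY_POINTS))
    for fid, feature, s in prioritise_findings(FINDINGS, ENTRY_POINTS):
        print(f"{fid} ({feature}, score {s})")
```

Note that the same SOQL injection finding lands at the bottom of the list purely because of where it sits; the threat model, not the vulnerability class, decides the order, which is the point of doing the modeling before the scan rather than after.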
✓ Retire.js
Good Reads
✓ World Economic Forum’s Global Risk Report
✓ Equifax's Data Breach Costs Hit $1.4 Billion
✓ The State of the Octoverse
Learning Resources
✓ Threat Modeling (OWASP)
✓ Threat Modeling 101 (Video)
✓ Sources and Sinks (Video)
✓ Trailhead: Security for Lightning Components
✓ Trailhead: Threat Prevention and Response
✓ Trailhead: Get Started with App Security