DevSecOps: an introduction for Salesforce developers

DevSecOps: an introduction for Salesforce developers

A quick tour of 4 fundamental concepts every Salesforce developer and architect needs to understand to add security and secure development to a DevOps operating model.


Lorenzo Frattini

July 21, 2020


  1. DevSecOps: an introduction for Salesforce developers and architects Lorenzo Frattini

  2. Before we start ✓ Not your typical Salesforce developer talk

    ✓ We’ll tour of some key questions and concepts every architect must understand ✓ I’ll share some of my work on DevSecOps for Salesforce My assumptions: ✓ You are a Salesforce developer or architect ✓ You have some awareness of secure development concepts
  3. My story About me ✓ 15 years in Professional Services

    Delivery (8 on Salesforce) ✓ Salesforce Certified Technical Architect since 2016 ✓ Formerly CTO of a Salesforce Platinum Consulting Partner ✓ Founded Clayton in 2018 Why I started Clayton ✓ Thought SAST for Salesforce was broken (inaccurate, clunky) ✓ I wanted a developer-centric, modern way to do security
  4. My work What we do at Clayton? ✓ Automated code

    reviews for Salesforce ✓ We help Salesforce teams ship faster and worry less ✓ 500 million lines of code processed on a typical day How are we different from other static analysis? ✓ High-precision ✓ Scan anything (Apex, LWC, Aura, Visualforce, Flows, etc.) ✓ Source-driven
  5. Why should I care about security?

  6. The Equifax Breach (2017) The breach ✓ 147,000 credit card

    numbers compromised ✓ $1.4 B estimated damage How it happened ✓ Attackers exploited a known vulnerability in Apache Struts (CVE-2017-5638) ✓ The vulnerability was already fixed upstream ✓ The application was using a vulnerable version of the library
  7. Our research Security in the Salesforce Ecosystem 20% professionals with

    no recent security training 33% teams don’t check security before release 66% Salesforce orgs have critical security problems 68% experts who believe security risks are underestimated
  8. What most people think ✓ AppExchange Security Review What I

    believe ✓ Cyber-attacks are in top 10 global risks according to World Economic Forum ✓ More information in the cloud = more valuable assets to acquire ✓ Apex is not secure by default ✓ More breaches will eventually happen Arguments for promoting security
  9. What is DevSecOps?

  10. Target Operating Model Key Ideas ✓ Release continuously ✓ Automate,

    automate, automate ✓ Repository-centric Adding Security to DevOps ✓ Plan (threat modelling) ✓ Code, Build (SAST) ✓ Test (Pentests, IAST) ✓ Monitor (Crowdsourced Security)
  11. What is a security vulnerability?

  12. Security Vulnerability An unintended flaw in software code that leaves

    it open to the potential for exploitation (unauthorized access or malicious behavior).
  13. Salesforce-related vulnerabilities ✓ SOQL/SOSL Injections ✓ Cross-Site Scripting (XSS) ✓

    Cross-Site Request Forgery (CSRF) ✓ Insecure DOR ✓ CRUD/FLS Violations ✓ ...
  14. Sources and sinks How to catch a vulnerability?

  15. Sources and sinks Source ✓ Any entry point for data

    that is not trustworthy ✓ Any user-controlled input ✓ Data from the database Sink ✓ A place in your code where untrusted data could do something bad ✓ Dangerous functions ✓ Exploitable targets ✓ E.g. Database.query()
  16. Spot the deadly bug!

  17. Sources and sinks: pro tips ✓ You should code review

    during code, build and before release ✓ If at least one path connects any source to any sink → security vulnerability ✓ Sources/Sinks may be found in separate source files → call traversal ✓ Paths are invisible to linters (PMD, Eslint, etc.) → they can’t “follow” your code
  18. Vulnerable third-party components Is open source secure?

  19. Using Open Source The good part ✓ There are countless

    reasons to love open source ✓ 100 million open source projects on GitHub in 2018 The risky part ✓ On the average project, 60% of the code is from open source components ✓ Attackers like exploiting open source vulnerabilities ✓ Most teams don’t keep components up-to-date with security patches ✓ Using components with known vulnerabilities is now an “OWASP Top 10”
  20. Vulnerable components and Salesforce ✓ Third-party JS components typically used

    in Visualforce, Aura ✓ Using third-party components is discouraged, but still possible with LWC / Lightning Locker ✓ Most likely exploitability via JS code injection (XSS) ✓ Not picked up by the Security Scanner (Checkmarx) ✓ Static Resource Bundles may not be picked up by Retire.js, Snyk, etc.
  21. Demo What we are building

  22. Confusion Matrix How good is your bug detection?

  23. Confusion Matrix ✓ Concept used in machine learning and classification

    tasks ✓ Useful way to compare predicted values to actual values ✓ Easy way to understand effectiveness of a classifier, SAST, etc. ✓ Accuracy, Precision, False Positive Rates can be calculated from Confusion Matrix
  24. Example Accuracy How often is the algorithm correct? (TP +

    TN) / Total = (100 + 50) / 165 = 0.91 = 91% Precision When it predicts yes, how often is correct? TP / predicted yes = 100/110 = 0.91 = 91% False Positive Rate When it’s actually no, how often does it predict yes? FP / actual no = 10/60 = 0.17 = 17%
  25. Pro-tips ✓ Don’t be fooled by number of rules ✓

    Consider accuracy and precision when evaluating static analysis ✓ Low accuracy / low precision are typically acceptable with small teams and low complexity ✓ Higher accuracy and precision let you automate more
  26. Threat modelling Are all vulnerabilities equally bad?

  27. Threat Modelling Threat modeling is a process by which potential

    threats can be identified and mitigations can be prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what defenses need to be included, given the most likely attack vectors, and the assets most desired by an attacker.
  28. Threat Modelling 101 1. Entry Points What are the entry

    points available to attackers? 2. Asset Targets What are the assets in which an attacker may be interested? What is the business impact if they are compromised? 3. Rank and Prioritise Rank the entry points in order of value for an attacker.
  29. A simple example Entry Points • Custom Feature A (Internal

    Org) • Custom Feature B (Partner Community) • Custom Feature C (Customer Community • Custom Feature D (Knowledge Base) Assets Targets • Personal Data (PII) • Transaction History • Confidential Information Entry Point Assets Score Feature A - 1 Feature B Confidential Information 2 Feature C PII, Transaction History 3 Feature D - 1 → We can ignore any vulnerabilities in features A, D
  30. Thank you Feel free to connect @lofrattini

  31. Resources Useful Tools ✓ Clayton: AI-powered code reviews for Salesforce

    ✓ Retire.js Good Reads ✓ World Economic Forum’s Global Risk Report ✓ Equifax's Data Breach Costs Hit $1.4 Billion ✓ The State of the Octoverse Learning Resources ✓ Threat Modeling (OWASP) ✓ Threat Modeling 101 (Video) ✓ Sources and Sinks (Video) ✓ Trailhead: Security for Lighting Components ✓ Trailhead: Threat Prevention and Response ✓ Trailhead: Get Started with App Security