DevSecOps: an introduction for Salesforce developers and architects Lorenzo Frattini @lofrattini getclayton.com 

Before we start ✓ Not your typical Salesforce developer talk ✓ We’ll tour of some key questions and concepts every architect must understand ✓ I’ll share some of my work on DevSecOps for Salesforce My assumptions: ✓ You are a Salesforce developer or architect ✓ You have some awareness of secure development concepts 

My story About me ✓ 15 years in Professional Services Delivery (8 on Salesforce) ✓ Salesforce Certified Technical Architect since 2016 ✓ Formerly CTO of a Salesforce Platinum Consulting Partner ✓ Founded Clayton in 2018 Why I started Clayton ✓ Thought SAST for Salesforce was broken (inaccurate, clunky) ✓ I wanted a developer-centric, modern way to do security 

My work What we do at Clayton? ✓ Automated code reviews for Salesforce ✓ We help Salesforce teams ship faster and worry less ✓ 500 million lines of code processed on a typical day How are we different from other static analysis? ✓ High-precision ✓ Scan anything (Apex, LWC, Aura, Visualforce, Flows, etc.) ✓ Source-driven 

Why should I care about security? 

The Equifax Breach (2017) The breach ✓ 147,000 credit card numbers compromised ✓ $1.4 B estimated damage How it happened ✓ Attackers exploited a known vulnerability in Apache Struts (CVE-2017-5638) ✓ The vulnerability was already fixed upstream ✓ The application was using a vulnerable version of the library 

Our research Security in the Salesforce Ecosystem 20% professionals with no recent security training 33% teams don’t check security before release 66% Salesforce orgs have critical security problems 68% experts who believe security risks are underestimated 

What most people think ✓ AppExchange Security Review What I believe ✓ Cyber-attacks are in top 10 global risks according to World Economic Forum ✓ More information in the cloud = more valuable assets to acquire ✓ Apex is not secure by default ✓ More breaches will eventually happen Arguments for promoting security 

What is DevSecOps? 

Target Operating Model Key Ideas ✓ Release continuously ✓ Automate, automate, automate ✓ Repository-centric Adding Security to DevOps ✓ Plan (threat modelling) ✓ Code, Build (SAST) ✓ Test (Pentests, IAST) ✓ Monitor (Crowdsourced Security) 

What is a security vulnerability? 

Security Vulnerability An unintended flaw in software code that leaves it open to the potential for exploitation (unauthorized access or malicious behavior). 

Salesforce-related vulnerabilities ✓ SOQL/SOSL Injections ✓ Cross-Site Scripting (XSS) ✓ Cross-Site Request Forgery (CSRF) ✓ Insecure DOR ✓ CRUD/FLS Violations ✓ ... 

Sources and sinks How to catch a vulnerability? 

Sources and sinks Source ✓ Any entry point for data that is not trustworthy ✓ Any user-controlled input ✓ Data from the database Sink ✓ A place in your code where untrusted data could do something bad ✓ Dangerous functions ✓ Exploitable targets ✓ E.g. Database.query() 

Spot the deadly bug! 

Sources and sinks: pro tips ✓ You should code review during code, build and before release ✓ If at least one path connects any source to any sink → security vulnerability ✓ Sources/Sinks may be found in separate source files → call traversal ✓ Paths are invisible to linters (PMD, Eslint, etc.) → they can’t “follow” your code 

Vulnerable third-party components Is open source secure? 

Using Open Source The good part ✓ There are countless reasons to love open source ✓ 100 million open source projects on GitHub in 2018 The risky part ✓ On the average project, 60% of the code is from open source components ✓ Attackers like exploiting open source vulnerabilities ✓ Most teams don’t keep components up-to-date with security patches ✓ Using components with known vulnerabilities is now an “OWASP Top 10” 

Vulnerable components and Salesforce ✓ Third-party JS components typically used in Visualforce, Aura ✓ Using third-party components is discouraged, but still possible with LWC / Lightning Locker ✓ Most likely exploitability via JS code injection (XSS) ✓ Not picked up by the Force.com Security Scanner (Checkmarx) ✓ Static Resource Bundles may not be picked up by Retire.js, Snyk, etc. 

Demo What we are building getclayton.com 

Confusion Matrix How good is your bug detection? 

Confusion Matrix ✓ Concept used in machine learning and classification tasks ✓ Useful way to compare predicted values to actual values ✓ Easy way to understand effectiveness of a classifier, SAST, etc. ✓ Accuracy, Precision, False Positive Rates can be calculated from Confusion Matrix 

Example Accuracy How often is the algorithm correct? (TP + TN) / Total = (100 + 50) / 165 = 0.91 = 91% Precision When it predicts yes, how often is correct? TP / predicted yes = 100/110 = 0.91 = 91% False Positive Rate When it’s actually no, how often does it predict yes? FP / actual no = 10/60 = 0.17 = 17% 

Pro-tips ✓ Don’t be fooled by number of rules ✓ Consider accuracy and precision when evaluating static analysis ✓ Low accuracy / low precision are typically acceptable with small teams and low complexity ✓ Higher accuracy and precision let you automate more 

Threat modelling Are all vulnerabilities equally bad? 

Threat Modelling Threat modeling is a process by which potential threats can be identified and mitigations can be prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what defenses need to be included, given the most likely attack vectors, and the assets most desired by an attacker. 

Threat Modelling 101 1. Entry Points What are the entry points available to attackers? 2. Asset Targets What are the assets in which an attacker may be interested? What is the business impact if they are compromised? 3. Rank and Prioritise Rank the entry points in order of value for an attacker. 

A simple example Entry Points ● Custom Feature A (Internal Org) ● Custom Feature B (Partner Community) ● Custom Feature C (Customer Community ● Custom Feature D (Knowledge Base) Assets Targets ● Personal Data (PII) ● Transaction History ● Confidential Information Entry Point Assets Score Feature A - 1 Feature B Confidential Information 2 Feature C PII, Transaction History 3 Feature D - 1 → We can ignore any vulnerabilities in features A, D 

Thank you Feel free to connect @lofrattini getclayton.com 

Resources Useful Tools ✓ Clayton: AI-powered code reviews for Salesforce ✓ Retire.js Good Reads ✓ World Economic Forum’s Global Risk Report ✓ Equifax's Data Breach Costs Hit $1.4 Billion ✓ The State of the Octoverse Learning Resources ✓ Threat Modeling (OWASP) ✓ Threat Modeling 101 (Video) ✓ Sources and Sinks (Video) ✓ Trailhead: Security for Lighting Components ✓ Trailhead: Threat Prevention and Response ✓ Trailhead: Get Started with App Security