
Security

Overview
Protecting the privacy of customer data and maintaining trust are salesforce.com's core values. The Force.com platform has numerous built-in security features and protections that org administrators and developers can use. In addition, a number of free security resources are available to assist developers with the education, design and development of their applications.

Cheat Sheet
ESAPI Functions (Force.com)

SFDCAccessController Class
ESAPI security library for Force.com, available at http://code.google.com/p/force-dot-com-esapi. Provides access control functionality to enforce CRUD/FLS and sharing in the Force.com platform.
  setSharingMode(): Configures the library to operate with sharing, without sharing, or to inherit sharing.
  setOperationMode(): Configures the library to require that all operations be successful, or to omit changes for which the user does not have access.
  insertAsUser(): Insert objects while respecting the user's access rights.
  updateAsUser(): Update objects while respecting the user's access rights.
  deleteAsUser(): Delete objects while respecting the user's access rights.
  getViewableFields(): Return a list of object fields that are viewable by the current user.
  getUpdateableFields(): Return a list of object fields that are updateable by the current user.
  getCreatableFields(): Return a list of object fields that are creatable by the current user.

SFDCEncoder Class
Provides text escaping functions for Force.com.
  SFDC_JSENCODE: Escapes data for use in JavaScript quoted strings.
  SFDC_JSINHTMLENCODE: Escapes data for use in JavaScript quoted strings that will be used in HTML tags.
  SFDC_HTMLENCODE: Escapes data for use in HTML tags.
  SFDC_URLENCODE: Escapes data for use in URLs according to RFC 3986 syntax.

Sharing Keywords (Force.com)
Controls record-level security to data.
  with sharing: Operate with the calling user's sharing rights. Recommended.
  without sharing: Operate without the calling user's sharing rights. Generally only recommended for classes doing reporting or data aggregation.
  <unspecified sharing>: Inherit sharing from the calling class. Not recommended for Visualforce controllers or web services.

CRUD (Create, Read, Update, Delete) Describe Calls (Force.com)
Controls object-level security to data.
  isCreateable(): Returns true if instances of this object can be created by the current user, false otherwise.
  isAccessible(): Returns true if the current user can see instances of this object type, false otherwise.
  isUpdateable(): Returns true if instances of this object can be updated by the current user, false otherwise.
  isDeleteable(): Returns true if instances of this object can be deleted by the current user, false otherwise.

FLS (Field Level Security) Describe Calls (Force.com)
Controls access to object fields.
  isCreateable(): Returns true if the field can be created by the current user, false otherwise.
  isAccessible(): Returns true if the current user can see this field, false otherwise.
  isUpdateable(): Returns true if the field can be edited by the current user, false otherwise.
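The sharing keyword, CRUD describe calls and FLS describe calls above work together; the following Apex class is an added example (not code from the cheat sheet or the ESAPI project) that gates both a write and a read on them. Ticket__c, Subject__c and Severity__c are hypothetical names assumed for the example.

```apex
// Added example, not code from the cheat sheet or the ESAPI project. Enforces CRUD and FLS
// with describe calls before DML, and relies on `with sharing` for record-level access.
// Ticket__c, Subject__c and Severity__c are hypothetical names for this example.
public with sharing class TicketService {

    // Fields a caller is allowed to supply; each is still filtered by FLS below.
    private static final List<String> WRITABLE =
        new List<String>{ 'Subject__c', 'Severity__c' };

    public static Id createTicket(Map<String, Object> values) {
        Schema.DescribeSObjectResult objDesc = Ticket__c.SObjectType.getDescribe();
        // CRUD check: can this user create Ticket__c records at all?
        if (!objDesc.isCreateable()) {
            throw new System.NoAccessException();
        }
        Map<String, Schema.SObjectField> fields = objDesc.fields.getMap();
        Ticket__c t = new Ticket__c();
        for (String name : WRITABLE) {
            if (!values.containsKey(name)) continue;
            // FLS check: drop any field the user may not create (ESAPI's insertAsUser()
            // performs the same filtering when the operation mode allows omitting changes)
            if (fields.get(name).getDescribe().isCreateable()) {
                t.put(name, values.get(name));
            }
        }
        insert t;   // with sharing: DML honours the caller's sharing rules
        return t.Id;
    }

    public static List<Ticket__c> listTickets() {
        Schema.DescribeSObjectResult objDesc = Ticket__c.SObjectType.getDescribe();
        Map<String, Schema.SObjectField> fields = objDesc.fields.getMap();
        // CRUD and FLS read checks before exposing any data
        if (!objDesc.isAccessible()
            || !fields.get('Subject__c').getDescribe().isAccessible()
            || !fields.get('Severity__c').getDescribe().isAccessible()) {
            throw new System.NoAccessException();
        }
        // with sharing: the query only returns records the caller can see
        return [SELECT Id, Subject__c, Severity__c FROM Ticket__c LIMIT 200];
    }
}
```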

Crypto Library (Force.com)
Provides standard algorithms for creating digests, message authentication codes, and signatures, as well as encrypting and decrypting information using AES. Encryption keys should be stored securely within a Protected Custom Setting.
  encrypt(): Encrypts the blob clearText using the specified algorithm, private key, and initialization vector. Use this method when you want to specify your own initialization vector.
  encryptWithManagedIV(): Encrypts the blob clearText using the specified algorithm and private key. Use this method when you want salesforce.com to generate the initialization vector for you.
  decrypt(): Decrypts the blob cipherText using the specified algorithm, private key, and initialization vector.
  decryptWithManagedIV(): Decrypts the blob IVAndCipherText using the specified algorithm and private key. Use this method to decrypt blobs encrypted using the encryptWithManagedIV method.
  generateAesKey(): Generates an AES key of the specified size.
  generateDigest(): Computes a one-way hash digest based on the input string and algorithm.
  generateMac(): Computes a message authentication code (MAC) for the input string, using the private key and the specified algorithm.
  getRandomInteger(): Returns a random Integer.
  getRandomLong(): Returns a random Long.
  sign(): Computes a unique digital signature for the input string, using the supplied private key and the specified algorithm.

Visualforce Escaping Functions (Force.com)
Server-side functions to escape data to prevent cross-site scripting.
Example: <html><head><title>{!HTMLENCODE($Request.title)}</title></head></html>
  JSENCODE: Escapes data for use in JavaScript quoted strings.
  JSINHTMLENCODE: Escapes data for use in JavaScript quoted strings that will be used in HTML tags.
  HTMLENCODE: Escapes data for use in HTML tags.
  URLENCODE: Escapes data for use in URLs according to RFC 3986 syntax.
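The Crypto library entry above recommends keeping the key in a Protected Custom Setting and using the managed-IV methods; this added Apex example (not code from the cheat sheet) puts the two together, and also shows the getOrgDefaults() custom setting call in use. CryptoKeys__c and its AesKey__c text field are hypothetical names for a protected hierarchy custom setting assumed by the example.

```apex
// Added example, not code from the cheat sheet. AES-256 with a Salesforce-managed IV;
// the key lives in a protected custom setting instead of in source.
// CryptoKeys__c (protected hierarchy setting) and AesKey__c (text, base64 key)
// are hypothetical names assumed for this example.
public with sharing class SecretStore {

    public class SecretStoreException extends Exception {}

    // Read the org-wide key: getOrgDefaults() applies to hierarchy custom settings.
    private static Blob loadKey() {
        CryptoKeys__c cfg = CryptoKeys__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.AesKey__c)) {
            throw new SecretStoreException('AES key is not configured');
        }
        return EncodingUtil.base64Decode(cfg.AesKey__c);
    }

    // One-time setup by an administrator: generate a 256-bit key and store it
    // base64-encoded in the protected setting (never in code or a public setting).
    public static void provisionKey() {
        CryptoKeys__c cfg = CryptoKeys__c.getOrgDefaults();
        cfg.AesKey__c = EncodingUtil.base64Encode(Crypto.generateAesKey(256));
        upsert cfg;
    }

    // Returns base64(IV || ciphertext). The platform picks a fresh random IV
    // on every call, so two encryptions of the same text differ.
    public static String seal(String clearText) {
        Blob ivAndCipher = Crypto.encryptWithManagedIV(
            'AES256', loadKey(), Blob.valueOf(clearText));
        return EncodingUtil.base64Encode(ivAndCipher);
    }

    // Reverse of seal(): decryptWithManagedIV() reads the IV prefix itself.
    public static String open(String sealed) {
        Blob clear = Crypto.decryptWithManagedIV(
            'AES256', loadKey(), EncodingUtil.base64Decode(sealed));
        return clear.toString();
    }
}
```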

http://developer.force.com

Custom Setting Methods
Special objects that support a "protected" mode for storing sensitive information like encryption keys.
  getAll(): Returns a map of the data sets defined for the custom setting. List custom settings only.
  getInstance(): Returns the "lowest level" custom setting data set for the specified dataset name, user ID, profile ID, or current user (depending on parameters and setting type). Identical to getValues() for List custom settings.
  getValues(): Returns only the custom setting data set for the specified dataset name, user ID, profile ID, or current user (depending on parameters and setting type).
  getOrgDefaults(): Returns the custom setting data set for the organization. Hierarchy custom settings only.

Session Settings
Controls available for general session handling settings, including session timeout. These settings can be found under Setup | Security Controls | Session Settings.
  Timeout value
    Description: Idle session time after which the user is automatically logged out of Salesforce.
    Recommended: 30 minutes
  Disable session timeout warning popup
    Description: Disable the warning browser pop-up when a user is about to be logged out by the idle session timeout.
    Recommended: Yes
  Lock sessions to the IP address from which they originate
    Description: Force the user session to remain locked to the IP address from which the user authenticated. May impact AppExchange installations.
    Recommended: Yes (if possible)
  Require secure connections (https)
    Description: Require HTTPS on all page requests.
    Recommended: Yes
  Enable caching and autocomplete on login page
    Description: Allow the user's browser to store and auto-complete usernames or passwords after first login.
    Recommended: No

Password Policies
Controls available for enabling password restrictions and account lockout settings. These settings can be found under Setup | Security Controls | Password Policies.
  User passwords expire in
    Description: Frequency at which passwords automatically expire.
    Recommended: 90 days
  Enforce password history
    Description: How many previous passwords to save to prevent password re-use.
    Recommended: 5 passwords remembered
  Minimum password length
    Description: Minimum length of a password.
    Recommended: 8 characters
  Password complexity requirement
    Description: Whether the password must contain a mix of letters and numbers.
    Recommended: Must mix alpha and numeric
  Password question requirement
    Description: Require that the user's password hint not contain the password.
    Recommended: Cannot contain password
  Maximum invalid login attempts
    Description: How many invalid logins are allowed before the account is locked out.
    Recommended: 5
  Lockout effective period
    Description: How long an account remains locked out.
    Recommended: 30 minutes

Auditing and Logging
Salesforce provides several types of audit logs for monitoring logins and changes to your organization.
  User Login History
    Location: Setup | Manage Users | Login History
    Description: All successful and failed login attempts are recorded and saved for 180 days.
  Setup Audit Trail
    Location: Setup | Security Controls | View Setup Audit Trail
    Description: Every configuration (Setup) change is logged and archived for 180 days.
  Object History Tracking
    Location: Setup | Customize | [object type] | Fields | Set History Tracking
    Description: Selected standard and custom fields can be enabled to track the change history.

Sensitive Permissions
When using profiles, we recommend reviewing profiles for these sensitive permissions. Permissions per profile can be viewed at Setup | Manage Users | Profiles.
  Author Apex: Can modify and deploy Apex. By default, Apex code runs with full administrative privileges.
  Customize Application: Make configuration changes to the organizational settings.
  Download AppExchange packages: Install or uninstall packages from the AppExchange.
  Manage Users: The ability to create or modify user accounts, including logins, sharing rules, and login restrictions.
  Modify All Data: This permission gives the user the ability to create, edit, or delete all data in Salesforce.
  Password Never Expires: Prevent the password from expiring.
  View All Data: View all data owned by other users.

Login and Authentication Settings
Login and authentication features and restrictions. These settings should be enabled as appropriate for your company.
  IP Address Restrictions
    Description: User logins can be restricted to a specific IP address or a range of IP addresses.
    Location: Setup | Security Controls | Network Access (everyone); Setup | Manage Users | Profiles (individual profiles)
  Time of Day Restrictions
    Description: User logins can be restricted to specified times of the day.
    Location: Setup | Manage Users | Profiles
  Single Sign-On Options
    Description: Enable delegated authentication or federated authentication via SAML.
    Location: Delegated Authentication: contact Support; Federated Authentication: Setup | Security Controls | Single Sign-On Settings

Secure Cloud Development Lifecycle

Education: Introduction to Force.com Security, Writing Secure Apps Training, Developer Security Quiz, Force.com Security Blog
Design: Self Assessment Tool, Book Office Hours
Development: Secure Coding Guidelines, Security Coding Library (ESAPI)
Testing: Force.com Security Source Scanner, Web Application Security Scanner
Release: AppExchange & OEM Security Review Process, Incident Response

Follow us on Twitter for the latest security updates: @SecureCloudDev

11/8/10
