The AppSecUSA conference held by the venerated OWASP group wrapped up last month, and some awesome videos of the presentations were shared on YouTube almost immediately. Here's the first one that caught my eye. It should give you some great ideas and actual tooling for maintaining a secure ecosystem of plugins or external offerings from other companies. Even if your ecosystem isn't similar to Salesforce's, definitely watch for the tooling descriptions. These tools can make security easy for the many developers who aren't security experts.
Here's the session description:
One of the biggest challenges in maintaining a cloud application ecosystem with software developed by Independent Software Vendors (ISVs) and developers is ensuring that data within that ecosystem stays secure. It's impossible for a centralized security team to be responsible for every ISV's product security, code maintenance, etc. - yet in the eyes of the public, responsibility for the ecosystem lies with that centralized team. With Chimera, we're trying to make that responsibility a little easier to share.
The Salesforce AppExchange has over 2,650 apps available and the majority of them connect to an external web service. Although these external systems are not under our control and are, to us, black boxes, we consider trust in the ecosystem of paramount importance and spend significant time and resources on ensuring the security of these apps. Even with rigorous security auditing and penetration testing by a large security team, that is a huge ecosystem to keep secure.
One of our main goals and missions is to be ambassadors and educators for good security practice to our ISV community as they develop on our platform. Many of these development teams are small groups if not individual developers. While none of them are trying to be insecure, relatively few of them have a security team or security experience.
The goal of Chimera is to make security scanning easier and more accessible for small developers and ISVs who don't have their own security engineers. Learn how we are using the Heroku platform to make ZAP and many other industry-standard tools available through the cloud, at scale and at the consumer level, with no security expertise required! We'll also discuss some of the tools we are building to make use of data collected by ZAP in the cloud to help predict where future vulnerabilities or exploits may occur within the scanned ecosystem.
Tim Bach, Product Security Engineer, Salesforce
Tim Bach is a Product Security Engineer at Salesforce, where he focuses on penetration tests of AppExchange partners and the research and development of security tools and automation. A firm believer that product security is a shared burden for all developers, engineers, and executives, much of his work revolves around making security tools and instrumentation available to and consumable by those who do not specialize in security.