How to Publish & Certify your App
Aarti Kumar & Shay Casey
AppExchange Partner Lifecycle
There are 3 steps in the process:
http://www.appexchange.com/abc
What is AppExchange Certification?
To list your commercial application on the AppExchange, we must certify that your application meets our requirements and best practices around security. This helps:
• Customers: have trust in third-party solutions that work with salesforce.com
• Partners: be successful in selling solutions that span multiple systems to salesforce.com customers
• salesforce.com: build a trustworthy AppExchange ecosystem
AppExchange Certification – What, When, Who?
What is reviewed?
• Qualitative security: policies and practices review
• Quantitative security: penetration testing
When is certification required?
• From March 15th, 2007, security certification is required for all new commercial applications
• Existing commercial applications that were not previously security certified must do so within this year
Who should be involved?
• Technical resources: architect, developer, IT resource, operations resource, information security resource, etc.
Application Elements
A given AppExchange application can have multiple components, each of which has its own certification requirements:
Runs entirely on the Apex Platform; certification not applicable:
• Native: no code, no external systems
• AJAX: AJAX S-control code only; excludes S-controls that communicate with external systems
Depends on services or software outside of Apex; certification available:
• Software: on-premise desktop or server software; includes browser plugins delivered as S-controls
• On Demand, Other Host: external service on an unmanaged host
• On Demand, Cert Host: external service on a managed host (Opsource, Rackspace); approved hosting providers using pre-certified configurations
Security Review Matrix
Application types (columns): Software; On Demand (Certified Host); On Demand
Review areas (rows): Network; Host; App; Ops
Review methods: Questionnaire; System Tests
Certification/Re-certification Process
1. Prepare
• Execute agreement and PO for $5K
• Determine the relevant questionnaire and tests for your app (Software, On Demand (Cert Host), On Demand)
• Organize resources / teams for the appropriate tests (Network vs App, etc.)
2. Test
• Execute dry run tests
• Attend interview conducted by Symantec or KPMG
• Conduct testing with your salesforce.com Certification Contact
3. Pass
• Receive Certification badge on listing
• Receive Client ID for deploying to Professional Edition users
Certification Process
Pass:
• All Qualitative question areas: no Medium or High warnings
• All Quantitative tests: no Medium or High warnings
Fail:
• Repeat the specific area of assessment (at additional cost), or repeat the entire assessment if remediation has broad impact
Sample Report
Finding 1
Risk: Shared Encryption Key Stored In Compiled Application. The key used to decrypt the Salesforce.com password is compiled into the application. In addition, the same encryption key is used for all customer installations.
Ease of Exploit: Sophisticated. An attacker would need to gain access to the target application servlet in order to decompile the servlet and compromise the encryption key. Note that existing clients could access their servlet to compromise the encryption key, but would need to gain access to another client’s application servlet to compromise that client’s Salesforce.com credentials.
Business Impact: High. It is possible that Salesforce.com authentication credentials could be compromised.
Recommendation: The encryption key used to decrypt Salesforce.com authentication credentials should be stored in a Java KeyStore (JKS). A JKS would provide defense-in-depth in case the application servlet is compromised. In addition, different encryption keys should be used for each customer installation.
Finding 2
Risk: Outdated Apache Version. The web server appears to be running a version of Apache that is not up to date.
Ease of Exploit: Trivial. There is at least one publicly available proof of concept; please refer to http://seclists.org/fulldisclosure/2004/Nov/0022.html (CVE-2004-0942).
Business Impact: High. A remote attacker may be able to cause a Denial of Service to the server. Apache version: 2.0.52. The tested configuration was not compromised during testing; the server should be upgraded to ensure future configurations are not vulnerable.
Recommendation: Upgrade to the latest version of Apache available from the Apache Foundation.
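The first finding and its recommendation, illustrated with an added Java example (not code from the presentation or from any partner application): the key is generated separately for each installation and kept in a password-protected keystore file instead of being compiled into the servlet. The keystore alias, file location and password are assumptions labelled in the comments; PKCS12 is used because a JKS-type keystore cannot hold a SecretKey entry.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CredentialKeyStorage {
    static final String ALIAS = "sfdc-credential-key"; // hypothetical keystore alias
    // One fresh AES key per installation, kept in a keystore file outside the compiled servlet.
    // JKS-type keystores hold only private keys and certificates, so PKCS12 is used for the SecretKey.
    static void createInstallationKey(File ksFile, char[] ksPassword) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start with an empty keystore
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(kg.generateKey()),
                    new KeyStore.PasswordProtection(ksPassword));
        try (OutputStream out = new FileOutputStream(ksFile)) { ks.store(out, ksPassword); }
    }
    static SecretKey loadInstallationKey(File ksFile, char[] ksPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(ksFile)) { ks.load(in, ksPassword); }
        KeyStore.Entry e = ks.getEntry(ALIAS, new KeyStore.PasswordProtection(ksPassword));
        return ((KeyStore.SecretKeyEntry) e).getSecretKey();
    }
    // AES-GCM; a fresh random 96-bit nonce is prepended to each ciphertext.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new java.security.SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array();
    }
    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    public static void main(String[] args) throws Exception {
        File ksFile = File.createTempFile("install", ".p12"); // one keystore per installation
        char[] pw = "password-from-deployment-config".toCharArray(); // constructed sample value
        createInstallationKey(ksFile, pw);
        SecretKey key = loadInstallationKey(ksFile, pw);
        byte[] blob = encrypt(key, "sfdc-password".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(key, blob), StandardCharsets.UTF_8));
    }
}
```

Decompiling one installation's servlet now yields neither the key nor anything useful against another customer, since each installation has its own key and the keystore password is never part of the shipped code.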
Test Detail: Network
• Questionnaire: firewall, IDS and NAT configuration; network access policies & procedures; log monitoring
• System Test: must pass Nessus with no medium or high warnings; tests for open ports, known vulnerabilities, SSL configuration, etc.; conduct a dry run test with Nessus or Qualys
Test Detail: Host
• Questionnaire: host configuration; access & password policies; patching & maintenance policies; physical security
• System Test: none
Test Detail: App
• Questionnaire: software development processes; common vulnerabilities (buffer overflow, cross-site scripting, SQL injection, etc.); app user & password management; Salesforce user & password management
• System Test: application penetration testing tools; authentication mechanism (e.g. password length); injection attacks (XSS, SQL)
Test Detail: Operations
• Questionnaire: HR (employee security policies & security training); business continuity; incident response; procedure documentation & change management
• System Test: none
Building your listing
Get to know the AppExchange Listing
Select the Setup for your Application listing
Build Your Application Listing
Frequently Asked Questions
Get to know the AppExchange Listing
Elements of a listing: Title, Abstract, TD / GIN (Test Drive / Get It Now buttons), Thumbnail, Additional Resources, Logo
Select the Setup for your Application
Demonstrate your application using: Test Drive or Demo
Distribute your application through: Get It Now, Learn More or Download
Demonstrate your Application through:
Test Drive
• Fully functional read-only version of the application
• Allows customers to “kick the tires”
• Presents data in a dynamic working environment
• Appropriate for all Native applications and some Composite applications
Demo
• For applications that are too complicated to demonstrate through a Test Drive
• Demonstrates the functionality of the application
• Walkthrough of the application: “A day in the life”
• Appropriate for some Composite applications and all Client applications
Demo – Suggested Format
1. Overview: quick introduction to the demo and a discussion of the value proposition.
2. Step by Step: show everyday use of the application. Outline the functionality a user will see and show it in action! How does your application interact with Salesforce.com? Do you create data in a custom object? Do you import leads? What are the steps that make this happen?
3. Additional info and conclusion
Additional Considerations in Building a Demo
• Market your demo toward Salesforce.com users
• Stay away from marketing your company
• Screenshots are a must!
• Remember: you only have 60 seconds to grab a customer’s attention.
Distribute your Application Through:
Get It Now
• Deploy your custom salesforce.com application at the click of a button
• Automatically install various elements ranging from Custom Tabs to pre-made dashboards
• Appropriate for all Native and Composite applications
Learn More
• For applications where an immediate installation is not available: hardware appliances, integration services, applications that require contact with direct sales or consulting services
• The Learn More landing page provides: additional information about the application, sales contact information, marketing directed towards a salesforce.com customer
• The “Get It Now” should be packaged and left private
Download
• For applications that install directly to the user’s desktop, or external services that do not use the salesforce.com interface
• Links to a landing page with more information about the download (not just a direct link to the file)
How do I enable these buttons?
By default only Get It Now and Test Drive are available for your listing
Other buttons (Demo, Learn More, Download) need to be enabled by salesforce.com
Email [email protected] for an evaluation of your application
Build Your Application Listing – Tips and Tricks!
Use the Listing Form as a Guide
• Use the form when writing your copy for the listing: log into www.appexchange.com and click on Edit for your listing
• You can now see the text limitations for each item
Title and Logo
• Title: the name of your product; it should not include “for AppExchange”
• Logo: your 60x60 record cover
Thumbnail and Screenshot
• Two separate files; the thumbnail is 160x115
Datasheet and Customization Guide
• Datasheet: two-page summary of key information
• Customization Guide: for applications that require additional setup or customization to function. A step-by-step walkthrough for System Admins covering: adding page layouts for standard salesforce.com objects and tabs; any steps that are needed to activate the application
Presentation
• Excellent supplement to a Test Drive
• Give the business value of your application
• Use any format
FAQ: I don’t have a listing!
• Log into the publisher area of https://www.salesforce.com/appexchange/publishing.jsp
• Native/Composite application: after you package and register your first version, you will see your listing in the Manage My Apps area.
• Client application: you will need to request a listing from support. Log in to the publisher area of www.appexchange.com, click Manage My Publisher Profile and create a profile, then click “Request Assistance” and log a case for a new listing.
FAQ: My publisher tab is blank!
• Your publisher profile needs to match the username associated with the profile you created.
• It will always be in the format of an email address, e.g. [email protected]
• Tip: when in doubt, after clicking Assign Publisher Profile just click My Publisher Profile