Posted 17-Jan-2018

Page 1: How to Publish & Certify your App Aarti Kumar & Shay Casey

How to Publish & Certify your App

Aarti Kumar & Shay Casey, [email protected]

Page 2

AppExchange Partner Lifecycle

There are 3 steps in the process:

http://www.appexchange.com/abc

Page 3

What is AppExchange Certification?

To list your commercial application on the AppExchange, we must certify that your application meets our requirements and best practices around security. This helps:

• Customers: have trust in third-party solutions that work with salesforce.com

• Partners: be successful in selling solutions that span multiple systems to salesforce.com customers

• salesforce.com: build a trustworthy AppExchange ecosystem

Page 4

AppExchange Certification – What, When, Who?

A review of:
• Qualitative security: policies and practices review
• Quantitative security: penetration testing

When is certification required?
• From March 15th, 2007 security certification is required for all new commercial applications
• Existing commercial applications that were not previously security certified must do so within this year

Who should be involved?
• Technical resources – architect, developer, IT resource, operations resource, information security resource etc

Page 5

Application Elements

A given AppExchange application can have multiple components, each of which has its own certification requirements:

• Native: no code, no external systems

• AJAX: AJAX S-control code only; excludes S-controls that communicate with external systems

• Software: on-premise desktop or server software; includes browser plugins delivered as S-controls

• On Demand (Other Host): external service, unmanaged host

• On Demand (Cert Host): external service, managed host (Opsource, Rackspace); approved hosting providers using pre-certified configurations

Native and AJAX components run entirely on the Apex Platform; certification is not applicable. Software and On Demand components depend on services or software outside of Apex; certification is available.

Page 6

Security Review Matrix

(Matrix slide; only the axes survive in the transcript.)

Application types (columns): Software; On Demand (Certified Host); On Demand

Review areas (rows): Network; Host; App; Ops

Cell contents: Questionnaire; System Tests

Page 7

Certification/Re-certification Process

1. Prepare
• Execute agreement and PO for $5K
• Determine relevant questionnaire and tests for your app (Software, On Demand (Cert Host), On Demand)
• Execute dry run tests

2. Test
• Attend interview conducted by Symantec or KPMG
• Organize resources / teams for appropriate tests (Network vs App, etc)
• Conduct testing with salesforce.com Certification Contact

3. Pass
• Receive Certification badge on listing
• Receive Client ID for deploying to Professional Edition users

Page 8

Certification Process

Pass
• All qualitative question areas: no Medium or High warnings
• All quantitative tests: no Medium or High warnings

Fail
• Repeat the specific area of assessment (at additional cost), or repeat the entire assessment if remediation has broad impact

Page 9

Sample Report

Report columns: Risk | Ease of Exploit | Business Impact | Recommendation

Finding 1: Shared Encryption Key Stored In Compiled Application

Risk: The key used to decrypt the Salesforce.com password is compiled into the application. In addition, the same encryption key is used for all customer installations.

Ease of Exploit: Sophisticated. An attacker would need to gain access to the target application servlet in order to decompile the servlet and compromise the encryption key. Note that existing clients could access their servlet to compromise the encryption key, but would need to gain access to another client’s application servlet to compromise that client’s Salesforce.com credentials.

Business Impact: High. It is possible that Salesforce.com authentication credentials could be compromised.

Recommendation: The encryption key used to decrypt Salesforce.com authentication credentials should be stored in a Java KeyStore (JKS). A JKS would provide defense-in-depth in case the application servlet is compromised. In addition, different encryption keys should be used for each customer installation.

Finding 2: Outdated Apache Version

Risk: The web server appears to be running a version of Apache that is not up to date.

Ease of Exploit: Trivial. There is at least one publicly available proof of concept. Please refer to: http://seclists.org/fulldisclosure/2004/Nov/0022.html (CVE-2004-0942).

Business Impact: High. A remote attacker may be able to cause a Denial of Service to the server. Apache version: 2.0.52. The tested configuration was not compromised during testing. The server should be upgraded to ensure that future configurations are not vulnerable.

Recommendation: Upgrade to the latest version of Apache available from the Apache Foundation.
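The first finding and its recommendation, worked through as an added example; this is not code from the deck, from Salesforce, or from any reviewed application. Go with AES-256-GCM stands in for the Java servlet and JKS of the report, the in-memory keystore stands in for a real key store (an assumption for the example), and the installation names and credential are constructed. It shows the blast-radius question the reviewers raise: with one compiled-in key, any installation's key opens every other installation's stored credential; with a per-installation key held outside the binary, it does not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sharedKey models the finding: one AES-256 key compiled into every
// customer's build. Constructed value, used only to show the problem.
var sharedKey = []byte("0123456789abcdef0123456789abcdef")

// keystore models the recommendation: keys kept outside the binary with a
// separate entry per customer installation. A Java KeyStore would fill this
// role in a servlet; an in-memory map stands in for it here (assumption).
type keystore map[string][]byte

// newKeystore generates an independent random key for each installation.
func newKeystore(installations ...string) (keystore, error) {
	ks := keystore{}
	for _, inst := range installations {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		ks[inst] = key
	}
	return ks, nil
}

// seal encrypts a stored Salesforce credential with AES-256-GCM and
// prefixes the random nonce to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; GCM's authentication tag check fails on a wrong key.
func unseal(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// crossInstallationDecrypts reports whether a credential sealed under the
// key of installation a can be opened with the key held by installation b.
func crossInstallationDecrypts(ks keystore, a, b string, credential []byte) (bool, error) {
	blob, err := seal(ks[a], credential)
	if err != nil {
		return false, err
	}
	_, err = unseal(ks[b], blob)
	return err == nil, nil
}

func main() {
	credential := []byte("sfdc-password-for-acme") // constructed sample secret
	shared := keystore{"acme": sharedKey, "globex": sharedKey}
	leaks, _ := crossInstallationDecrypts(shared, "acme", "globex", credential)
	fmt.Println("shared compiled-in key: globex can decrypt acme's credential =", leaks)

	perInstall, err := newKeystore("acme", "globex")
	if err != nil {
		panic(err)
	}
	leaks, _ = crossInstallationDecrypts(perInstall, "acme", "globex", credential)
	fmt.Println("per-installation keys:  globex can decrypt acme's credential =", leaks)
}
```

Keeping the key out of the binary is what the JKS recommendation buys; the per-installation part is what limits the damage when one customer's servlet is decompiled, because the recovered key is useless against every other customer's stored credentials.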

Page 10

Test Detail: Network

Questionnaire
• Firewall, IDS and NAT configuration
• Network access policies & procedures
• Log monitoring

System Test
• Must pass Nessus with no medium or high warnings
• Test for open ports, known vulnerabilities, SSL config, etc
• Conduct dry run test with Nessus or Qualys
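An added example, not from the deck and not from Nessus or Qualys, of applying the pass criterion from pages 8 and 10 to a dry-run scan before the paid assessment: a Go gate over a scanner export that fails on any Medium or High finding and lists what to fix first. The CSV layout, the host and the findings are constructed (the Apache 2.0.52 line mirrors the sample report); unrecognised severity labels are rejected rather than silently passed, and Critical is treated as blocking on the assumption that the same rule covers it.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// sampleScanCSV is a constructed stand-in for a scanner export; the column
// layout is an assumption for this example, not the Nessus or Qualys format.
const sampleScanCSV = `host,port,severity,finding
app1.example.test,22,Info,SSH service detected
app1.example.test,443,Low,TLS certificate expires within 90 days
app1.example.test,80,High,Apache 2.0.52 vulnerable to CVE-2004-0942 denial of service
app1.example.test,8080,Medium,Directory listing enabled
`

type finding struct {
	Host, Port, Severity, Name string
}

// severityRank orders scanner severities. Info and Low pass; Medium and
// above block, which is the deck's "no Medium or High warnings" rule.
// Critical is not in the deck; treating it as blocking is an assumption.
var severityRank = map[string]int{"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

// parseFindings reads the export and rejects any severity it cannot rank,
// so an unfamiliar label fails loudly instead of slipping past the gate.
func parseFindings(export string) ([]finding, error) {
	rows, err := csv.NewReader(strings.NewReader(export)).ReadAll()
	if err != nil {
		return nil, err
	}
	var out []finding
	for i, r := range rows {
		if i == 0 {
			continue // header row
		}
		if len(r) != 4 {
			return nil, fmt.Errorf("row %d: expected 4 columns, got %d", i, len(r))
		}
		if _, ok := severityRank[strings.ToLower(r[2])]; !ok {
			return nil, fmt.Errorf("row %d: unknown severity %q", i, r[2])
		}
		out = append(out, finding{Host: r[0], Port: r[1], Severity: r[2], Name: r[3]})
	}
	return out, nil
}

// gate applies the certification criterion and returns the blocking
// findings, highest severity first, so the list is ready for remediation.
func gate(findings []finding) (pass bool, blocking []finding) {
	for _, f := range findings {
		if severityRank[strings.ToLower(f.Severity)] >= severityRank["medium"] {
			blocking = append(blocking, f)
		}
	}
	sort.SliceStable(blocking, func(i, j int) bool {
		return severityRank[strings.ToLower(blocking[i].Severity)] >
			severityRank[strings.ToLower(blocking[j].Severity)]
	})
	return len(blocking) == 0, blocking
}

func main() {
	findings, err := parseFindings(sampleScanCSV)
	if err != nil {
		panic(err)
	}
	pass, blocking := gate(findings)
	fmt.Printf("dry run pass: %v (%d blocking of %d findings)\n", pass, len(blocking), len(findings))
	for _, f := range blocking {
		fmt.Printf("  %-6s %s:%s %s\n", f.Severity, f.Host, f.Port, f.Name)
	}
}
```

Running the gate on every dry run, rather than eyeballing the scanner's own summary, keeps the Low and Info noise out of the way and makes the "no Medium or High" threshold the same one the paid test will apply.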

Page 11

Test Detail: Host

Questionnaire
• Host configuration
• Access & password policies
• Patching & maintenance policies
• Physical security

System Test
• None

Page 12

Test Detail: App

Questionnaire
• Software development processes
• Common vulnerabilities (buffer overflow, cross-site scripting, SQL injection, etc)
• App user & password management
• Salesforce user & password management

System Test
• Application penetration testing tools
• Authentication mechanism (e.g. password length)
• Injection attacks (XSS, SQL)
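An added example, not from the deck, of the injection class the App system test exercises, for the web page case: the same Go template rendered once with text/template, which reflects user-supplied markup into the page unchanged, and once with html/template, which escapes it for the HTML text context. The input string and page fragment are constructed; a review that sends this kind of value into every free-text field and checks the response for the raw tag is the check the testers will run.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// untrustedName is a constructed value of the kind a tester submits into a
// free-text field, such as a user's display name.
const untrustedName = `<script>alert(1)</script>`

// pageTemplate is the same page source for both renderers.
const pageTemplate = `<p>Welcome back, {{.Name}}.</p>`

// renderUnescaped is the vulnerable form: text/template copies the field
// into the HTML byte for byte, so markup in the field becomes markup in the page.
func renderUnescaped(name string) (string, error) {
	t, err := texttemplate.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"Name": name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderEscaped is the hardened form: html/template knows the value lands in
// an HTML text node and escapes it for that context.
func renderEscaped(name string) (string, error) {
	t, err := htmltemplate.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"Name": name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// reflectsMarkup is the test-side check: does the raw tag survive rendering?
func reflectsMarkup(rendered string) bool {
	return strings.Contains(rendered, "<script>")
}

func main() {
	for label, render := range map[string]func(string) (string, error){
		"text/template": renderUnescaped,
		"html/template": renderEscaped,
	} {
		out, err := render(untrustedName)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-13s reflects markup=%v  %s\n", label, reflectsMarkup(out), out)
	}
}
```

The fix is contextual output encoding at the point where untrusted data meets the page, not input filtering; html/template chooses the encoding from where the value sits (text node, attribute, URL, script), which a hand-written escape call does not.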

Page 13

Test Detail: Operations

Questionnaire
• HR (employee security policies & security training)
• Business continuity
• Incident response
• Procedure documentation & change management

System Test
• None

Page 14

Building your listing

Get to know the AppExchange Listing

Select the Setup for your Application listing

Build Your Application Listing

Frequently Asked Questions

Page 15

Get to know the AppExchange Listing

Elements of a listing: Title; Abstract; TD/GIN; Thumbnail; Additional Resources; Logo

Page 16

Building your listing: Agenda

Get to know the AppExchange Listing

Select the Setup for your Application listing

Build Your Application Listing

Frequently Asked Questions

Page 17

Select the Setup for your Application

Demonstrate your application using: Test Drive or Demo

Distribute your application through: Get It Now, Learn More or Download

Page 18

Select the Setup for your Application (same slide as page 17)

Page 19

Demonstrate your Application through: Test Drive

• Fully functional read-only version of the application
• Allow customers to “kick the tires”
• Present data in a dynamic working environment
• Appropriate for all Native applications and some Composite applications

Page 20

Demonstrate your Application through: Demo

• For applications that are too complicated to demonstrate through a Test Drive
• Demonstrates the functionality of the application
• Walkthrough of the application – “A day in the life”
• Appropriate for some Composite applications and all Client applications

Page 21

Demo – Suggested Format

1. Overview – quick introduction to the demo and a discussion of the value proposition.

2. Step by Step – show everyday use of the application. Outline the functionality a user will see – show it in action! How does your application interact with Salesforce.com: do you create data in a custom object? Do you import leads? What are the steps that make this happen?

3. Additional info and conclusion

Page 22

Additional Considerations in Building a

• Market your demo toward Salesforce.com users
• Stay away from marketing your company
• Screenshots are a must!
• Remember: you only have 60 seconds to grab a customer’s attention.

Page 23

Select the Setup for your Application (same slide as page 17)

Page 24

Distribute your Application Through: Get It Now

• Deploy your custom salesforce.com application at the click of a button
• Automatically install various elements ranging from custom tabs to pre-made dashboards
• Appropriate for all Native and Composite applications

Page 25

Distribute your Application Through: Learn More

For applications where an immediate installation is not available:
• Hardware appliances
• Integration services
• Applications that require contact with direct sales or consulting services

The Learn More landing page provides:
• Additional information about the application
• Sales contact information
• Marketing directed towards a salesforce.com customer

The “Get It Now” should be packaged and left private

Page 26

Distribute your Application Through: Download

• For applications that install directly to the user’s desktop, or external services that do not use the salesforce.com interface
• Links to a landing page with more information about the download (not just a direct link to the file)

Page 27

How do I enable these buttons?

By default only Get It Now and Test Drive are available for your listing

Other buttons – Demo, Learn More, Download- need to be enabled by salesforce.com

Email [email protected] for an evaluation of your application

Page 28

Building your listing: Agenda

Get to know the AppExchange Listing

Select the Setup for your Application listing

Build Your Application Listing –Tips and Tricks!

Frequently Asked Questions

Page 29

Use the Listing Form as a Guide

Use the form when writing your copy for the listing. Log into www.appexchange.com and click on edit for your listing

You can now see the text limitations for each item

Page 30

Title and Logo

Title: the name of your product; should not include “for AppExchange”

Logo: your 60x60 “record cover”

Page 31

Thumbnail and Screenshot

Two separate files; the thumbnail is 160x115

Page 32

Datasheet and Customization Guide

Datasheet: two-page summary of key information

Customization Guide: for applications that require additional setup or customization to function
• Step-by-step walkthrough for System Admins
• Adding page layouts for standard salesforce.com objects and tabs
• Any steps that are needed to activate the application

Page 33

Presentation

• Excellent supplement to a Test Drive
• Give the business value of your application
• Use any format

Page 34

Building your listing: Agenda

Get to know the AppExchange Listing

Select the Setup for your Application listing

Build Your Application Listing

Frequently Asked Questions

Page 35

FAQ: I don’t have a listing!

Log into the publisher area of https://www.salesforce.com/appexchange/publishing.jsp

Native/Composite application: after you package and register your first version you will see your listing in the Manage My Apps area.

Client application: you will need to request a listing from support
• Log in to the publisher area of www.appexchange.com
• Click Manage My Publisher Profile and create a profile
• Click “Request Assistance” and log a case for a new listing

Page 36

FAQ: My publisher tab is blank!

Your publisher profile needs to match the username associated with the profile you created.

It will always be in the format of an email address, e.g. [email protected]

Tip: when in doubt, after clicking Assign Publisher Profile just click My Publisher Profile

Page 37

FAQ: My Publisher Tab is Blank! (screenshot slide)

Page 38

Questions?

Send email to [email protected]

Click on request assistance under Manage My Apps