Security Boundaries in Apex

Dan Appleman, CTO, Full Circle CRM, Author of “Advanced Apex Programming” (@danappleman)

Upload: salesforce-developers

Post on 01-Jul-2015


DESCRIPTION

Many Apex developers ignore security, particularly when doing consulting projects. But security is not difficult if you consider it when designing your code. Join us to learn some simple design patterns to help ensure your code respects configured security settings, and some more sophisticated architectures you can use when your requirements call on you to override configured security settings.

TRANSCRIPT

Page 1: Security Boundaries in Apex

Security Boundaries in Apex

Dan Appleman, CTO, Full Circle CRM, Author of “Advanced Apex Programming”

@danappleman

Page 2: Security Boundaries in Apex

Safe Harbor

Safe harbor statement under the Private Securities Litigation Reform Act of 1995:

This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

 

The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.

 

Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Page 3: Security Boundaries in Apex

What is a security boundary?

Page 4: Security Boundaries in Apex

What is security?

• A list of things that you can do?

Page 5: Security Boundaries in Apex

What is security?

• A list of things that you can’t do?

Page 6: Security Boundaries in Apex

Security Boundary

• The time and place where a security decision is made

• Decisions such as:

  • Verify identity (authentication)

Page 7: Security Boundaries in Apex

Security Boundary

• The time and place where a security decision is made

• Decisions such as:

  • Verify identity (authentication)

  • Grant/Block permission (authorization)

Page 8: Security Boundaries in Apex

Vacation Photos

Page 9: Security Boundaries in Apex

Vacation Photos

Page 10: Security Boundaries in Apex

Authentication on the Salesforce Platform

Page 11: Security Boundaries in Apex

Authorization on the Salesforce Platform

• Stops you from:

  • Accessing records: role based security

  • Accessing objects: CRUD (create/read/update/delete)

  • Accessing object fields: FLS (field level security)

Page 12: Security Boundaries in Apex

Security Boundary on the Salesforce Platform

• For declarative developers, it’s the user interface

Page 13: Security Boundaries in Apex

Security Boundaries with Apex

• Role based security

Diagram: Database | Apex Code, with the boundary at SOQL (with sharing only)

Page 14: Security Boundaries in Apex

Security Boundaries with Apex

• CRUD and FLS

Diagram: Apex Code, with the CRUD/FLS boundary at standard object controllers (VisualForce) only

Page 15: Security Boundaries in Apex

Security Boundaries with Apex

• CRUD and FLS – what you’re “supposed” to do…

Diagram: Apex Code, with the CRUD/FLS boundary at standard object controllers (VisualForce) only

    if (Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
        // Every time you access/update a field
    }
    if (Schema.sObjectType.Contact.isDeletable()) {
        // Every time you access/delete an object
    }
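The slide shows the describe checks inline at every field access. The following is an added example, not code from the talk, that moves the same `isUpdateable()` / `isDeletable()` checks into one helper so a caller performs a single check per operation before its DML. The class and method names (`AccessCheck`, `AccessException`, `assertUpdateable`, `assertDeletable`, `updateContactEmails`) are hypothetical; the Schema describe calls are the standard Apex API.

```apex
// Added example (not from the talk): centralized CRUD/FLS checks built on the same
// Schema describe calls the slide uses inline. Names in this class are hypothetical.
public with sharing class AccessCheck {

    public class AccessException extends Exception {}

    // Throw unless the running user may update the object AND every listed field.
    // fields.getMap() keys are lowercase, so field names are lowercased before lookup.
    public static void assertUpdateable(Schema.SObjectType objType, Set<String> fieldNames) {
        Schema.DescribeSObjectResult objDescribe = objType.getDescribe();
        if (!objDescribe.isUpdateable()) {
            throw new AccessException('Update not permitted on ' + objDescribe.getName());
        }
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        for (String fieldName : fieldNames) {
            Schema.SObjectField field = fieldMap.get(fieldName.toLowerCase());
            // An unknown field name yields null; treat that as "not updateable"
            // rather than silently skipping the check.
            if (field == null || !field.getDescribe().isUpdateable()) {
                throw new AccessException('Update not permitted on '
                    + objDescribe.getName() + '.' + fieldName);
            }
        }
    }

    // Throw unless the running user may delete records of this object.
    public static void assertDeletable(Schema.SObjectType objType) {
        Schema.DescribeSObjectResult objDescribe = objType.getDescribe();
        if (!objDescribe.isDeletable()) {
            throw new AccessException('Delete not permitted on ' + objDescribe.getName());
        }
    }

    // Caller pattern: check once, then do the DML. "with sharing" on the class covers
    // record access; the describe checks cover object (CRUD) and field (FLS) access.
    public static void updateContactEmails(Map<Id, String> emailByContactId) {
        assertUpdateable(Contact.SObjectType, new Set<String>{ 'Email' });
        List<Contact> toUpdate = new List<Contact>();
        for (Id contactId : emailByContactId.keySet()) {
            toUpdate.add(new Contact(Id = contactId, Email = emailByContactId.get(contactId)));
        }
        update toUpdate;
    }
}
```

The point of the helper is that the check cannot be forgotten at one of many call sites: a caller that skips `assertUpdateable` has to do so visibly, which is what a security reviewer looks for.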

Page 16: Security Boundaries in Apex

If you worked for Dilbert’s company

Almost everyone is:

• Incompetent (except you)

• Completely self-centered (except you)

• Just a tiny bit malicious

Actual Dilbert image not shown here because I don’t feel like getting sued by Scott Adams for copyright infringement, so use your imagination

Page 17: Security Boundaries in Apex

Requirement

• Lead SLA (Service Level Agreement) for Sales people to try to encourage them to stop ignoring leads

Page 18: Security Boundaries in Apex

Requirement

• Lead SLA (Service Level Agreement) for Sales people to try to encourage them to stop ignoring leads

    trigger SLA_Date_Setting on Lead (before insert) {
        for (Lead ld : Trigger.new) {
            // Real version of this would take into account holidays, vacations, etc.
            ld.AB_SLA_Date__c = DateTime.now().addDays(3);
        }
    }

Page 19: Security Boundaries in Apex

Result

• All Salespeople always met their SLA!!!!

Page 20: Security Boundaries in Apex

Solution

• Use Field Level Security to make the field read-only for everyone.

Diagram: Database | Apex Code | VisualForce/UI

Page 21: Security Boundaries in Apex

Requirement

• When lead status changes from default, log SLA status

• (find out how responsive your sales team is)
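One way to implement this requirement, as an added example that is not code from the talk: an after-update trigger that writes one log record the first time a lead leaves the default status, recording whether the response came before the `AB_SLA_Date__c` the talk’s own trigger sets. The log object `SLA_Log__c` and its fields (`Lead__c`, `Met_SLA__c`, `Responded_On__c`), the default status value, and the assumption that `AB_SLA_Date__c` is a DateTime field are all hypothetical.

```apex
// Added example (not from the talk). SLA_Log__c and its fields are hypothetical.
trigger SLA_Status_Logging on Lead (after update) {
    // Assumed org default for new leads; a real version would read it from metadata.
    final String DEFAULT_STATUS = 'Open - Not Contacted';

    List<SLA_Log__c> logs = new List<SLA_Log__c>();
    for (Lead ld : Trigger.new) {
        Lead before = (Lead) Trigger.oldMap.get(ld.Id);
        // Log only the transition away from the default status, once per lead.
        if (before.Status != DEFAULT_STATUS || ld.Status == DEFAULT_STATUS) {
            continue;
        }
        DateTime respondedOn = DateTime.now();
        logs.add(new SLA_Log__c(
            Lead__c = ld.Id,
            Responded_On__c = respondedOn,
            // Met the SLA only if a deadline exists and the response came before it.
            Met_SLA__c = ld.AB_SLA_Date__c != null && respondedOn <= ld.AB_SLA_Date__c
        ));
    }

    // Triggers run in system context: this insert succeeds even when the salesperson
    // saving the lead has no create access to SLA_Log__c. That is the boundary the
    // log relies on, since the rep cannot write or edit log records through the UI.
    if (!logs.isEmpty()) {
        insert logs;
    }
}
```

Because the trigger, not the user, decides what goes into the log, the log stays trustworthy even though the salesperson triggered it: the same system-context behaviour that let the earlier SLA-date trigger write a read-only field works in the defender’s favour here.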

Page 22: Security Boundaries in Apex

SLA Log Reporting

• Salesperson can see only their own data

• Sales manager can see detailed sales data

• Marketing can see aggregate data, but not individual records!

Page 23: Security Boundaries in Apex

Implementation

• Set Sharing default to private (grant access through hierarchy)

• Use report or VisualForce page to access aggregate data

Page 24: Security Boundaries in Apex

Implementation

• Set Sharing default to private (grant access through hierarchy)

• Use report or VisualForce page to access aggregate data

  • Let sales people see results based on data they have access to (but not global data) – With Sharing

  • Let marketers see results based on global data (but not individual log data) – Without sharing
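Both sides of that boundary in code, as an added example that is not the talk’s own: two inner classes with opposite sharing modes (an inner class keeps its own sharing declaration rather than inheriting its container’s). The `with sharing` class returns individual log records, so SOQL filters them to what the running user can see under the Private default and the role hierarchy; the `without sharing` class sees every record but returns only aggregates. The object `SLA_Log__c`, its fields, and the Private sharing default on it are hypothetical.

```apex
// Added example (not from the talk). SLA_Log__c and its fields are hypothetical.
// Usage: new SlaReports.ForSales().myRecentLogs(20)
//        new SlaReports.ForMarketing().summarize(DateTime.now().addDays(-30))
public class SlaReports {

    // Marketing receives only these numbers, never an individual log record.
    public class Summary {
        public Integer total = 0;
        public Integer met = 0;
        public Decimal percentMet() {
            if (total == 0) {
                return 0;
            }
            return (met * 100.0 / total).setScale(1);
        }
    }

    // Salespeople: record-level detail. "with sharing" restricts the SOQL to the
    // log records the running user can see (own records plus those below them in
    // the role hierarchy), so each rep sees only their own team's data.
    public with sharing class ForSales {
        public List<SLA_Log__c> myRecentLogs(Integer limitCount) {
            return [SELECT Id, Lead__c, Met_SLA__c, Responded_On__c
                    FROM SLA_Log__c
                    ORDER BY Responded_On__c DESC
                    LIMIT :limitCount];
        }
    }

    // Marketing: "without sharing" lets the query see every log (the talk's
    // "all-powerful code user"), but the method returns only counts, so the
    // sharing bypass never hands back a record the caller could not read directly.
    public without sharing class ForMarketing {
        public Summary summarize(DateTime since) {
            Summary s = new Summary();
            for (AggregateResult ar : [SELECT Met_SLA__c metSla, COUNT(Id) n
                                       FROM SLA_Log__c
                                       WHERE Responded_On__c >= :since
                                       GROUP BY Met_SLA__c]) {
                Integer n = (Integer) ar.get('n');
                s.total += n;
                if ((Boolean) ar.get('metSla')) {
                    s.met += n;
                }
            }
            return s;
        }
    }
}
```

The design choice worth noticing is that the `without sharing` class has no method that returns an `SLA_Log__c`. Keeping record-returning methods out of the privileged class is what makes the sharing bypass reviewable: a reader can confirm from the class alone that the only thing leaving it is aggregate data.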

Page 25: Security Boundaries in Apex

Security Boundary Principles

• Don’t expose restricted data (even if you can)

• New data (like aggregate data) is NOT necessarily controlled by the security settings of the source data.

• Though Apex lacks impersonation, you can authorize code to perform tasks (imaginary all-powerful code user)

Page 26: Security Boundaries in Apex

Closing Hints

• For developers and consultants

  • Please don’t ignore security, even though it adds cost, is a hassle to build and test, and nobody seems to care (until it’s too late)

  • Use standard patterns by default (with sharing, testing CRUD/FLS) even though you’ll probably bypass them in a panic when things don’t work.

Page 27: Security Boundaries in Apex

Closing Hints

• For developers and consultants

  • Please don’t ignore security, even though it adds cost, is a hassle to build and test, and nobody seems to care (until it’s too late)

  • Use standard patterns by default (with sharing, testing CRUD/FLS) even though you’ll probably bypass them in a panic when things don’t work.

• For application developers

  • Pay attention to security, because the security review team will.

  • Expect to fail security review the first time through, and to justify use of advanced design patterns.

Page 28: Security Boundaries in Apex