5 Must-Know Tools for Salesforce ISVs to Ace AppExchange Security Reviews
Building secure solutions on the Salesforce platform is crucial for Independent Software Vendors (ISVs) and developers. An unsecured product can face rejection during the security review process or lead to significant issues if not addressed properly. With numerous security and vulnerability tools available, choosing the right one can be challenging.
In our latest podcast, Abhinav, a Salesforce expert and founder of Concret.io, and Harting Harris, a founding member of Concret.io and a seasoned Salesforce architect, discussed five essential tools for the Salesforce security review process. This blog summarizes their discussion, providing a comprehensive guide to help ISVs choose the right tool for their security needs.
Best Tools for Salesforce Security and Vulnerability Checks
# 1. Checkmarx
Checkmarx is a tool used for application security and vulnerability checks, specifically designed to scan Salesforce native code such as Apex, Visualforce (VF), Lightning Web Components (LWC), and triggers. It is one of the oldest and most mature tools used in the Salesforce ecosystem for security review.
Use Case:
Ideal for applications that contain native Salesforce code.
Checkmarx scan reports are mandatory for Salesforce security review submissions if your solution includes any native code like Apex, VF, or LWC components.
Quick points:
Installation: Nothing to install locally; scans are requested through the Partner Security Portal.
CI/CD compatible: The paid version supports CI/CD, allowing ISVs to integrate it into their pipeline via the CLI, while the free version does not.
Cost: Free for Salesforce ISV partners, with limits; paid versions are available for extended use.
Scan Limits: Checkmarx is limited to 3 scans per review, with a maximum of 2 million lines of code for ISVs and 360,000 lines of code for Salesforce customers.
Extended Use: To scan unpackaged code or exceed the three-scan limit, a Checkmarx license must be purchased.
# 2. Salesforce Code Analyzer
Salesforce Code Analyzer is a more advanced tool provided by Salesforce, designed to support various code types, including Apex, Visualforce (VF), JavaScript, Lightning Web Components (LWC), and TypeScript. This versatile tool ensures both security and code quality.
Use Case:
Code Analyzer is more suitable for frequent and comprehensive scans of native Salesforce code and beyond.
This tool is ideal for maintaining both security and code quality standards.
Quick points:
Compatibility: CI/CD compatible CLI-based tool that can be installed locally.
Installation: Not hosted on the Partner Security Portal; requires local installation.
Technology Integration: Combines ESLint, JavaScript PMD, RetireJS, Salesforce Graph Engine, and more to provide extensive scanning capabilities.
Real-Time Development Support: Integrates with your Integrated Development Environment (IDE) for real-time code analysis while you develop.
Unlimited Scans: There is no limit on the number of scans, making it ideal for regular quality checks.
Accepted and Recommended by Salesforce: The security review team accepts results from Code Analyzer and recommends using it on top of Checkmarx.
# 3. OWASP ZAP
OWASP ZAP (Zed Attack Proxy) is a free and open-source tool primarily used for scanning external API integrations to ensure they are free from vulnerabilities. Unlike other tools, OWASP ZAP does not have a direct tie-up with Salesforce.
Use Case:
ZAP is best for checking external API endpoints, particularly those not controlled by the organization, to ensure they are free from vulnerabilities.
Quick points:
Cost: Free and open-source.
Installation: Not hosted on the partner portal; installable as a desktop application or browser extension.
Compatibility: Works well with CI/CD and QA automated testing tools like Selenium.
Functionality: Ensures comprehensive security checks for external API integrations.
Request and Response Monitoring: Shows all requests made and responses received, including AJAX calls.
# 4. Burp Suite
Developed by PortSwigger, Burp Suite is a security testing app similar to OWASP ZAP. Burp is used for external API endpoint scans and web app vulnerability checks. However, its free version has fewer capabilities, making the paid version a better option for comprehensive scans.
Use Case:
The paid version is more suitable for complex API integrations requiring detailed vulnerability checks.
Supports automated vulnerability scanning and testing using specialized tools like Intruder and Sniper, available in the paid version.
Quick points:
Cost: Offers both free and paid versions.
Hosting: Not hosted on the Partner Security Portal; requires installation.
Results Accepted with Submission: The security review team accepts results from Burp Suite.
CI/CD Compatibility: The free version is not CI/CD compatible, while the paid version supports CI/CD integration.
# 5. Chimera
Chimera is a cloud-based security scanning tool used for scanning owned servers and endpoints, ensuring they meet Salesforce's security standards. Unlike OWASP ZAP and Burp Suite, which are ideal for scanning external systems not owned by you, Chimera is best suited for endpoints you own.
Use Case:
Chimera is best for organizations that maintain their own servers and API endpoints, ensuring they meet Salesforce's security standards.
Quick points:
Cost: Free and open-source tool with a tie-up with Salesforce.
Hosting: Requires initiation through the partner portal.
Authentication: Scans are performed from a Salesforce IP address, necessitating token-based authentication from the server.
CI/CD: This tool does not support CI/CD integration.
Scan Limitations: It cannot be used with endpoints on domains you don't own, because it requires uploading a verification token to the root of the target server.
Tips from Harting
In the podcast, Harting shared some insightful tips for effectively using these tools:
Regular Scans with Code Analyzer:
Use Salesforce Code Analyzer for each release or deliverable. Frequent scans help in identifying and fixing issues early, reducing the burden on Checkmarx scans.
Final Check with Checkmarx:
After completing the development process, use Checkmarx for a final security review. It acts as a checkpoint to ensure no major vulnerabilities are left unchecked.
Initial API Checks with Chimera:
For owned endpoints, use Chimera as soon as you identify the need for integration. Early scans help in catching issues that might affect the entire application.
Use OWASP ZAP for External APIs:
For external API integrations, OWASP ZAP is a reliable and free tool. It helps in ensuring that external dependencies do not introduce vulnerabilities.
Consider Burp Suite for Complex Integrations:
If dealing with complex API integrations, consider using the paid version of Burp Suite. Its advanced features provide a more thorough vulnerability assessment.
The tools mentioned above are used to check for vulnerabilities in your solution, but none guarantee that all occurrences will be caught. Once you receive the report, it is crucial to manually check all the occurrences in the code to ensure comprehensive security. This manual review complements the automated scans, providing a more thorough evaluation of potential vulnerabilities.
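As an added example (not from the podcast and not code from any of these tools), the following Python gate reads a Code Analyzer JSON report in a CI/CD pipeline, fails the build when findings at or above a chosen severity are present, and counts every occurrence so each one can be ticked off during the manual review described above. The report layout (one entry per scanned file with a `violations` list, severity 1 = high, 2 = moderate, 3 = low) is an assumption modelled on Code Analyzer's JSON output; the sample report, rule names and messages are constructed.

```python
import json
from collections import Counter

# Constructed sample shaped like a Salesforce Code Analyzer JSON report
# (assumed layout: one entry per file with a "violations" list;
# severity 1 = high, 2 = moderate, 3 = low). Rule names/messages are illustrative.
SAMPLE_REPORT = json.dumps([
    {"engine": "pmd", "fileName": "force-app/main/default/classes/AccountService.cls",
     "violations": [
         {"line": 42, "severity": 1, "ruleName": "ApexSOQLInjection",
          "message": "Avoid untrusted/unescaped variables in DML/SOQL query"},
         {"line": 10, "severity": 3, "ruleName": "ApexDoc",
          "message": "Missing ApexDoc comment"}]},
    {"engine": "eslint-lwc", "fileName": "force-app/main/default/lwc/orderList/orderList.js",
     "violations": [
         {"line": 7, "severity": 2, "ruleName": "no-inner-html",
          "message": "Unsafe assignment to innerHTML"}]},
])
SEVERITY_LABEL = {1: "high", 2: "moderate", 3: "low"}


def load_violations(report_json):
    """Flatten the per-file report into one list of findings."""
    findings = []
    for entry in json.loads(report_json):
        for v in entry.get("violations", []):
            findings.append({"file": entry["fileName"], "engine": entry.get("engine", "?"),
                             "line": v["line"], "severity": v["severity"],
                             "rule": v["ruleName"], "message": v["message"]})
    return findings


def gate(findings, threshold=1):
    """Fail when any finding is at or above the threshold (lower number = more severe).
    Returns (passed, blocking_findings)."""
    blocking = [f for f in findings if f["severity"] <= threshold]
    return len(blocking) == 0, blocking


def review_checklist(findings):
    """Count occurrences per (file, rule) so each one can be ticked off in manual review."""
    return Counter((f["file"], f["rule"]) for f in findings)


if __name__ == "__main__":
    findings = load_violations(SAMPLE_REPORT)
    passed, blocking = gate(findings, threshold=2)   # block on high and moderate
    for f in sorted(blocking, key=lambda f: (f["severity"], f["file"], f["line"])):
        print(f"{SEVERITY_LABEL[f['severity']]:8} {f['file']}:{f['line']} "
              f"[{f['engine']}/{f['rule']}] {f['message']}")
    print("occurrences to review:", sum(review_checklist(findings).values()))
    print("BUILD", "PASSED" if passed else "FAILED")   # FAILED for the sample report
```

In a real pipeline, replace SAMPLE_REPORT with the contents of the file written by the scanner's JSON output option and exit non-zero when the gate fails.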
Conclusion
Building a secure Salesforce app requires the right tools and practices. By leveraging Checkmarx, Salesforce Code Analyzer, OWASP ZAP, Burp Suite, and Chimera, ISVs can ensure their applications meet the highest security standards. Regular scans, understanding tool limitations, and integrating security checks into the development process are crucial to achieving a successful security review.
At Concretio, our AppExchange experts specialize in helping ISVs navigate the Salesforce security review process, ensuring that your applications are robust and compliant with industry standards. Partner with us to optimize your security practices and achieve a successful review.