Security.Force.Com is Your App’s Best Friend. | Salesforce Developers Blog

I was ridiculously excited when I discovered Security.Force.Com at Dreamforce 2009.  My favorite feature?  The source scanner.  If you haven't discovered it yet, you should run your code through it early and often, even if you aren't distributing it as an app.

Before I forget, there's a Labs webinar coming up which you should join.  Sara Varni and I will be discussing bad jokes and great apps.  Click here to register now.

Here's how the source code scanner works.  You give it a username and it scans your code for security issues and several coding best practices.  You can find full details on the help page, but in short the scanner checks for the following issue types:
    * Cross Site Scripting
    * SOQL Injection
    * SOSL Injection
    * Frame Spoofing
    * Access Control Issues

Apex Best Practices

    * DML statements inside loops
    * SOQL/SOSL inside loops
    * Hardcoding Trigger.new[0]
    * Hardcoding Trigger.old[0]
    * Queries with no Where clause or no LIMIT clause
    * Not bulkifying apex methods
    * Async (@future) methods inside loops
    * Hardcoding IDs
    * Multiple triggers on same object
    * Static Resource referencing

If it finds an issue, it then gives you instructions on how to correct it.  It's like an Apex coach at your disposal — for free.  Very cool.
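As an added illustration (not code from the original post or from the scanner itself), here are two hypothetical Apex units that show patterns the scanner flags next to the corrected form: a SOQL injection fixed with a bind variable, and a trigger that hardcodes Trigger.new[0] and queries inside a loop, rewritten in bulkified form. The class, trigger, object fields and picklist values are constructed for the example.

```apex
// Unit 1: SOQL injection. User input concatenated into a dynamic query is flagged.
public with sharing class AccountSearch {
    // Flagged: the caller's text becomes part of the query grammar.
    public static List<Account> unsafeSearch(String nameFragment) {
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + nameFragment + '%\'';
        return Database.query(q);
    }
    // Corrected: a bind variable is passed as data, never parsed as SOQL.
    public static List<Account> safeSearch(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }
}

// Unit 2: trigger anti-patterns. Hardcoding Trigger.new[0] handles only the first
// record, and SOQL inside the loop runs once per record; both break on bulk loads
// (a trigger can receive up to 200 records per invocation).
trigger ContactAccountCheck on Contact (before insert) {
    // Flagged version, kept as a comment for comparison:
    //   Contact first = Trigger.new[0];                      // Hardcoding Trigger.new[0]
    //   for (Contact c : Trigger.new) {
    //       Account a = [SELECT Id, Industry FROM Account     // SOQL inside a loop
    //                    WHERE Id = :c.AccountId];
    //   }

    // Bulkified version: collect parent Ids, query once, then work in memory.
    Set<Id> accountIds = new Set<Id>();
    for (Contact c : Trigger.new) {
        if (c.AccountId != null) {
            accountIds.add(c.AccountId);
        }
    }
    // One query for the whole batch, bounded by both a WHERE and a LIMIT clause.
    Map<Id, Account> parents = new Map<Id, Account>(
        [SELECT Id, Industry FROM Account WHERE Id IN :accountIds LIMIT 200]);
    for (Contact c : Trigger.new) {
        Account parent = parents.get(c.AccountId);
        if (parent != null && parent.Industry == 'Banking') {
            c.LeadSource = 'Banking Referral';  // constructed picklist value
        }
    }
}
```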

I should probably update the title to say that this is my best friend since I use it fairly heavily.  All Chatter Labs apps have gone through it and I've (almost) completed security and s-control remediation on another 20 Labs apps, all with the help of this tool.  (I'll be publishing details on the packages I've updated in a future post — stay tuned and attend the webinar.)

In the meantime, use Security.Force.Com. Make sure your devs and consultants use it.  Scan your code early and often to make sure you aren't surprised at the very end of a project.  You'll be glad you did.
