I was ridiculously excited when I discovered Security.Force.Com at Dreamforce 2009. My favorite feature? The source scanner. If you haven't discovered it yet, you should run your code through it early and often, even if you aren't distributing it as an app.
Before I forget, there's a Force.com Labs webinar coming up which you should join. Sara Varni and I will be discussing bad jokes and great apps. Click here to register now.
Here's how the source code scanner works. You give it a username for the org you want checked and it scans that org's Apex and Visualforce code for security issues and several coding best practices. You can find full details on the help page, but in short the scanner checks for the following issue types:
Security
* Cross Site Scripting
* SOQL Injection
* SOSL Injection
* Frame Spoofing
* Access Control Issues
Apex Best Practices
* DML statements inside loops
* SOQL/SOSL inside loops
* Hardcoding Trigger.new[0]
* Hardcoding Trigger.old[0]
* Queries with no Where clause or no LIMIT clause
* Not bulkifying apex methods
* Async (@future) methods inside loops
* Hardcoding IDs
* Multiple triggers on same object
* Static Resource referencing
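To make the list above concrete, here is an added Apex example (mine, not code from the post, from Salesforce or from any Force.com Labs app) that puts three of the flagged patterns next to the form the scanner wants instead: SOQL injection, SOQL/DML inside a loop, and a missing access-control check. The class name, the Contact_Count__c custom field on Account and the custom exception are assumptions for the illustration; a trigger would simply call the bulkified method with Trigger.new.

```apex
// Added illustration of scanner findings. Contact_Count__c is an assumed
// custom Number field on Account; ScannerFindings is a made-up class name.
public with sharing class ScannerFindings {

    public class AccessException extends Exception {}

    // FLAGGED (SOQL Injection): user input is concatenated into query text,
    // so a single quote in nameFragment lets the caller rewrite the WHERE clause.
    public static List<Account> searchUnsafe(String nameFragment) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%'
                    + nameFragment + '%\'';
        return Database.query(soql);
    }

    // FIXED: a bind variable keeps the input as data, and the LIMIT clause
    // also satisfies the "no LIMIT clause" best-practice check.
    public static List<Account> searchSafe(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern LIMIT 200];
    }

    // FIXED when the query must stay dynamic: escape quotes before concatenating.
    public static List<Account> searchDynamicSafe(String nameFragment) {
        String escaped = String.escapeSingleQuotes(nameFragment);
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%'
                    + escaped + '%\' LIMIT 200';
        return Database.query(soql);
    }

    // FLAGGED (SOQL and DML inside a loop): one query and one update per
    // Contact, so a 200-record bulk insert blows through governor limits.
    public static void countContactsUnbulkified(List<Contact> newContacts) {
        for (Contact c : newContacts) {
            Account a = [SELECT Id, Contact_Count__c FROM Account
                         WHERE Id = :c.AccountId];
            a.Contact_Count__c = (a.Contact_Count__c == null ? 0 : a.Contact_Count__c) + 1;
            update a;
        }
    }

    // FIXED (bulkified, with an access-control check): collect the IDs first,
    // run one query, one update, and verify CRUD/FLS before writing.
    // "with sharing" on the class enforces record-level sharing rules.
    public static void countContactsBulkified(List<Contact> newContacts) {
        if (!Schema.sObjectType.Account.isUpdateable()
            || !Schema.sObjectType.Account.fields.Contact_Count__c.isUpdateable()) {
            throw new AccessException('Not allowed to update Account.Contact_Count__c');
        }

        Map<Id, Integer> addedPerAccount = new Map<Id, Integer>();
        for (Contact c : newContacts) {
            if (c.AccountId == null) continue;
            Integer n = addedPerAccount.containsKey(c.AccountId)
                      ? addedPerAccount.get(c.AccountId) : 0;
            addedPerAccount.put(c.AccountId, n + 1);
        }
        if (addedPerAccount.isEmpty()) return;

        List<Account> accts = [SELECT Id, Contact_Count__c FROM Account
                               WHERE Id IN :addedPerAccount.keySet()];
        for (Account a : accts) {
            Decimal current = a.Contact_Count__c == null ? 0 : a.Contact_Count__c;
            a.Contact_Count__c = current + addedPerAccount.get(a.Id);
        }
        update accts;
    }
}
```

The "Hardcoding Trigger.new[0]" finding is the same disease as the unbulkified method: code that assumes one record per invocation works in a unit test and fails the first time a data loader inserts 200 Contacts at once, which is why the scanner groups it with the loop checks.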
If it finds an issue, it then gives you instructions on how to correct it. It's like an Apex coach at your disposal — for free. Very cool.
I should probably update the title to say that this is my best friend since I use it fairly heavily. All Chatter Labs apps have gone through it and I've (almost) completed security and s-control remediation on another 20 Force.com Labs apps, all with the help of this tool. (I'll be publishing details on the packages I've updated in a future post — stay tuned and attend the webinar.)
In the meantime, use Security.Force.Com. Make sure your devs and consultants use it. Scan your code early and often to make sure you aren't surprised at the very end of a project. You'll be glad you did.