What is Force.com Secure Cloud Development?
Force.com Secure Cloud Development is a set of tools, processes and training that can be used during different stages of a standard development cycle. Force.com developers can leverage our online training, secure coding libraries, and on-demand security source code scanner to build more secure applications while reducing development time.
Force.com Secure Cloud Development borrows from several other secure development methodologies and models such as Microsoft SDL, BSIMM, OpenSAMM, CLASP, and others. We commend their respective authors for their outstanding work. Force.com Secure Cloud Development though takes a slightly different approach when compared to the others. First, its primary focus is on the Force.com platform. Second, there is a major focus on areas which we've seen help most in improving code quality. Security methodologies can be quite prescriptive and often are only really possible for large companies. Salesforce.com has aimed to deliver something that focuses on the most ‘bang for the buck’, while still delivering good security coverage. Depending on your sensitivity around security you can and probably should add to the resources we’ve provided. Third, while we do outline where in the development lifecycle the resources should be used, there’s nothing set in stone. Reasonable companies should adopt the resources that make the most sense to them at the time in the development lifecycle that makes the most sense. Some companies will find that certain aspects of Force.com Secure Cloud Development Resources don’t apply to them or add that much value. That’s perfectly fine too. You should use it in the way that adds the most value to your organization.
Check out our Force.com Secure Cloud Development Resources page for more information on what specific resources are available and how you can use them.
Why have a security lifecycle for Force.com?
Significant security breaches due to software security vulnerabilities are in the news almost daily. Unfortunately though, it’s a sad state of the industry that most developers lack the training, expertise, and tools to build software securely. The goal of Force.com is a platform that is not only fast and easy to develop on, but a security conscious community in which all developers and partners value trust as their top priority. Together, our entire network of developers can help build a trusted Force.com ecosystem.
Additionally, by adopting these approaches, companies will reduce the number of security issues in their applications and lower their total development cost. The National Institute of Standard and Technology states that eliminating vulnerabilities early in the development process can cost 30 times less than if you fixed them after the software has been released.
Who is the Force.com Secure Cloud Development aimed at?
Force.com Secure Cloud Development is primarily aimed at members of development organizations, but can be used to help drive improved security by anyone helping build and support applications and services. Some large or security sensitive organizations may find that they need to augment Force.com Secure Cloud Development to include further requirements.
What’s the future for Force.com Secure Cloud Development look like?
The salesforce.com team wants our community to be very open with feedback. If there are areas you’d like more information on, better tools, more resources, whatever the case is, let us know. We want to help you be successful and only through feedback and transparency from our community will we be able to achieve this. Feedback can be sent to us at securecloud [at] salesforce [dot] com.
By following Force.com Secure Cloud Development will I be 100% secure?
There is no framework, lifecycle, methodology or model that will guarantee something to be completely secure. The resources available here will help though in improving the security of your Force.com applications.