Salesforce Security - Chimera

Salesforce Product Security is excited to announce our newest tool to help AppExchange ISV Partners complete the AppExchange Security Review Process - Chimera! Chimera is completely free to AppExchange ISV Partners, and is available now. Chimera has been demoed and discussed at Dreamforce 2015 and AppSec USA 2015.

Chimera Announcements and Status Updates

No status updates at this time - Chimera operating normally

About Chimera

The Chimera web scanner is named after the mythical beast made up of the strongest parts of many animals. Like that myth, this scanner is made up of the strongest parts of multiple open-source web application scanning tools and powered by the Heroku and Salesforce cloud infrastructures. It will be provided to our partners free of charge to help secure future AppExchange-listed web applications before they undergo a rigorous final security review by the Salesforce Product Security team.

Using Chimera during or after development of an external service to connect with a Salesforce app couldn't be simpler. Once your web-based application is ready to be scanned, simply create a test account on the application and provide Chimera with a URL and those test credentials. Chimera will take care of figuring out how to log in to your application and run a battery of different tests and scans. A consolidated report with all issues, warnings, and informational notes will be generated and emailed to you when the scan is complete.

Using Chimera

Please log in to the Chimera Portal using your partner credentials (the ones you use to edit and publish your AppExchange listings and offerings) to get started.

Before starting a scan, you must configure your site to prove that you are the owner. Chimera can only be used to scan web applications that you own or develop. To do this, click on "Download Token" to download your abuse prevention token. Follow the directions on that page to upload the token to your domain. If you are absolutely unable to upload the token to your server, please contact us using the address on the download token page. We will grant exceptions in very rare circumstances.

Once you have completed the abuse prevention token steps, you may start a scan using the "New Scan" button. Simply input the target for your scan (the index page of your web application) and (optionally, but recommended) a testing account with login privileges, then start the scan. You will receive an email when the scan is complete, and you may log back into the portal to download results.

Abuse Prevention Token

In order to verify that you are the owner of the site(s) that you use Chimera to scan, you are required to upload an abuse prevention token to the root of the site. This token is a unique alphanumeric key for your user profile. Only the user account whose token is uploaded to a site will be able to initiate Chimera scans.

The abuse prevention token can be downloaded from the new scan popup window in the Chimera portal. The file is called ChimeraToken.txt and contains only your unique token code. The file should be uploaded to the root of the target site as-is.

You must upload the token to the root of the target site or its parent domain. For instance, if your scan target was https://chimera.salesforce.com, you could upload the token file to either https://chimera.salesforce.com/ChimeraToken.txt or https://salesforce.com/ChimeraToken.txt.
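The placement rule above (token file at the root of the target host, or at the root of its parent domain) can be checked before you queue a scan. The following is an added example and not Chimera's own verification code; it assumes the file is compared to the token as plain text with surrounding whitespace ignored, and the token value and fake fetcher are constructed placeholders.

```python
from urllib.parse import urlsplit
import urllib.request

TOKEN_FILE = "ChimeraToken.txt"

def candidate_token_urls(target):
    """Return the URLs at which the token file may legitimately live for `target`:
    the root of the target host, then the root of its immediate parent domain
    (only when that parent still has at least two labels, so 'example.com' does
    not fall back to the bare 'com' TLD)."""
    parts = urlsplit(target)
    host = parts.hostname
    if not host:
        raise ValueError(f"target has no host: {target!r}")
    urls = [f"{parts.scheme}://{host}/{TOKEN_FILE}"]
    labels = host.split(".")
    if len(labels) >= 3:
        urls.append(f"{parts.scheme}://{'.'.join(labels[1:])}/{TOKEN_FILE}")
    return urls

def http_fetch(url, timeout=10):
    """Fetch a URL body as text; return None on any HTTP or network error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except Exception:
        return None

def verify_ownership(target, expected_token, fetch=http_fetch):
    """Return the URL where a file matching `expected_token` was found, else None.
    The body is stripped so a trailing newline in ChimeraToken.txt does not fail the check."""
    for url in candidate_token_urls(target):
        body = fetch(url)
        if body is not None and body.strip() == expected_token:
            return url
    return None

# Constructed sample: a fake fetcher standing in for the network, with the token
# served only from the parent domain, as in the page's own example.
SAMPLE_TOKEN = "EXAMPLE-TOKEN-0000"  # placeholder, not a real Chimera token
FAKE_SITES = {
    "https://salesforce.com/ChimeraToken.txt": SAMPLE_TOKEN + "\n",
}

def fake_fetch(url):
    return FAKE_SITES.get(url)

if __name__ == "__main__":
    print(verify_ownership("https://chimera.salesforce.com/", SAMPLE_TOKEN, fake_fetch))
```

Run it against your own target with the default `http_fetch` to confirm the file is reachable over the public internet before starting a scan.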

It is possible to manually override this requirement on a scan-by-scan basis, but this will only be done by our team in exceptionally rare cases and will substantially delay your scan queue time. To request this, please email chimerascanner@salesforce.com.

Frequently Asked Questions

How does Chimera work?
Chimera is a cloud-based security scanning service that combines several open-source security scanning tools into one service. Chimera is powered by and scans from the Heroku cloud platform. Custom-built code then combines and analyzes the results from all scanning tools used and provides a single, actionable security report to you.


What does Chimera scan with?
Chimera makes use of multiple powerful open-source scanning tools. These tools, as well as some of our own, are run against the targets that you own and specify. Chimera then collates, analyzes, and parses all of their results into a cohesive report for analysis by you and your development team. No changes have been made to the source code or behavior of these tools, and if you are interested in doing so you may download any of these scanners as stand-alone tools and run them against your projects internally. Downloading and running tools individually may be required for mobile or client applications, as well as web applications not accessible to the public internet.

A full listing and description of the tools used by Chimera is available on the Chimera Portal homepage.


Should I scan my Salesforce org or Force.com site with Chimera?
No, Chimera should only be used to scan external integrations that you own/develop and are planning to connect to an AppExchange offering. To scan on-platform code (Visualforce, Apex, etc.) you should use the free Force.com Security Code Scanner.


Can I scan my mobile or client app with Chimera?
At this time, Chimera is only able to scan web applications that are reachable from the public internet. In order to run a ZAP security scan against a mobile or client app, please see the instructions we have put together here.


Can I email you questions about how to fix my security issues?
Due to the volume of security scans provided by Chimera, we cannot answer technical security questions (which tend to be quite in-depth discussions) on an ad-hoc basis. If you have questions about technical aspects of Chimera (how to use it, errors you have encountered, etc.) please feel free to email us at chimerascanner@salesforce.com. If you have questions about the issues found on your site, please schedule an office hours appointment with the Salesforce Product Security team.


Should I use Chimera on my Production service?
While Chimera will run correctly against your Production service, we recommend you provide a representative staging or development environment so as to mitigate the risk of data loss or corruption. The environment provided to Chimera must be accessible from the public internet.


How long does a scan usually take?
Scan times vary widely due to factors such as volume, queue size, application size, and network speed/connectivity of the application servers. In general, we see scans complete anywhere from 4-16 hours after starting. Time in queue varies greatly and we cannot provide estimates at this time.


Can you give me the IP address/range that you will scan from?
Due to the cloud-based nature of Chimera (we use Heroku for scalability), we are unable to give you an IP address or range that the scanner engines will use. At this time we have no plans to convert to a static IP address or range for Chimera to use. If we do implement this, we will update this page with the IP ranges you can expect to see traffic from.


Do I have to fix every issue on the report?
Chimera reports endeavor to give you all information about all issues or potential issues discovered on your site with as much documentation as it is possible for us to provide. Some of these issues may be false positives, or may not be valid security issues. We ask that you carefully review the report and provided documentation and reference. If you have any questions, we are happy to help. Please schedule an office hours appointment with the Salesforce Product Security team.


My Chimera report says it was unable to log in, but I provided test credentials.
Chimera does its best to identify how to log in to your web application automatically, but this service is not perfect. We are constantly working on improving this service and hope to have a significantly more powerful auto-login engine online soon. We log every failed attempt to determine how to log in for jobs for which credentials were provided and investigate to learn from it, so there is no need to email us about every failure. In cases where Chimera was unable to log in to your site automatically, we recommend that you download ZAP and run a security scan locally. We will periodically post announcements on this page relating to new releases, including new auto-login engine releases.


Can I use Chimera if I am not an ISV Partner?
At this time, Chimera is only available to ISV Partners developing external integrations for the AppExchange. We are constantly working on Chimera, and a near-future roadmap item is to open source the platform and provide it as a Heroku slug for use with Heroku Spaces to allow for private network scanning as an internal security component. We'll post links here as soon as we've made progress on this front. Thank you for your interest!