Security at Dreamforce 2015

The Salesforce Trust team has put together a comprehensive set of developer-oriented talks and booth content for all four days of Dreamforce 2015! Our goal is to educate all developers on the many security features built into the platform and to answer any security-related questions. During all hours that the Developer Zone is open, you can talk to our security engineers at our booth, which is located in the App Cloud area of the Developer Campground.

Below you'll find the full schedule of the 10 DevZone talks and 2 ISV Lightning Talks that Salesforce security engineers are giving during Dreamforce 2015. Feel free to attend any or all of them; each one covers a different set of material. Talk abstracts are listed below, and slides and video will be posted as soon as possible after each talk. Resources mentioned in a talk are listed beneath that talk's description. If you have any questions about material covered in a talk, feel free to visit our booth!

For any security questions during Dreamforce, including questions while speakers present, tweet @SecureCloudDev.


Frequently Mentioned Resources

Security Trailhead: online security and secure development courses

Chimera: AppExchange ISV Web Integration Security Scanner

Force.com Code Scanner: code security reports



We hope you'll be able to join us for several of our DevZone presentations this year!



Tuesday, September 15

ISV Tech Talk: CRUD / FLS / Sharing

4:30-4:50, Park Central Hotel - Stanford Room
Daphne Kao

With sharing or without sharing... is that the question? Join us as we help you better understand how to leverage the best Salesforce security features in code. Learn all the best practices for hardening your application and keeping your data secure. We will cover sharing, FLS, CRUD, and all the most common mistakes and misconceptions about how these features work in Apex and Visualforce.


ISV Tech Talk: Common Security Mistakes

5:00-5:20, Park Central Hotel - Stanford Room
Rachel Black

How safe are your Lightning Components? Join us and learn about the foundations required for a secure application built on Lightning. We'll cover common misconceptions around field-level security, CRUD, content security policy (CSP), as well as other common mistakes with Lightning. You'll walk away with all the best practices for hardening your application and keeping your data secure.



Wednesday, September 16

CRUD / FLS / Sharing

12:00-12:40, Moscone West Rm. 2009
Daphne Kao and Ryan Flood

With sharing or without sharing... is that the question? Join us as we help you better understand how to leverage the best Salesforce security features in code. Learn all the best practices for hardening your application and keeping your data secure. We will cover sharing, FLS, CRUD, and all the most common mistakes and misconceptions about how these features work in Apex and Visualforce.
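The sharing, CRUD and FLS distinctions that both CRUD / FLS / Sharing sessions (the ISV Tech Talk on Tuesday and this DevZone session) cover, as an added Apex example that is not from the talk and not Salesforce's own code. It assumes the standard Account object and its Name and AnnualRevenue fields; the class name and exception class are illustrative.

```apex
// Added example, not from the talk. Shows the three separate checks an Apex
// service class should make: record-level access (sharing), object-level
// access (CRUD) and field-level access (FLS). Account, Name and AnnualRevenue
// are standard; the class and exception names are assumptions.
public with sharing class AccountService {
    public class AccessException extends Exception {}

    // "with sharing" makes the SOQL and DML in this class honour the running
    // user's record-level access (org-wide defaults, role hierarchy, sharing
    // rules). It does NOT enforce CRUD or FLS; those need the explicit checks
    // below. Common mistakes: "without sharing" on a class that exposes user
    // data, or no keyword at all on an entry-point class such as a Visualforce
    // controller, which then runs without sharing.

    public static List<Account> listAccounts() {
        // CRUD: may the running user read the Account object at all?
        if (!Schema.sObjectType.Account.isAccessible()) {
            throw new AccessException('No read access to Account');
        }
        // FLS: may the user read each field we are about to return?
        // Keys of the describe map are lower-case field API names.
        Map<String, Schema.SObjectField> fieldMap =
            Schema.sObjectType.Account.fields.getMap();
        for (String fieldName : new List<String>{ 'Name', 'AnnualRevenue' }) {
            Schema.SObjectField token = fieldMap.get(fieldName.toLowerCase());
            if (token == null || !token.getDescribe().isAccessible()) {
                throw new AccessException('No read access to Account.' + fieldName);
            }
        }
        // Sharing: under "with sharing" only records visible to the running
        // user come back from this query.
        return [SELECT Id, Name, AnnualRevenue FROM Account ORDER BY Name LIMIT 200];
    }

    public static void updateRevenue(Id accountId, Decimal revenue) {
        // CRUD on the object and FLS on the single field being written.
        if (!Schema.sObjectType.Account.isUpdateable()
                || !Schema.sObjectType.Account.fields.AnnualRevenue.isUpdateable()) {
            throw new AccessException('No update access to Account.AnnualRevenue');
        }
        Account acct = new Account(Id = accountId, AnnualRevenue = revenue);
        // Under "with sharing" an update to a record the user cannot see fails
        // with an insufficient-access error instead of silently succeeding.
        update acct;
    }
}
```

The point the abstract makes about misconceptions is visible here: the sharing keyword and the describe-based checks are independent, and dropping either one leaves a different hole (record access versus object and field permissions).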


Heroku Best Practices

4:00-4:40, Moscone West Rm. 2009
Daed Latrope and Rhys Elsmore

Recent news stories have shown the importance of securing your cloud infrastructure. The flexibility and scalability of the Heroku platform are attractive, but what about security? Join us to hear directly from the Heroku security team about the latest Heroku security features and how best to secure your Heroku apps.



Thursday, September 17

Org Access Controls

9:30-10:10, Moscone West Rm. 2007
Jorge Caceres and Mikel Otaegi

If you've seen the news lately, you know you need strong security protections for your online systems. Join us as we explain why access control features like IP range restrictions, identity confirmation, and two-factor authentication are critical to the protection of your Salesforce instance. Hear from Salesforce security engineers about how these protections work, the threats they mitigate, and their possible drawbacks. We'll also share some tips for using Salesforce securely alongside these features.


Secret Storage in Your Salesforce Instance

9:30-10:10, Moscone West Rm. 2011
Kyle Tobener and Ian Goldsmith

Preparing to integrate? Join us to better understand how to store sensitive secrets on the Force.com Platform. Learn all the best practices for keeping your passwords, keys, and tokens secure. We will walk you through encrypted fields, protected custom settings, managed packages, and the brand new Named Credentials feature to provide you with all the knowledge you need to store a secret.
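Two of the storage options the abstract names, a protected custom setting and a Named Credential, contrasted with a hard-coded secret, as an added Apex example that is not from the talk and not Salesforce's own code. The custom setting `Gateway_Settings__c` with field `API_Key__c`, the Named Credential `Payment_Gateway`, and the endpoint URL are assumptions.

```apex
// Added example, not from the talk. Contrasts a literal secret in Apex with
// two platform-backed stores. "Gateway_Settings__c", "API_Key__c",
// "Payment_Gateway" and the URL are assumed names for illustration.
public with sharing class PaymentGatewayClient {
    public class ConfigException extends Exception {}

    // WRONG: a literal secret in Apex ships in the package source, is readable
    // in every subscriber org that installs it, and can only be rotated by
    // releasing a new package version.
    // private static final String API_KEY = 'sk_live_0123...';

    // Option 1: protected custom setting. When a custom setting inside a
    // managed package has Visibility = Protected, only Apex in the package's
    // namespace can read it; subscriber administrators cannot see the value in
    // Setup or through the API. The value is still loaded into Apex memory and
    // must be set per org, typically by a post-install configuration page.
    private static String apiKeyFromSetting() {
        Gateway_Settings__c settings = Gateway_Settings__c.getOrgDefaults();
        if (settings == null || String.isBlank(settings.API_Key__c)) {
            throw new ConfigException('Payment gateway API key is not configured');
        }
        return settings.API_Key__c;
    }

    public static HttpResponse fetchBalanceWithSetting() {
        HttpRequest req = new HttpRequest();
        // A plain URL also has to be registered as a Remote Site Setting.
        req.setEndpoint('https://api.example.com/v1/balance');
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + apiKeyFromSetting());
        return new Http().send(req);
    }

    // Option 2: Named Credential. The endpoint URL and the credential are
    // defined in Setup, an administrator can rotate them without touching code,
    // and Apex never handles the secret. "callout:" followed by the Named
    // Credential's API name replaces the host; the platform appends the path
    // and attaches the stored authentication to the request.
    public static HttpResponse fetchBalanceWithNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Payment_Gateway/v1/balance');
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

Of the two, the Named Credential keeps the secret out of Apex entirely, which is why it is the better default for a new integration; the protected custom setting remains useful when the external service needs a credential format the Named Credential authentication options do not cover.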


External App Integrations

12:00-12:40, Moscone West Rm. 2010
Astha Singhal and Chris Vinecombe

Salesforce is an open and easily extensible platform. However, sometimes it's hard to figure out the best, most secure way to build these integrations. Join us as we help you build secure integrations with Salesforce by understanding the platform authentication and authorization constructs like profile permissions and OAuth scopes. We will demonstrate the importance of leveraging Salesforce security features like mutual SSL, IP range restrictions, and Connected Apps.


Hardened Apps with the Mobile SDK

2:30-3:10, Moscone West Rm. 2008
Max Feldman and Martin Vigo

As frameworks and languages have evolved, creating a mobile app has never been easier. But can an easy mobile app be secure? Join our mobile security experts to discuss the Salesforce Mobile SDK and learn everything you need to know about hardening your mobile apps. We will discuss some common mobile vulnerabilities and mistakes, then dive deep into how the Salesforce Mobile SDK makes following our security best practices easy and painless!


Code Scanning with Checkmarx

3:30-4:10, Moscone West Rm. 2011
Robert Sussland and Igor Matlin (Checkmarx)

Are you a fan of time saving tools? Did you know that Salesforce has teamed up with Checkmarx to offer free security scans of your platform code? Join us to learn how the Checkmarx code scanner will save you time and improve your security by analyzing your code and providing you with a free report. When you leave, you'll know exactly how to submit a scan request, which vulnerabilities will be found, and how to interpret the report.


Lightning Components Best Practices

4:30-5:10, Moscone West Rm. 2011
Sergey Gorbaty and Robert Sussland

How safe are your Lightning Components? Join us and learn about the foundations required for a secure application built on Lightning. We'll cover common misconceptions around field-level security, CRUD, content security policy (CSP), as well as other common mistakes with Lightning. You'll walk away with all the best practices for hardening your application and keeping your data secure.


Common Secure Coding Mistakes

5:00-5:40, Moscone West Rm. 2006
Rachel Black and Alejandro Raigon

Cross-site scripting, SOQL injection, Open Redirect. Even if you've heard of these security vulnerabilities, you might not understand exactly how they work. Join two Salesforce security engineers as they explain how these common web application vulnerabilities manifest in your Force.com code and show you with simple demo code how to banish these flaws for good.
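The three flaws the abstract names, each shown in its vulnerable Force.com form beside the fix, as an added Apex example that is not from the talk and not Salesforce's own code. It assumes a Visualforce controller with two request-supplied properties; the class, property and landing-page names are illustrative.

```apex
// Added example, not from the talk. A Visualforce controller with the three
// mistakes the session covers and their fixes. Class, property and page names
// are assumptions; Contact and Name are standard.
public with sharing class ContactSearchController {
    // Both properties are populated from request parameters by the page.
    public String term { get; set; }
    public String retUrl { get; set; }

    // SOQL INJECTION, vulnerable: user input is concatenated into the query.
    // term = "x%' OR Name != '" changes the WHERE clause and returns every
    // Contact the query can see.
    public List<Contact> searchUnsafe() {
        return Database.query(
            'SELECT Id, Name FROM Contact WHERE Name LIKE \'%' + term + '%\'');
    }

    // Fix 1 (preferred): bind variable in static SOQL. The value is passed as
    // data and is never parsed as SOQL. "%" and "_" inside term still act as
    // LIKE wildcards, which is a search-behaviour question, not an injection.
    public List<Contact> searchSafe() {
        String pattern = '%' + term + '%';
        return [SELECT Id, Name FROM Contact WHERE Name LIKE :pattern];
    }

    // Fix 2: when the query must be built dynamically, escape the quotes so
    // the input cannot terminate the string literal.
    public List<Contact> searchDynamicSafe() {
        String escaped = String.escapeSingleQuotes(term);
        return Database.query(
            'SELECT Id, Name FROM Contact WHERE Name LIKE \'%' + escaped + '%\'');
    }

    // CROSS-SITE SCRIPTING: Visualforce HTML-escapes {!term} by default. The
    // usual mistakes are escape="false" on an output component, or inserting
    // the value into a <script> block, where HTML escaping is not the right
    // encoding. Escape for the context the value is rendered in.
    public String getTermAsHtml() {
        return String.escapeHtml4(term);        // for an HTML text node
    }
    public String getTermForJs() {
        return String.escapeEcmaScript(term);   // for a JavaScript string literal
    }

    // OPEN REDIRECT, vulnerable: following retUrl as given lets a link such as
    // ?retUrl=https://attacker.example send the user off-site after the action.
    public PageReference doneUnsafe() {
        return new PageReference(retUrl);
    }

    // Fix: accept only a path within this org. Reject absolute URLs,
    // protocol-relative "//host" and the "/\host" form browsers treat the
    // same way; fall back to a fixed landing page otherwise.
    public PageReference done() {
        if (String.isBlank(retUrl)
                || !retUrl.startsWith('/')
                || retUrl.startsWith('//')
                || retUrl.startsWith('/\\')) {
            return new PageReference('/home/home.jsp');
        }
        return new PageReference(retUrl);
    }
}
```

The same three fixes apply outside controllers: bind variables wherever SOQL is written, output encoding chosen by rendering context, and an allow-list of local paths for any redirect target taken from a request.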


Friday, September 18

External Integration Security with Chimera

10:00-10:40, Moscone West Rm. 2009
Tim Bach and Travis Safford

One of the main goals of the Salesforce AppExchange Security Team is giving developers and partners ownership of their security posture with free education, tools, and resources. Our newest cloud-based security tool, Chimera, actively scans your external web application integrations quickly and comprehensively. With just a few clicks you can receive a detailed security report - results which until now required downloading and installing multiple pieces of software and hours of manual effort. Join us to learn about the technology behind Chimera and how you can use it to streamline security review. We will also touch on how Salesforce uses Chimera behind the scenes to continuously monitor the security of the AppExchange ecosystem.