Security at Dreamforce 2016

The Salesforce Trust team has put together a comprehensive set of developer-oriented breakout sessions, demos, and hands-on training for all four days of Dreamforce 2016! Our goal is to educate all developers on the many security features built into the platform and to answer any security-related questions. During all hours that the Developer Forest is open, you can talk to our security engineers at our booth, which is located near the Tree of Code.

Below you'll find the full schedule of breakout sessions, tech talks, and trainings that Salesforce security engineers are giving during Dreamforce 2016. Attend any or all of them, as each covers a different set of useful material. Talk abstracts are available here, and slides and video will be available as soon as possible after each talk. Resources mentioned in each talk are listed beneath the talk's description. If you have any questions about material covered in a talk, feel free to visit our booth and discuss them in depth with security engineers!

For any security questions during Dreamforce, including questions as speakers present, tweet @SecureCloudDev.


Frequently Mentioned Resources

Trailhead Modules

Practice preventing vulnerabilities

Force.com Code Scanner

Code Security Reports

Secure Code Guidelines

Best practices for secure coding



We hope you'll be able to join us for several of our breakout sessions and trainings this year! The full schedule of Trust team presentations is available below, along with a description of each talk and links to any external resources referenced in the talk. As soon as possible after each presentation, slides and video recordings will be posted here.


Tuesday, October 4

Why is Trust our #1 Value

1:00pm, Palace Hotel, Pacific Heights Room
Zachary Powers

The Trust of our customers is paramount at Salesforce. To further our values of customer Trust, the information security team at Salesforce is officially named the Trust Team. Come hear from Zachary Powers, VP of Enterprise Engineering, about how the Trust Team differs from a traditional information security practice. We'll also discuss how Trust is instilled in every employee, the programs we support to further Trust internally, and why your company might benefit from having a Trust team.

Hands-On Workshop: Build Secure Apps for Force.com

2:15pm, Moscone West Rm. 2020
Rachel Black and Astha Singhal

Application security is an important skill for every web app developer. Join us as we introduce you to some fundamentals of secure development on the Salesforce platform and give you the skills you'll need to write bulletproof code on the platform. In this hands-on workshop, you'll go deep with our security engineers on Cross-Site Scripting, one of the most widely encountered web app vulnerabilities. We'll teach you how the vulnerability occurs, the impact to users, and how to fix it through a series of hands-on demos ranging from simple to complex!

Best Practices for using Force.com Security Source and Cloud Scanners

3:00pm, Franciscan Ballroom
Robert Sussland and Joshua Clark

Building secure applications begins with your code and the tools that organizations use as part of their test and release process. Join us as we discuss two of the most popular free tools (Checkmarx and ZAP) for automatically finding security vulnerabilities in your app. In this session we will cover these two tools in detail and discuss new features now available.

Data Access for Visualforce and Apex

5:00pm, Moscone West, Rm. 2000
Jorge Caceres and Nitin Arya

With sharing or without sharing... is that the question? Join us as we demonstrate the best practices for hardening the code for your Salesforce app and keeping your data secure. We will cover sharing, FLS, CRUD, and the common mistakes and misconceptions about how these features work in Visualforce and Apex.


Wednesday, October 5

Hands-On Workshop: Build Secure Apps for Force.com

11:45am, Moscone West Rm. 2020
Rachel Black and Astha Singhal

Application security is an important skill for every web app developer. Join us as we introduce you to some fundamentals of secure development on the Salesforce platform and give you the skills you'll need to write bulletproof code on the platform. In this hands-on workshop, you'll go deep with our security engineers on Cross-Site Scripting, one of the most widely encountered web app vulnerabilities. We'll teach you how the vulnerability occurs, the impact to users, and how to fix it through a series of hands-on demos ranging from simple to complex!

ISV Tech Talk: Security Best Practices for Lightning Components

12:00pm, Partner Lodge Theater
Ryan Flood

How secure are your Lightning components? Learn the foundations required for a secure Lightning application. We'll cover common mistakes and misconceptions around field-level security (FLS), CRUD, and content security policy (CSP). You'll walk away with the best practices for hardening your application and keeping your data secure.

Org Security Fundamentals

12:15pm, Mobile Theater
Vinayendra Nataraja and Swapnil Shinde

If you've read the news lately, you know you need strong security protections for your online systems. Join us as we teach you how to leverage access control features such as IP range restrictions, identity confirmation, and two-factor authentication to protect your Salesforce instance. Hear from Salesforce security engineers about how these protections work and the threats they mitigate.

ISV Tech Talk: Data Access for Visualforce and Apex (CRUD/FLS/Sharing)

12:30pm, Partner Lodge Theater
Jorge Caceres and Nitin Arya

With sharing or without sharing... is that the question? This session will help you better understand how to leverage the best Salesforce security features in code. Join us and learn all the best practices for hardening your application and keeping your data secure. We will cover sharing, FLS, CRUD, and all the most common mistakes and misconceptions about how these features work in Apex and Visualforce.

Securing Your Heroku Apps

4:30pm, Moscone West Rm. 2024
Mikel Otaegi and Sergey Gorbaty

With sharing or without sharing... is that the question? This session will help you better understand how to leverage the best Salesforce security features in code. Join us and learn all the best practices for hardening your application and keeping your data secure. We will cover sharing, FLS, CRUD, and all the most common mistakes and misconceptions about how these features work in Apex and Visualforce.


Thursday, October 6

Hands-On Workshop: Build Secure Apps for Force.com

1:00pm, Moscone West Rm. 2020
Rachel Black and Astha Singhal

Application security is an important skill for every web app developer. Join us as we introduce you to some fundamentals of secure development on the Salesforce platform and give you the skills you'll need to write bulletproof code on the platform. In this hands-on workshop, you'll go deep with our security engineers on Cross-Site Scripting, one of the most widely encountered web app vulnerabilities. We'll teach you how the vulnerability occurs, the impact to users, and how to fix it through a series of hands-on demos ranging from simple to complex!

Security Best Practices for Lightning

2:30pm, Moscone West Rm. 2024
Ryan Flood and Hormazd Billimoria

How secure are your Lightning components? Learn the foundations required for a secure Lightning application. We'll cover common mistakes and misconceptions around field-level security (FLS), CRUD, and content security policy (CSP). You'll walk away with the best practices for hardening your application and keeping your data secure.

Avoiding Common Security Mistakes

3:30pm, Developer Lightning Theater
Travis Safford and Jeff Jarmoc

Cross-site scripting, SOQL injection, Open Redirect. Even if you've heard of these security vulnerabilities, how exactly do they work? Hear from Salesforce security engineers as they explain how these common web application vulnerabilities manifest in your Force.com code and how to banish these flaws in your code for good!


Friday, October 7

Quick Security Fixes with the Force.com Security Source Scanner

11:30am, Developer Theater
Ahmed Khan and Chris Hale

Did you know that Salesforce offers free security scans of your Force.com code? Learn how to use the Checkmarx code scanner to scan your code and generate a vulnerability report. We'll demonstrate how to submit a scan request, understand vulnerabilities, and interpret the report. You'll walk away knowing how to use this time-saving tool to catch your security bugs before you send your app out for review to the Salesforce AppExchange Security Team.

2-Factor Authentication: What Is It and Why Do You Want It?

12:15pm, Developer Theater
Alastair Thomson and George Hill

How do you know that only trusted devices are connecting to your Salesforce org? Join us to learn about two-factor authentication and how to set it up in Salesforce. We'll also talk about common malware campaigns and teach you how to protect your org by leveraging the security tools available in Salesforce.