Salesforce Developer Security Scanner
https://developer.salesforce.com/page/Secure_Coding_Guideline
https://developer.salesforce.com/page/Security
https://developer.salesforce.com/page/Workbench
https://code.google.com/p/force-dot-com-esapi/
// Salesforce - Developer - Security - Checkmarx (Security Code Scanner):
Checkmarx is a Force.com source code analysis tool. The tool consumes your code
and builds a tree that represents every possible code flow in the application.
A set of rules is then applied to the parsed flow in order to detect possible
quality and security issues.
An example of this functionality is the way in which Checkmarx searches for
cross-site scripting vulnerabilities. The scanner will look for user controlled
input, like in a URL parameter, that is reflected back to a VisualForce page
without being properly encoded. If such a flow is detected, the tool reports
that the codebase is vulnerable to cross-site scripting and lists the chain of
function calls starting with the tainted data (source) and ending with the
vulnerable rendering on the page (sink).
Salesforce.com has made a free version of Checkmarx, referred to as the
Force.com Security Source Scanner, available to developers to assist in the
development of trusted applications. All developers are strongly encouraged to
take advantage of this resource: it improves the security and quality of their
code with minimal time commitment.
To be eligible to use the free version of Checkmarx, your org must meet the
following requirements:
1. Your org must contain less than 500,000 lines of code (excluding static
resources and packages which are not scanned).
2. You must have access to the email address associated to the username you
provide to the tool.
3. Your org must have the Metadata API enabled.
4. You must have the "Author Apex" permission enabled for the username you
provide to the tool.
You can access the Force.com Security Source Scanner at the following URL:
http://security.force.com/security/tools/forcecom/scanner
Submitting a job to the Force.com Security Source Scanner version of Checkmarx
is fast and simple. Visit the URL above, provide the Salesforce username for the
org you wish to scan, and choose the rule set you wish to employ.
Since the scanner is a free resource available to everyone, it works on a
queueing system that prioritizes smaller jobs over larger jobs. A small job
can take a couple of hours, a large job will usually take a day, and extremely
large jobs can take several days. To keep the system available for all to use
in a reasonable time period, each organization is limited to 3 scans per month.
When submitting a job, you are given a list of rule sets to choose from. Below
we have included the different rule sets and the kind of searches they employ:
1. Security Profile
a. Cross Site Scripting
b. SOQL Injection
c. SOSL Injection
d. Frame Spoofing
e. Access Control Issues
2. Quality Profile
a. DML statements inside loops
b. SOQL/SOSL inside loops
c. Hardcoding Trigger.new[0]
d. Hardcoding Trigger.old[0]
e. Queries with no Where clause or no LIMIT clause
f. Not bulkifying apex methods
g. Async (@future) methods inside loops
h. Hardcoding IDs
i. Multiple triggers on same object
j. Static Resource referencing
3. Salesforce1 Security Profile (Beta)
Designed for applications with lots of client-side JavaScript:
a. DOM-based Cross Site Scripting
b. Sharing Violations
c. SOQL/SOSL injection
d. Reflected and Stored Cross Site Scripting
When the scanner completes, the email address associated with the username
submitted to the scanner will receive an email with (up to) two attachments:
a PDF report of all the issues identified, and an XML file providing the same
information in a structured format. If no attachments are sent, the scanner
found no issues.
1. Go to /apex/Checkmarx_Demo in the Security Tools tab and download the
Checkmarx Report for this training org.
2. Let's walk through the issues found by Checkmarx source code analysis in
this org.
Checkmarx sees an instance of outputText with escape = "false" (the sink). It
traces the rendered value back to the function it comes from. In the
getWelcomeMessage() function, no escaping is performed in Apex either, so the
user-controlled value reaches the page unencoded. Thus, this is correctly
marked as a Reflected XSS issue.
The fixed XSS demo contains almost the same code. In that case, however, once
the trace reaches the getSecureWelcomeMessage() function, Checkmarx sees that
an encoding function is called on the message before it is sent to the UI, and
the flow is therefore not marked as vulnerable.
In this case, the probability and numerical variables being used to construct
the SOQL query are coming from user input on the page without being escaped.
Thus, it is marked as a SOQL injection vulnerability by Checkmarx.
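As an added illustration of both findings above (this is example code, not the training org's controller), the following Apex controller puts the flagged and unflagged variants side by side. The class name, the URL parameter name `name`, the method names for the SOQL case, and the Visualforce markup in the comments are assumptions; only getWelcomeMessage() and getSecureWelcomeMessage() are named on the page.

```apex
// Assumed Visualforce markup for the two XSS getters (constructed for this example):
//   <apex:outputText value="{!welcomeMessage}" escape="false"/>        -> flagged
//   <apex:outputText value="{!secureWelcomeMessage}" escape="false"/>  -> not flagged
public with sharing class ScannerDemoController {

    // SOURCE: a URL parameter such as /apex/Demo?name=... is user controlled.
    private String nameParam() {
        String n = ApexPages.currentPage().getParameters().get('name');
        return n == null ? '' : n;
    }

    // Reflected XSS: the tainted value flows unchanged into an escape="false" sink.
    public String getWelcomeMessage() {
        return 'Welcome, ' + nameParam() + '!';
    }

    // Fixed: an encoding call on the path breaks the source -> sink flow, so the
    // scanner no longer reports the sink even though escape="false" is unchanged.
    public String getSecureWelcomeMessage() {
        return 'Welcome, ' + String.escapeHtml4(nameParam()) + '!';
    }

    // SOQL injection: page-supplied strings (probability, numerical) are
    // concatenated straight into a dynamic query, so their content becomes SOQL.
    public List<Opportunity> getUnsafeOpportunities(String probability, String numerical) {
        String q = 'SELECT Id, Name FROM Opportunity WHERE Probability = ' + probability
                 + ' AND Amount > ' + numerical;
        return Database.query(q);
    }

    // Fixed: the inputs are parsed as numbers (Decimal.valueOf throws a
    // TypeException on non-numeric input) and passed as bind variables, so user
    // data never becomes part of the query text. For string fields in a dynamic
    // query, String.escapeSingleQuotes() would be the equivalent defence.
    public List<Opportunity> getSafeOpportunities(String probability, String numerical) {
        Decimal prob = Decimal.valueOf(probability);
        Decimal amt  = Decimal.valueOf(numerical);
        return [SELECT Id, Name FROM Opportunity
                WHERE Probability = :prob AND Amount > :amt];
    }
}
```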
Checkmarx cannot currently detect insecure secret storage, open redirects, or
missing field-level security (FLS) checks; these must be reviewed manually.
page revision: 0, last edited: 12 Dec 2016 03:36