Stat Tracker

Friday, July 21, 2017

Trailhead Trail for OWASP Top Ten 2017


The trailmix can be found here.

OWASP Top Ten Item                                  | Trailhead Module
----------------------------------------------------|------------------------------------------
A1 – Injection                                      | Injection Vulnerability Prevention
A2 – Broken Authentication and Session Management   | Secure Secret Storage
A3 – Cross-Site Scripting (XSS)                     | Injection Vulnerability Prevention
A4 – Broken Access Control                          | Data Leak Prevention
A5 – Security Misconfiguration                      | Security Basics
A6 – Sensitive Data Exposure                        | Data Security
A7 – Insufficient Attack Protection                 | Data Security
A8 – Cross-Site Request Forgery (CSRF)              | App Logic Vulnerability Prevention
A9 – Using Components with Known Vulnerabilities    | App Logic Vulnerability Prevention
A10 – Underprotected APIs                           | App Logic Vulnerability Prevention

Tuesday, April 11, 2017

Salesforce Security Review - Security Posture & False Positive Template

When a company submits its application for Salesforce Security Review, there is often a need to provide documentation. There is a lot of information on the process and the security scans here, but it doesn't include any templates or documentation standards that a submission should follow for its application.

This is a sample of a template I have used when submitting to Salesforce Security Review that I have found helpful. I have gone through Salesforce Security Review more than 10 times for large OEM managed packages with hundreds of thousands of lines of code. I have found that the more information you can give the security engineers when they review your application the more successful you will be in passing your security review. Performing this documentation as part of your SDLC also helps bake this into your engineering processes, ensuring future reviews are successful.

Here is the sample template for a fake application with some simple data points. For a true enterprise-class application this can be a rather lengthy, but important, document.
Security Review Considerations and False Positives Template

Want to learn more? Join my engineering organization! I'm looking for new talent to mentor in multiple engineering roles!

Friday, August 26, 2016

Winter 17 Release - Governor Limit Increases You Should Know

Governor Limit Increases in SFDC Winter 17 Release

These updates require no action and are automatically granted in the release. Load more records, relate more objects in formulas, and generally increase the scale of your solutions without doing anything!

1. Process Twice as Many Records with Bulk API

You know what’s better than being able to upload 5,000 batches a day with Bulk API? If you guessed, “being able to upload 10,000 batches a day,” you’re right! The daily batch limit has been increased to 10,000 for all orgs.

2. Create More Spanning Relationships Per Object in Formulas

Sometimes you want more! We’ve increased the number of unique relationships per object from 10 to 15. This increase is available in both Lightning Experience and Salesforce Classic.

3. Daily Org Limits for Sending Emails with the API Have Increased

Using the Salesforce API or Apex, you can now send single emails to 5,000 external email addresses per day based on Greenwich Mean Time (GMT). You can also send mass email to 5,000 external email addresses per day per org. The maximum number of external email addresses is no longer based on your Salesforce edition. You can use your remaining daily balance of external email addresses in as many mass emails as you’d like, regardless of your edition. This feature is available in both Lightning Experience and Salesforce Classic.

4. Get More Days to Schedule Your Quick Deployments

The time window to quick-deploy your validations has expanded from 4 days to 10 days. This larger time window provides you more flexibility for scheduling your quick deployment and helps minimize the impact on your org.

5. Higher Limits for Standard Picklists

Standard, multi-select picklists can be as detailed as you need them to be with a new limit of 255 characters per entry. This feature is available in both Lightning Experience and Salesforce Classic.

6. Make More API Calls and Get Fewer Headaches When Calculating API Limits

We simplified the API request limit calculation and gave everyone more calls per 24-hour period. For Enterprise Edition, Unlimited Edition, Performance Edition, and Professional Edition with API access enabled, the old calculation was based on your number of licenses and the license types, with a guaranteed minimum of 15,000 calls per 24-hour period. We scrapped the minimum and gave everyone 15,000 more calls. The calculation for Developer Edition orgs and sandboxes remains the same.