All applications enrolled in the ISVForce or Force.com Embedded Partner Programs must go through a mandatory periodic security review. The Security Review has been developed to assess the security posture of partner offerings, to ensure that applications published on the AppExchange follow industry ...
4 votes, 1 answer, 100 views
Direct API Calls from Visualforce Page
I am finding it pretty exciting to make webservice calls directly from visualforce + javascript. Especially with frameworks like Angular, you can directly consume JSON and render HTML templates pretty ...
1 vote, 1 answer, 58 views
Tooling API and Scheduled Batch Apex - How to access
Without storing a user's credentials to salesforce, how can one access the tooling API during a daily scheduled batch?
Currently we are storing the user's username and password in encrypted fields but ...
2 votes, 1 answer, 31 views
How do I fix this Stored XSS?
The CheckMarx security scanner says that this line is a Stored XSS vulnerability:
<apex:column style="background-color:#{!trade.bgcolor};color:{!trade.fgcolor};">
is this HTMLENCODE the ...
1 vote, 1 answer, 49 views
How do I fix this Reflected XSS vulnerability?
The CheckMarx security scanner says that this line is a Reflected XSS vulnerability.
<apex:outputText value="{0,number,#,##0.00}" style="color:{!nost.balColor};">
However this page
...
4 votes, 1 answer, 74 views
Get a FIRST-CLASS SessionID for API Calls (looking for a clean way or alternative)
I am basically facing the same challenge as @Evan here
Different Session Ids in Different contexts
I'm also running into SessionID related issues, but in a completely different use case. Background ...
1 vote, 1 answer, 145 views
How do I fix this Stored XSS vulnerability?
The CheckMarx security scanner says that the 4th line:
$j('#h{!category}').on('click', function(event) {
in the following script, causes an XSS vulnerability. Can someone explain the best way to ...
0 votes, 0 answers, 20 views
Push Major Upgrades before Security Review possible?
After logging a case to get Push Major enabled, Support refused it. They say it's only available after security review.
Besides the lack of documentation, this makes only halfway sense to ...
11 votes, 2 answers, 455 views
How to pass security review when using “Without sharing” by design?
I failed to pass security review for an app that has two classes using the "without sharing" keyword. Both were not chosen accidentally but by design.
One class is SObjectUnitOfWork.cls from Andrew ...
5 votes, 1 answer, 82 views
Why did I fail Security Review when not checking FLS or using “without sharing”?
I submitted a package for security review which has a Custom Object which has internal / technical semantics only. So it's not created or even seen by users. When a user performs some action some ...
9 votes, 2 answers, 61 views
Rolling back a managed released package?
We have a managed released package currently undergoing security review. While that is happening, we would like to make some changes to the tab layout of our application. Unfortunately, it seems that ...
6 votes, 1 answer, 64 views
How to set a custom setting value in a managed package securely?
My application uses an authorization key stored in a protected custom setting to authenticate users to connect to an external web service. Since you can't define a default value on package install for ...
5 votes, 0 answers, 26 views
Mini Page Layout Hovers in Managed Package
Has anyone using the mini page layout popup technique listed here in a managed package had the package rejected in security review because of it?
This is obviously an unsupported technique, but given ...
8 votes, 1 answer, 38 views
Metadata API usage in a managed package
If I have Apex code in my managed package that makes calls to the metadata API of the org in which it is installed to do various things, e.g. describe page layouts, create Visualforce pages based on ...
1 vote, 2 answers, 51 views
Salesforce security review
I am new to salesforce development and have a question regarding the application security review process. After the installation of my application in salesforce I want to invoke a service in my java ...
3 votes, 0 answers, 50 views
Security Scanner finds XSS False Positives / JSENCODE incompatible with Boolean fields?
Before I submit my app for Security Review, I checked it with the free scanner.
It marked the following line of JS code in a Visualforce page as a Critical XSS vulnerability:
<script>var trueOrFalse = ...
1 vote, 1 answer, 43 views
Security Review Step 5 issue
I've reached Step 5 of the Security Review submission for my new Managed Package. I've created a new Developer Org, installed the package and then proceeded to continue with the review.
At step 5, ...
4 votes, 1 answer, 86 views
Anyone have examples of genuine security issues identified by the Burp Scanner for external web services called via Apex?
Thanks to this blog post Using the Burp Suite to test a Web Service that is consumed in a Salesforce app I believe I have successfully scanned the two web services that my managed package calls. (This ...
4 votes, 1 answer, 102 views
“inputText_Ignoring_FLS” in force security scanner report
I scanned my code and received a Serious issue:
<apex:inputText value="{!ld.Name}" />
I have applied FLS as per the guide here: http://wiki.developerforce.com/page/Enforcing_CRUD_and_FLS
...
4 votes, 2 answers, 133 views
SalesForce Package Distribution Scenarios
I am writing an adapter for SalesForce whose functionality will be to post information about particular events that happened in the CRM to an external WebService.
While I think I understood development ...
11 votes, 1 answer, 359 views
How does Salesforce classify an app as 'Salesforce1 ready'?
As part of the Salesforce1 announcement, Salesforce showcased a list of apps on AppExchange that are 'Salesforce1 ready'. This includes several popular apps such as Box, Concur etc. I want to know how ...
3 votes, 1 answer, 168 views
Security review for free apps in appexchange
We have created one app and are planning to list it in appexchange as a free app. Do we need to pass security review? If yes, is it free or paid? We have a partner developer org to list in Appexchange.
3 votes, 2 answers, 710 views
Managed app installation on Salesforce Production Org
Salesforce has two versions of Managed app:
Managed App ( Beta )
Managed App ( Released )
Currently, in order to do prototype testing, I released a Managed App (Beta) and simulated how a real ...
1 vote, 0 answers, 78 views
SF Security Review Questionnaire - single org solution vs hybrid single org solution
I came across this question in the Salesforce Security Review Process, but I am not sure what to choose.
Is your offering a single org solution or hybrid single org solution?
Options:
A : ...
2 votes, 1 answer, 96 views
Free App for Paid Service
I'm working on getting an app listed on the AppExchange, and we are just about ready to go into the Security Review. We were wondering if it is going to be a problem that we sell our app for free on ...
1 vote, 1 answer, 459 views
Cross-site Scripting (XSS) in security review?
I am getting Cross-site Scripting (XSS) while scanning in the force.com scanner. If I remove the javascript there is no error. What should I change in the javascript code? Please help, it's quite urgent... maybe encode ...
2 votes, 1 answer, 167 views
XSRF issue in security review?
I am getting these from the URL. When I submitted my app for security review,
their report had an XSRF error.
Can someone help me correct this, as I need the oid from the URL? I could find any ...
6 votes, 4 answers, 403 views
Cross-Site Request Forgery (CSRF) CWE
I have the following page:
<apex:page controller="myclass" action="{!clean}">
</apex:page>
and controller class as:
public with sharing class myclass
{
public void clean()
{
...
3 votes, 1 answer, 344 views
Drag & Drop Upload Images to documents - Security Problems
We have developed a Drag & Drop multiple Image Upload with Html5, jQuery and the REST API.
We are wondering what problems this feature can bring up in the security review.
Let me ...
0 votes, 1 answer, 84 views
Running ApexClasses in PE with Security Review and Certification
I have a managed package which I would like to be installed in a Professional Edition.
When I try to install the package in the PE, I get the following error; of course my package has a few ...
10 votes, 2 answers, 114 views
Incomplete code blocks vulnerability
I've submitted my application for Security Review and I've got this problem in the report.
I'm not sure how to fix it.
Let's see the first case:
I have some classes that don't have any code like ...
1 vote, 1 answer, 555 views
How do I run the Burp scanner?
How do I run a Burp scan? Do I have to buy Burp Suite? What is the partner license mentioned in this url?
2 votes, 2 answers, 189 views
Sign up for partner portal
Creating a partner portal is free. Please correct me if I am wrong. I want to start security review for a free application from my AppExchange profile, but I can't do that before paying salesforce. Is ...