This post discusses the top 20 reasons partners fail the AppExchange security review, and how to remediate or prevent these issues …
Here are highlights from the article The Top 20 Vulnerabilities Found in the AppExchange Security Review
1. CRUD/FLS enforcement:
– Failure to check whether the objects and fields a query or DML statement touches are accessible, createable, updateable, and deletable for the running user (the checks behind the Apex describe methods isAccessible(), isCreateable(), isUpdateable(), and isDeletable()).
– The single most common reason for failing the AppExchange security review.
– Review the codebase for every SOQL query and DML statement and confirm that each one is either preceded by a CRUD/FLS check or runs in user mode; Apex otherwise runs in system mode and ignores the user's object and field permissions.
– Prefer user mode: WITH USER_MODE in SOQL and AccessLevel.USER_MODE in Database methods, so the platform enforces the running user's object and field permissions and throws on a violation.
– Use static analysis to find unchecked operations: Checkmarx, PMD (its Apex security rules include ApexCRUDViolation), Salesforce Code Analyzer, and the PMD extension for VS Code.
– Run the Checkmarx scan as a final check for CRUD/FLS violations before submission; scanners miss dynamic queries and indirect DML, so the manual review above is still required.
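The following Apex class is an added example, not code from the original article or from Salesforce; it puts the system-mode pattern that fails the review next to the three accepted remediations (user mode, Security.stripInaccessible, and explicit describe checks). The class and method names are hypothetical; Contact and its Name, Phone, and Email fields are standard. The `with sharing` keyword on the class enforces record-level sharing, which is a separate control from CRUD/FLS and is shown here only so the class does not bypass sharing either.

```apex
// Added example (not from the original article): CRUD/FLS enforcement in Apex.
// Class and method names are hypothetical; Contact fields are standard.
public with sharing class ContactService {

    // BEFORE: Apex runs in system mode. Every field comes back and the insert
    // succeeds even if the running user cannot read Contact.Phone or cannot
    // create Contacts at all. This is the pattern the review flags.
    public static List<Contact> findContactsUnsafe(Id accountId) {
        return [SELECT Id, Name, Phone, Email FROM Contact WHERE AccountId = :accountId];
    }

    public static void createContactUnsafe(Contact c) {
        insert c;
    }

    // AFTER (1): user mode. Query and DML are evaluated against the running
    // user's object and field permissions; a violation throws a
    // QueryException or DmlException instead of silently exposing or writing data.
    public static List<Contact> findContacts(Id accountId) {
        return [SELECT Id, Name, Phone, Email
                FROM Contact
                WHERE AccountId = :accountId
                WITH USER_MODE];
    }

    public static void createContact(Contact c) {
        Database.insert(c, AccessLevel.USER_MODE);
    }

    // Dynamic SOQL takes the same access level; the bind variable is still
    // resolved from the local scope, so no string concatenation is needed.
    public static List<SObject> findContactsDynamic(Id accountId) {
        String q = 'SELECT Id, Name, Phone, Email FROM Contact WHERE AccountId = :accountId';
        return Database.query(q, AccessLevel.USER_MODE);
    }

    // AFTER (2): strip instead of fail. For UI code that should degrade
    // gracefully, Security.stripInaccessible drops the fields the user cannot
    // read and returns the rest; the removed field names are available for logging.
    public static List<Contact> findContactsStripped(Id accountId) {
        List<Contact> raw = [SELECT Id, Name, Phone, Email FROM Contact WHERE AccountId = :accountId];
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, raw);
        System.debug('Fields removed by FLS: ' + decision.getRemovedFields());
        return (List<Contact>) decision.getRecords();
    }

    // AFTER (3): explicit describe checks, the pre-user-mode pattern that the
    // scanners still accept. Check the object AND every field being written,
    // not just the object; a field-only or object-only check still fails review.
    public static void createContactChecked(Contact c) {
        if (!Schema.sObjectType.Contact.isCreateable()
            || !Schema.sObjectType.Contact.fields.Name.isCreateable()
            || !Schema.sObjectType.Contact.fields.Phone.isCreateable()
            || !Schema.sObjectType.Contact.fields.Email.isCreateable()) {
            throw new System.NoAccessException();
        }
        insert c;
    }
}
```

Use the user-mode variants for new code; the describe-check variant is mainly useful when a package must still support an API version that predates USER_MODE. Whichever pattern is used, keep it consistent across the codebase, because a single unchecked query or DML statement is enough to fail the review.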
2. Insecure software version:
– Using an outdated version of third-party software with known, publicly documented vulnerabilities.
– Most often an outdated JavaScript library bundled with the package, with jQuery the usual example.
– Also includes outdated versions of other components the offering depends on, such as nginx, Python libraries, CKEditor, or PHP on any off-platform service.
– Inventory every non-Salesforce library, framework, and piece of software the AppExchange offering uses, including JavaScript shipped as static resources.
– Look each one up by name and version in Snyk or the CVE database, and upgrade anything with an open advisory to a patched release.
– Use the RetireJS engine in Salesforce Code Analyzer to scan the bundled JavaScript automatically.
3. Lack of secure coding practices:
– Failing to follow secure coding practices produces vulnerabilities the review will flag.
– Examples include not validating input data before it reaches a query or a page, not using proper encryption, and not handling errors correctly (for example, surfacing raw exception details to users).
– Follow the secure coding guidelines Salesforce provides.
– Apply input validation, encryption, error handling, and the other security best practices consistently across the codebase.
4. Inadequate authentication and authorization:
– Weak authentication or missing authorization checks lead to unauthorized access.
– Use strong authentication methods, including multi-factor authentication.
– Implement authorization checks that control which users can reach which resources and records.
– Use the platform's own authentication and authorization features (profiles, permission sets, and sharing) rather than reimplementing them in the application.
5. Insufficient data protection:
– Inadequate protection of sensitive data leads to data exposure and breaches.
– Use encryption to protect data both in transit and at rest.
– Follow Salesforce's data protection guidelines.
– Restrict who can reach sensitive data with proper access controls and permissions.
– Review and update data protection measures regularly, especially when new fields or integrations are added.
You can read it here: https://sfdc.blog/KmgXR
Source: developer.salesforce.com