Visit Robert Fly's personal blog on Developer Force

Source Code Scanning

A year back we began supporting source code analysis on Force.com through http://security.force.com/sourcescanner.  We've had great success with it, but the number one piece of feedback we've gotten from all of you was why there wasn't any integration with the Force.com IDE.

Checkmarx, the company we partnered with to provide Force.com source scanning, has stepped up and made an offering available to all of you.  For 90 days, for the first 1000 developers, they'll give away a free version of an Eclipse plugin that can scan all Force.com code (under 100k LoC).  The great thing about this is that you get…

In Blog: engineering | 5 Comments

See You At Dreamforce!

On top of the several security talks that we'll have at Dreamforce, we'll also have a security booth in the dev zone.

Here's what we'll have:

  • Code Consultations
  • Security Quiz (we'll have another prize ;-)
  • General Q&A
  • Demo and a free trial of a new tool which will help native app security/quality

For those interested, sign up for code consultations in the Dreamforce app.  See you there!

 -Robert…

In Blog: engineering

And the winner is…

I was really happy about the number of folks who took the quiz and the interest in it.  More so, I was completely surprised that we had someone actually score 100% on the quiz given its difficulty.  I was even more blown away when I woke up on 12/1 and saw that three folks had scored 100%!

To everyone, congrats and I hope it was useful.  Without further ado, here are your winners:

  1. Shamil Arsunukayev – Comity Designs
  2. Rajendra Singh Ogra – Metacube Software
  3. Arvind Chaudhary – freelancing


Shamil won the RC Helicopter and Rajendra/Arvind will receive…

In Blog: engineering | 4 Comments

String bar = 'raised';

The Developer Security Quiz Challenge has been going on for a couple weeks.  Not too long ago there was a 20 Way Tie – but that's old news.  We've got a new high score.

90%

You can beat it.  Let's have the first 100% score!

We'll close the contest at 23:59:59 PST on 11/30.  Get your quiz in today - http://security.force.com/platformquiz.

  -Robert…

In Blog: engineering | 5 Comments

20 Way Tie

We've had over 75 people take the quiz in the last week attempting to win the RC helicopter and claim eternal fame for their security knowledge.  Here's where we are:

  • The most common score on the quiz is 50%.
  • There is currently a 20 way tie for the top score.
  • That score is 50%.
  • That score needs to be surpassed :)

You can take the quiz more than once with a new email address.  I'd recommend folks view the training and secure coding guidelines, as all of the topics covered are discussed in these two areas.

Take a shot at the quiz and

In Blog: engineering | 5 Comments

Security Talks at Dreamforce

Dreamforce this year will feature a number of talks focusing solely on security with many more touching on the topic.  For those interested, I wanted to highlight the talks with their session abstract in one place.

You can register for this great event at http://www.salesforce.com/dreamforce/DF10/register/.

Secure Cloud Development
At salesforce.com, we believe the success of cloud computing is dependent on earning and maintaining customer trust. As a result, protecting the privacy of customer data is salesforce.com's core value. Join us for this session to learn about the free training, tools, and resources that will help you deliver trusted Force.com applications…

In Blog: engineering

Score High and Win a Prize

We've had several hundred people take our developer security quiz.  No one – yes, NO ONE – has scored 100% on it.  A handful of folks have gotten close and admittedly the quiz is not easy.

We want to see someone get that perfect score and are offering an incentive.  The top score between now and 11/30 will win an e-Flite Blade RC Helicopter.  If there's a tie, we'll randomly select a winner amongst the high scores.  Before you get started on the quiz, take a look at the resources on developer.force.com/security.  In particular check out the training and read the…

In Blog: engineering | 6 Comments

Follow us on Twitter

We recently added a Twitter account.  Follow us @secureclouddev for all the latest news.

 -Robert…

In Blog: engineering

Spot The Bug #3

Here's a new Spot The Bug.  It might be a little trickier than the others, but we're looking for a specific security flaw in this code.  We're still giving away $50 gift certificates per this post.  Last time we had lots of high quality answers and quality still matters over quickness.  I'll give out the answer in a few days.


Visualforce

<apex:page controller="setupTransfer">
    <apex:pageBlock title="Setup Money Transfer">
        <apex:form >
            <apex:outputLabel >From Account :&nbsp;</apex:outputLabel><apex:inputText

In Blog: engineering | 9 Comments

Now With More Awesome

The Force.com Source Scanner was upgraded recently with some new goodies.  Here's what you'll find:

  • New "Beta" rules.  There's a number of rules we haven't yet exposed due to quality or performance issues.  They work pretty well, just not up to our standards completely.  Select "Beta" from the scan type dropdown and you'll get feedback on areas such as CRUD/FLS violations, open redirects, and a few others.  You can find some more documentation on our help page.
  • Stored XSS identification should be improved dramatically.  We are now analyzing the data types, so you shouldn't see false positives where the data retrieved won't allow

In Blog: engineering | 1 Comment