As an Independent Software Vendor (ISV) building apps on the Salesforce platform, ensuring the security and health of your package code is critical. Code scanning tools can help you detect security vulnerabilities and coding issues early in the development process, which is essential for passing the Salesforce security review. In this blog, we’ll explore some of the best code-scanning tools available for Salesforce ISVs.
Source Code Scanners
The following scanners scan all the programming languages commonly used by a Salesforce developer.
Salesforce Code Analyzer (Salesforce CLI Scanner)
This intuitive, open-source tool can scan your package code and identify common coding issues and possible vulnerabilities. Plus, it can detect various security, quality, and performance issues.
Whether you prefer to work on a local developer machine or integrate the scanner into a CI/CD process, installing the Salesforce Code Analyzer is simple and straightforward. What’s more, this tool aggregates PMD, ESLint, RetireJS, Copy-Paste Detector (CPD), and Salesforce Graph Engine, which are powerful analyzers that cover all of the languages a Salesforce developer would typically use.
With the Salesforce Code Analyzer, you can enjoy a single installation process and a single set of commands to interact with multiple rule engines. The scanner uses a unified set of rules that are checked by their respective rule engines, making it easier for you to spot any issues. And when the scanner identifies any violations, you’ll receive a unified rule violation report that includes all issues identified by the engines.
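As an added example (not code from Salesforce or the Code Analyzer project), the script below reads the unified JSON violation report the scanner writes and fails a CI job when any engine reports a finding at or above a chosen severity. The report shape and the sample findings are constructed to match the scanner's JSON output format, and the `sfdx scanner:run` command in the comment is assumed to be the one that produced it.

```python
import json
from collections import Counter

# Constructed sample (not real scanner output) in the shape of the unified JSON
# report written by `sfdx scanner:run --target force-app --format json`:
# one entry per engine and file, each carrying that file's rule violations.
SAMPLE_REPORT = json.dumps([
    {"engine": "pmd",
     "fileName": "force-app/main/default/classes/AccountService.cls",
     "violations": [
         {"line": "14", "column": "9", "severity": 1, "normalizedSeverity": 1,
          "ruleName": "ApexSOQLInjection", "category": "Security",
          "message": "Avoid untrusted/unescaped variables in DML/SOQL query"},
         {"line": "3", "column": "5", "severity": 3, "normalizedSeverity": 3,
          "ruleName": "ApexDoc", "category": "Documentation",
          "message": "Missing ApexDoc comment"}]},
    {"engine": "eslint-lwc",
     "fileName": "force-app/main/default/lwc/banner/banner.js",
     "violations": [
         {"line": "22", "column": "3", "severity": 2, "normalizedSeverity": 2,
          "ruleName": "no-inner-html", "category": "Security",
          "message": "Unsafe assignment to innerHTML"}]},
])


def collect_violations(report_text):
    """Flatten the per-engine report into one list of (engine, file, violation)."""
    findings = []
    for entry in json.loads(report_text):
        for v in entry.get("violations", []):
            findings.append((entry["engine"], entry["fileName"], v))
    return findings


def blocking_findings(report_text, threshold=2):
    """Findings at or above the threshold. Severities run from 1 (high) to 3 (low),
    so 'at or above' means normalizedSeverity <= threshold, as in --severity-threshold."""
    return [f for f in collect_violations(report_text)
            if int(f[2].get("normalizedSeverity", f[2]["severity"])) <= threshold]


def summarize(report_text):
    """Violation counts per engine and per category, for the build log."""
    findings = collect_violations(report_text)
    by_engine = Counter(engine for engine, _, _ in findings)
    by_category = Counter(v["category"] for _, _, v in findings)
    return dict(by_engine), dict(by_category)


if __name__ == "__main__":
    for engine, path, v in blocking_findings(SAMPLE_REPORT):
        print(f"{path}:{v['line']}:{v['column']} [{engine}/{v['ruleName']}] {v['message']}")
    raise SystemExit(1 if blocking_findings(SAMPLE_REPORT) else 0)
```

Run it against the real `--outfile` report in a pipeline step; a non-zero exit blocks the merge while the low-severity documentation finding is still listed in the summary.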
For more detailed information about the Salesforce CLI Scanner, check out the link below.
Checkmarx
If you’re submitting a Salesforce package or component for a security review, it’s essential to use the Checkmarx Source Code Scanner. This tool checks for security vulnerabilities and common coding and design issues in Apex, Visualforce, and Lightning code. However, it’s important to note that it doesn’t scan the external endpoints of a solution.
As a partner, you can benefit from advanced functionality by using the Partner Security Portal. Make sure to leverage the Checkmarx Source Code Scanner to ensure that your Salesforce package or component meets security standards.
For more information on the tool, check out the links below.
Web Application / API Scanners
The following scanners scan the web applications and API endpoints used in your ISV package.
Chimera
Chimera is a cloud-based security scanner designed to check for security vulnerabilities in the external endpoints of your managed package. Unlike some other security scanners, Chimera scans solutions from a Salesforce IP address.
One of the best things about Chimera is that it doesn’t require a download – you can access this scanner from the Partner Security Portal. However, there are some limitations. Chimera cannot be used with endpoints on domains you don’t own because it requires uploading a token to the root of the external server. If your solution connects to endpoints on domains that you don’t own, you won’t be able to upload the token and can’t use Chimera. In such cases, it’s best to use an alternative tool like the free OWASP Zed Attack Proxy (ZAP) scanner or purchase a license for Burp Suite.
For more information on the tool, check out the link below.
https://security.secure.force.com/security/tools/forcecom/scanner
OWASP ZAP
OWASP ZAP is an open-source web application security scanner developed by OWASP for performing security testing. This free tool requires installation on a local system and is an excellent choice if part of your managed package solution is a web application or an external endpoint you don’t control.
ZAP is specifically designed for testing web applications and is flexible and extensible, making it a popular choice for developers and security professionals alike. It can be used to identify vulnerabilities such as SQL injection, cross-site scripting, and other potential security risks. For more information on the tool, check out the links below.
https://owasp.org/www-project-zap/
https://security.secure.force.com/security/tools/webapp/zaprunningscan
Burp Suite
Burp Suite is a comprehensive set of tools used for evaluating web application security. If you want to assess the security of a web application hosted outside of Force.com, then Burp Suite is an excellent choice.
By launching the tool and configuring your web browser to use it as a proxy server, you can intercept, inspect, modify, and analyze all web traffic. This feature enables you to identify and address a wide range of potential security vulnerabilities, such as SQL injection, cross-site scripting, and more. For more information on the tool, check out the link below.
https://portswigger.net/burp
Conclusion
To sum up, it is crucial to conduct security scans on your package code and connected endpoints at different stages of the development process. Performing periodic scans and addressing any flagged issues promptly can help prevent the accumulation of security vulnerabilities, thereby reducing your workload in the future. Using reliable code-scanning tools is essential to ensure the safety and robustness of your package code. Remember to prioritize security throughout the development lifecycle to deliver a secure and dependable package to your users.