
Salesforce Security Developer Cheatsheet-1

This document provides an overview of security features and resources available on the Force.com platform, including the ESAPI security library, sharing and CRUD/FLS controls, Visualforce escaping functions, and the Crypto class. It summarizes key classes, methods, and functions for enforcing access controls, encrypting and decrypting data, and escaping input to prevent vulnerabilities like cross-site scripting.

Uploaded by

bhadec05
Security Cheat Sheet

Overview

Protecting the privacy of customer data and maintaining trust are salesforce.com’s core values. The Force.com platform has numerous built-in security features and protections, which can be utilized by our org administrators and developers. In addition, a number of free security resources are available to assist developers with education, design, and development of their applications.

Sharing Keywords – Force.com

Controls record-level security of data. These keywords are used in Apex class declarations.

with sharing    Operate with the calling user’s sharing rights. Recommended.
without sharing    Operate without the calling user’s sharing rights. Generally only recommended for classes doing reporting or data aggregation.
<unspecified sharing>    Inherit sharing from calling class. Not recommended for Visualforce controllers or Web services.

CRUD (Create, Read, Update, Delete) – Force.com

Controls object-level security of data. These are standard sObject and field methods.

isCreateable()    Returns true if instances of this object can be created by the current user, false otherwise.
isAccessible()    Returns true if the current user can see instances of this object type, false otherwise.
isUpdateable()    Returns true if instances of this object can be updated by the current user, false otherwise.
isDeletable()    Returns true if instances of this object can be deleted by the current user, false otherwise.

FLS (Field Level Security) Describe Calls – Force.com

Controls access to object fields. These are standard sObject and field methods.

isCreateable()    Returns true if the field can be created by the current user, false otherwise.
isAccessible()    Returns true if the current user can see this field, false otherwise.
isUpdateable()    Returns true if the field can be edited by the current user, false otherwise.

Visualforce Escaping Functions – Force.com

Server-side functions to escape data to prevent cross-site scripting.

Example:
<html><head><title>
{!HTMLENCODE($Request.title)}
</title></head></html>

JSENCODE    Escapes data for use in JavaScript quoted strings.
JSINHTMLENCODE    Escapes data for use in JavaScript quoted strings that will be used in HTML tags.
HTMLENCODE    Escapes data for use in HTML tags.
URLENCODE    Escapes data for use in URLs according to RFC 3986 syntax.

ESAPI Functions – Force.com

ESAPI security library for Force.com available at http://code.google.com/p/force-dot-com-esapi.

SFDCAccessController Class

Provides access control functionality to enforce CRUD/FLS and sharing in the Force.com platform.

setSharingMode()    Configures the library to operate with sharing, without sharing, or to inherit sharing.
setOperationMode()    Configures the library to require all operations be successful or to omit changes for which the user does not have access.
insertAsUser()    Insert objects while respecting the user’s access rights.
updateAsUser()    Update objects while respecting the user’s access rights.
deleteAsUser()    Delete objects while respecting the user’s access rights.
getViewableFields()    Return a list of object fields that are viewable by the current user.
getUpdateableFields()    Return a list of object fields that are updateable by the current user.
getCreatableFields()    Return a list of object fields that are creatable by the current user.
isAuthorizedToView()    Returns whether or not the current user is authorized to view a given list of fields of a given object.
isAuthorizedToCreate()    Returns whether or not the current user is authorized to create a given list of fields of a given object.
isAuthorizedToUpdate()    Returns whether or not the current user is authorized to update a given list of fields of a given object.
isAuthorizedToDelete()    Returns whether or not the current user is authorized to delete a given object.

SFDCEncoder Class

Provides text escaping functions for Force.com.

SFDC_JSENCODE    Escapes data for use in JavaScript quoted strings.
SFDC_JSINHTMLENCODE    Escapes data for use in JavaScript quoted strings that will be used in HTML tags.
SFDC_HTMLENCODE    Escapes data for use in HTML tags.
SFDC_URLENCODE    Escapes data for use in URLs according to RFC 3986 syntax.

Crypto Class – Force.com

Provides standard algorithms for creating digests, message authentication codes, and signatures, as well as encrypting and decrypting information using AES. Encryption keys should be stored securely within a Protected Custom Setting.

encrypt()    Encrypts the blob clearText using the specified algorithm, private key, and initialization vector. Use this method when you want to specify your own initialization vector.
encryptWithManagedIV()    Encrypts the blob clearText using the specified algorithm and private key. Use this method when you want salesforce.com to generate the initialization vector for you.
decrypt()    Decrypts the blob cipherText using the specified algorithm, private key, and initialization vector.
decryptWithManagedIV()    Decrypts the blob IVAndCipherText using the specified algorithm and private key. Use this method to decrypt blobs encrypted using the encryptWithManagedIV method.
generateAesKey()    Generates an AES key of the specified size.
generateDigest()    Computes a one-way hash digest based on the input string and algorithm.
generateMac()    Computes a message authentication code (MAC) for the input string, using the private key and the specified algorithm.
getRandomInteger()    Returns a random Integer.
getRandomLong()    Returns a random Long.
sign()    Computes a unique digital signature for the input string, using the supplied private key and the specified algorithm.
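
The Crypto methods above combined with key storage in a custom setting, as an added example that is not part of the original cheat sheet. The custom setting Crypto_Settings__c, its field AES_Key__c, and the class and exception names are hypothetical.

```apex
// Added example, not code from the cheat sheet. Crypto_Settings__c (a protected
// hierarchy custom setting) and its text field AES_Key__c are hypothetical names.
public with sharing class FieldCrypto {

    public class KeyMissingException extends Exception {}

    private static final String ALGORITHM = 'AES256';

    // One-time setup: generate a 256-bit key and store it base64-encoded
    // in the custom setting instead of hard-coding it in Apex.
    public static void provisionKey() {
        Crypto_Settings__c cfg = Crypto_Settings__c.getOrgDefaults();
        if (cfg == null) {
            cfg = new Crypto_Settings__c(SetupOwnerId = UserInfo.getOrganizationId());
        }
        if (String.isBlank(cfg.AES_Key__c)) {
            cfg.AES_Key__c = EncodingUtil.base64Encode(Crypto.generateAesKey(256));
            upsert cfg;
        }
    }

    // Fails closed when no key has been provisioned.
    private static Blob loadKey() {
        Crypto_Settings__c cfg = Crypto_Settings__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.AES_Key__c)) {
            throw new KeyMissingException('AES key has not been provisioned');
        }
        return EncodingUtil.base64Decode(cfg.AES_Key__c);
    }

    // encryptWithManagedIV() generates a fresh IV per call and prepends it to the
    // ciphertext, so the IV does not need to be stored separately.
    public static String encrypt(String clearText) {
        Blob ivAndCipherText =
            Crypto.encryptWithManagedIV(ALGORITHM, loadKey(), Blob.valueOf(clearText));
        return EncodingUtil.base64Encode(ivAndCipherText);
    }

    // Takes the base64 string produced by encrypt() and returns the clear text.
    public static String decrypt(String stored) {
        Blob ivAndCipherText = EncodingUtil.base64Decode(stored);
        return Crypto.decryptWithManagedIV(ALGORITHM, loadKey(), ivAndCipherText).toString();
    }
}
```

The Protected visibility of a custom setting only hides its values from the subscriber org when the setting ships inside a managed package.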
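
The sharing keyword and the CRUD/FLS describe calls listed earlier in this sheet, applied together in one class, as an added example that is not part of the original cheat sheet. The class name, exception name and the chosen Contact fields are assumptions for illustration.

```apex
// Added example, not code from the cheat sheet. ContactLookup and
// AccessException are hypothetical names.
public with sharing class ContactLookup {   // record-level: caller's sharing rules apply

    public class AccessException extends Exception {}

    // Read path: check object-level (CRUD) access, then keep only the
    // fields the running user is allowed to see (FLS) in the SELECT list.
    public static List<Contact> contactsFor(Id accountId) {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AccessException('No read access to Contact');
        }
        Map<String, Schema.SObjectField> fieldMap =
            Schema.sObjectType.Contact.fields.getMap();
        List<String> readable = new List<String>();
        // Fixed allow-list of field names, so no user input reaches the query text.
        for (String name : new List<String>{ 'Name', 'Email', 'Phone' }) {
            Schema.SObjectField token = fieldMap.get(name);
            if (token != null && token.getDescribe().isAccessible()) {
                readable.add(name);
            }
        }
        if (readable.isEmpty()) {
            throw new AccessException('No readable Contact fields');
        }
        String soql = 'SELECT ' + String.join(readable, ', ')
                    + ' FROM Contact WHERE AccountId = :accountId';
        return Database.query(soql);
    }

    // Write path: require both object-level and field-level edit rights
    // before performing DML, since Apex does not enforce them on its own.
    public static void updateEmail(Id contactId, String newEmail) {
        if (!Schema.sObjectType.Contact.isUpdateable()
                || !Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AccessException('No edit access to Contact.Email');
        }
        update new Contact(Id = contactId, Email = newEmail);
    }
}
```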

http://developer.force.com
Custom Setting Methods

Special objects and field methods that support a “protected” mode for storing sensitive information like encryption keys.

getAll()    Returns a map of the data sets defined for the custom setting. List custom settings only.
getInstance()    Returns the “lowest level” custom setting data set for the specified dataset name, user ID, Profile ID, or current user (depending on parameters and setting type). Identical to getValues() for List custom settings.
getValues()    Returns only the custom setting data set for the specified dataset name, user ID, Profile ID, or current user (depending on parameters and setting type).
getOrgDefaults()    Returns the custom setting data set for the organization. Hierarchy custom settings only.

Password Policies

Controls available for enabling password restrictions and account lockout settings. These settings can be found under Setup | Security Controls | Password Policies.

Setting Name    Description    Recommended
User passwords expire in    Frequency to automatically expire passwords.    90 days
Enforce password history    Number of previous passwords to save to prevent password re-use.    5 passwords remembered
Minimum password length    Minimum length of a password.    8 characters
Password complexity requirement    Controls whether the password contains a mix of letters and numbers.    Must mix alpha and numeric
Password question requirement    Require the user’s password hint to not contain the password.    Cannot contain password
Maximum invalid login attempts    Number of invalid logins allowed before locking out the account.    5
Lockout effective period    Length of time an account remains locked out.    30 minutes

Login and Authentication Settings

Login and Authentication features and restrictions. These settings should be enabled as appropriate for your company.

Setting Name    Description    Location
IP Address Restrictions    User logins can be restricted to a specific IP address or a range of IP addresses.    Setup | Security Controls | Network Access (everyone); Setup | Manage Users | Profiles (individual profiles)
Time of Day Restrictions    User logins can be restricted to specified times of the day.    Setup | Manage Users | Profiles
Single Sign-On Options    Enable delegated authentication or federated authentication via SAML.    Delegated authentication: Contact Support; Federated authentication: Setup | Security Controls | Single Sign-On Settings

Session Settings

Controls available for general session handling settings, including session timeout. These settings can be found under Setup | Security Controls | Session Settings.

Setting Name    Description    Recommended
Timeout value    Idle session time before automatically logging user out of Salesforce.    30 minutes
Disable session timeout warning popup    Disable the warning browser pop-up when a user is about to be logged out from the idle session timeout.    Yes
Lock sessions to the IP address from which they originate    Force the user session to remain locked to the IP address from which the user authenticated. May impact AppExchange installations.    Yes (if possible)
Require secure connections (https)    Require HTTPS on all page requests.    Yes
Enable caching and autocomplete on login page    Allow the user’s browser to store and auto-complete usernames or passwords after first login.    No

Auditing and Logging

Salesforce provides several types of audit logs for monitoring logins and changes to your organization.

Setting Name    Description    Location
User Login History    All successful and failed login attempts are recorded and saved for 180 days.    Setup | Manage Users | Login History
Setup Audit Trail    Every configuration (Setup) change is logged and archived for 180 days.    Setup | Security Controls | View Setup Audit Trail
Object History Tracking    Selected standard and custom fields can be enabled to track the change history.    Setup | Customize | [object type] | Fields | Set History Tracking

Sensitive Permissions

When using profiles, we recommend reviewing profiles for these sensitive permissions. Permissions per profile can be viewed at Setup | Manage Users | Profiles.

Permission    Description
Author Apex    Can modify and deploy Apex. By default, Apex code runs with full administrative privileges.
Customize Application    Make configuration changes to the organizational settings.
Download AppExchange packages    Install or uninstall packages from the AppExchange.
Manage Users    The ability to create or modify user accounts, including logins, sharing rules, and login restrictions.
Modify All Data    This permission gives the user the ability to create, edit, or delete all data in Salesforce.
Password Never Expires    Prevent the password from expiring.
View All Data    View all data owned by other users.

For other cheatsheets: http://developer.force.com/cheatsheets 030712
