Security compliance of code is important, and it's tough to escape when you're planning to list your app on AppExchange. My previous post, "Preparing for security review process", lists the various steps for the same. One of the required steps is submitting your code to the "Force.com security scanner"; this scanner scans the code and emails you back the results. This worked decently in the past, but it would be nicer if:
- We didn't have to wait for the scanner's email, as its delivery time is not guaranteed to be within X hours.
- One could track the code quality for improvement or degradation over time.
- It integrated with a code versioning system like Git, to pull the code and scan it as required.
Looking forward to the same.
Exploring – *NEW* Checkmarx Online Code Scanner
I recently came across this new online code scanner by Checkmarx. This scanner addresses all of the problems listed above and gives rich insights. Here are a couple of video screencasts that walk you through the functionality of this new scanner.
Introduction to Checkmarx Online Scanner
How to scan code?
Viewing the scan results and understanding the security issues
Register online and start scanning
You must be getting curious to scan and explore this online tool; here is the link to register and get you started for free:
Some probable FAQs
I was bugged by these questions, which I got cleared from the Checkmarx team.
Question #1: Is the Checkmarx online scanner free?
Answer: As of now they are offering a free trial account, most probably for an unknown time. More details to come soon, but there is no harm in playing around and exploring while it's free, to gain more confidence in your investment decision on this scanner (if it becomes paid in future).
Question #2: What is the difference between Scan Type "Default" and "Top 10", and what are all the rules the Default scan is running?
Answer: "Top 10" searches the client source code for the top 10 security vulnerabilities as defined by OWASP, the leading source for information on web application security. The "Default" (or Checkmarx Strong Scan) setting contains the OWASP Top 10 plus many other queries identified by Checkmarx security experts as being a dangerous risk for web applications (Checkmarx can run over 1000 security queries!).
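To make the "Top 10" category concrete, here is an added Apex example (not code from the post or from Checkmarx) of the kind of finding an OWASP injection query raises in Force.com code, shown beside two hardened forms. The class and method names are hypothetical; the fixes rely on the platform's own static SOQL bind variables and `String.escapeSingleQuotes()`.

```apex
// Added illustration, not from the original post: an OWASP-category (injection) finding
// in Apex and its remediation. Class and method names are hypothetical.
public with sharing class AccountSearch {

    // VULNERABLE: user-controlled input is concatenated straight into a dynamic SOQL string.
    // A single quote in the input closes the string literal and alters the query's meaning;
    // a scanner reports this as SOQL injection.
    public static List<Account> findUnsafe(String nameFragment) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + nameFragment + '%\'';
        return Database.query(soql);
    }

    // HARDENED (preferred): static SOQL with a bind variable. The platform treats the bound
    // value strictly as data, never as query syntax, so no escaping is required.
    public static List<Account> findSafe(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    // HARDENED (when dynamic SOQL is unavoidable): escape single quotes before concatenating,
    // so the input cannot terminate the string literal.
    public static List<Account> findSafeDynamic(String nameFragment) {
        String escaped = String.escapeSingleQuotes(nameFragment);
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + escaped + '%\'';
        return Database.query(soql);
    }
}
```

The `with sharing` keyword is kept on purpose: record-level sharing is enforced for the running user, which is a separate check the security review expects alongside the injection fix.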
Question #3: From the results point of view, is "Code Retention 24 hours" the same as "Keep the code", only the stored code is dumped after 24 hours?
Answer: Correct. "Purge the code in 24 hours" means that the code will automatically be deleted. "Keep the code" keeps access to the code available for the developer to continuously refer to. Users can also manually remove the code from the servers when ready by pressing Delete.
Question #4: What other languages are supported?
Answer:
Question #5: Can we trust Checkmarx from a security and code protection standpoint?
Answer: Yes, one can trust Checkmarx; here is good reasoning about the same.
- All interactions between the client and Checkmarx are HTTPS secured.
- In addition, sensitive data (passwords, etc.) is encrypted within the database.
- While the source code is being scanned, it resides within the Amazon Web Services (AWS) cloud environment, which is a fully accredited and secure solution.
- This online PDF document gives finer details on the same.
- Here is a link about the classic Checkmarx scanner on the Salesforce site, which explains the process: https://security.secure.force.com/security/tools/forcecom/scannerhelp
References and related reading
- Register for Checkmarx online scanner
- Preparing for Salesforce AppExchange Security Review!
- Force.com ESAPI, a key to simplify Apex security compliance!