Prior to about a week ago, if you went to this page and requested a Force.com Security Source Code Scan, you would have most likely gotten an error telling you that it could not be done and that you would need to submit a case.
Luckily, Salesforce has resolved this issue, and you can now simply go to the link above, enter your credentials, and scan your org against its security and quality rules. The scan will take a while to run (several hours, or perhaps even days), but I promise it is worth the wait.
What you get back is a very thorough report covering your entire codebase. It flags not only security issues (and I am sure you will be amazed at how many critical violations it finds) but also evaluates whether your code follows best practices for quality.
For example, it will scan your code to tell you where you have code that does the following:
- Queries With No Where Or Limit Clause
- Multiple Trigger On same sObject
- Hardcoded Ids
- DML Statements Inside Loops
- SOSL SOQL Statements Inside Loops
- Async Future Method Inside Loops
- Test Methods With No Assert
- Need to Bulkify Apex Methods Using Collections In Methods
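To make those rules concrete, here is an added example (not from the original post, and not the scanner's own code) of an Apex handler written the way the scanner flags it, followed by the bulkified rewrite and a test that actually asserts something. The object and field names (Account, Contact, a custom Contact_Count__c Number field, an Account named 'Unassigned') and the placeholder Id are assumptions for illustration.

```apex
// BEFORE: trips the Hardcoded Ids, SOQL Inside Loops, DML Inside Loops and
// Queries With No Where Or Limit Clause rules. A trigger (not shown) would call this.
public with sharing class ContactHandlerBefore {
    public static void onBeforeInsert(List<Contact> newContacts) {
        for (Contact c : newContacts) {
            if (c.AccountId == null) {
                // Hardcoded Id: record Ids differ between sandbox and production, so after
                // deployment this silently points at the wrong Account (or none at all).
                c.AccountId = '001000000000001AAA'; // constructed placeholder Id
            }
            // SOQL inside a loop, with no WHERE or LIMIT: one full-table query per inserted
            // Contact, which exhausts the per-transaction SOQL governor limit on a bulk load.
            List<Account> allAccounts = [SELECT Id, Contact_Count__c FROM Account];
            for (Account a : allAccounts) {
                if (a.Id == c.AccountId) {
                    if (a.Contact_Count__c == null) {
                        a.Contact_Count__c = 0;
                    }
                    a.Contact_Count__c += 1;
                    update a; // DML inside a loop: one statement per record instead of one per batch
                }
            }
        }
    }
}

// AFTER: the bulkified rewrite that passes the same rules.
public with sharing class ContactHandlerAfter {
    public static void onBeforeInsert(List<Contact> newContacts) {
        // Resolve the fallback Account by a stable attribute instead of a hardcoded Id.
        List<Account> fallback = [SELECT Id FROM Account WHERE Name = 'Unassigned' LIMIT 1];
        // Collect the work first: how many new Contacts land on each Account.
        Map<Id, Integer> increments = new Map<Id, Integer>();
        for (Contact c : newContacts) {
            if (c.AccountId == null && !fallback.isEmpty()) {
                c.AccountId = fallback[0].Id;
            }
            if (c.AccountId != null) {
                Integer n = increments.containsKey(c.AccountId) ? increments.get(c.AccountId) : 0;
                increments.put(c.AccountId, n + 1);
            }
        }
        if (increments.isEmpty()) {
            return;
        }
        // One query outside the loop, filtered to the Accounts actually touched.
        Set<Id> accountIds = increments.keySet();
        List<Account> toUpdate = [SELECT Id, Contact_Count__c FROM Account WHERE Id IN :accountIds];
        for (Account a : toUpdate) {
            if (a.Contact_Count__c == null) {
                a.Contact_Count__c = 0;
            }
            a.Contact_Count__c += increments.get(a.Id);
        }
        update toUpdate; // one DML statement for the whole batch
    }
}

// Test Methods With No Assert: a test that only executes code proves nothing. This one
// checks the result, and inserting 200 records shows the handler survives a bulk load.
@isTest
private class ContactHandlerAfterTest {
    @isTest
    static void countsContactsInBulk() {
        Account acct = new Account(Name = 'Bulk Test Account', Contact_Count__c = 0);
        insert acct;
        List<Contact> contacts = new List<Contact>();
        for (Integer i = 0; i < 200; i++) {
            contacts.add(new Contact(LastName = 'Test' + i, AccountId = acct.Id));
        }
        Test.startTest();
        ContactHandlerAfter.onBeforeInsert(contacts);
        Test.stopTest();
        Account result = [SELECT Contact_Count__c FROM Account WHERE Id = :acct.Id];
        System.assertEquals(200, result.Contact_Count__c, 'every Contact in the batch should be counted');
    }
}
```

The pattern in the rewrite is the one the scanner's bulkify rule is asking for: gather the Ids from the trigger batch into a collection, run a single filtered query and a single DML statement against that collection, and keep both out of the loop.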
I think everyone should take the time to have their orgs scanned and review the results. I suspect that even the most diligent of development shops will find some issue that needs to be addressed.
I know security is probably not your favorite subject. But these days, it seems like every day there is another major story about some big company suffering a major security breach. A lot of companies use Salesforce because it is secure, and that trust is so important. But as a developer, you have to realize that there are MANY ways you can bypass all the terrific security features Salesforce has put in place.
Developers have lots of flexibility that gives them power, but with power comes responsibility. It is so important you are aware of all the ways you may inadvertently make your app vulnerable to attack. Unfortunately, most of the documentation on this subject is loooooonnnnnggg and how shall I say this….BORING!
Well, for all you visual learners who really love practical examples, help has arrived. The Salesforce security team has begun a series of webinars designed to get developers up to speed with practical, code-based demonstrations that show:
- How we as developers can inadvertently bypass security
- What you can do to correct the mistake and make your app secure again
So far there are only two webinars in the series, but just watching these two will probably teach you more than you would get by trying to pore through and interpret all that other boring documentation.
Hope you find these as helpful and enlightening as I did. And thanks to the Security team for taking the time to put the sample app together along with these webinars.