Apex coding standards and avoiding security vulnerabilities

Last Updated on July 25, 2017 by Rakesh Gupta

Risk

Salesforce.com Inc. is a global cloud computing company headquartered in San Francisco, California. Salesforce.com is best known for its customer relationship management (CRM) products such as Sales Cloud, Service Cloud, Chatter and the Salesforce1 platform. These days companies use it to streamline their sales or service processes. Implementing Salesforce sometimes requires writing Apex and Visualforce code. In this article I will discuss how a customer, project manager, administrator or developer can make sure that the code written for them follows the Apex coding standard and avoids security vulnerabilities. This article will also help Salesforce ISV partners ensure that the app they are developing for AppExchange passes the security review on the first attempt. Below are a few ways to review or scan the code:

  1. Peer review
  2. Hire a technical expert for a code review
  3. Use an automated tool such as Checkmarx

Now follow the instructions below to use Checkmarx.

Create Checkmarx account

It is very easy to create a Checkmarx account. Open https://www.cxcloud.com/CxSaasPortal/Login.aspx?logout=true in your browser and click the Signup link, as shown in the following screenshot.

Signup for Checkmarx

To learn more about enterprise use and pricing, contact a Checkmarx sales representative.

How to use Checkmarx?

To use this app, follow the instructions below:

  • Click the Create New Project button, as shown in the following screenshot.
Create New Project step – 1
  • You will be redirected to a new window where you enter the new project details (such as Name and Scan Type) and click the Next button.
  • On the next screen you will get the option to select your source code origin. In this demo I will upload the code as a zip file and click Next, as shown in the following screenshot.
Create New Project step – 2

Note: the zip file should contain nothing but the code you want to scan.

  • On the next screen select the zip file and click the Scan button to start the scan.
  • As soon as the scan completes, click the View Results link to view the details, as in the following screenshot.
View Result
  • On the detailed results page you can open the code viewer by clicking the Open Code Viewer button; you also get Delete Scan Details and Export options. The number of risks (8 in this example) and other details such as start date, end date and scan risk appear under the Scan Details section.
Detail Results
  • Click the Export Report link and select PDF full to download the result as a PDF, so you can share the detailed result with your developers, customers, etc.
  • The PDF contains a detailed description of each vulnerability.

This tool is user friendly and easy to use. If you are a project manager or system administrator and someone asks you to review code, don't get tense; use this tool. #Adminrock 🙂

You can also use the “Force.com Security Source Code Scanner” tool, powered by Checkmarx. It is a free, web-based tool that requires only a Salesforce username (the user must have the Author Apex permission, and the organization must contain fewer than 500,000 lines of code). For the same source organization/username, scans are automatically rejected if a scan request was submitted in the last 2 hours or there is an outstanding scan request in the queue. For automated submissions, do not scan the same organization more than twice per week. If you want to run your own scanner, contact Checkmarx to purchase a license.
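Preparing the upload archive, as an added example that is not part of the original post: this Python script gathers only Apex and Visualforce source files from a project directory (the extension list and folder layout are assumptions), leaves everything else out, as the note on the zip file above asks, and counts their lines against the 500,000-line limit stated for the Force.com scanner. The sample project it writes is constructed inline.

```python
import tempfile, zipfile
from pathlib import Path

# Assumed Apex/Visualforce source extensions (the post does not list them).
SOURCE_EXTENSIONS = {".cls", ".trigger", ".page", ".component"}
# Line-of-code limit the post states for the free Force.com scanner.
MAX_LINES = 500_000

SAMPLE_FILES = {  # constructed sample project; README.md must stay out of the zip
    "classes/AccountService.cls": "public class AccountService {\n}\n",
    "classes/AccountTrigger.trigger": "trigger AccountTrigger on Account (before insert) {\n}\n",
    "pages/Home.page": "<apex:page>\n</apex:page>\n",
    "README.md": "documentation, not code to scan\n",
}

def collect_sources(project_dir):
    """Return (path, line_count) for each source file, skipping hidden dirs such as .git or .sfdx."""
    root = Path(project_dir)
    found = []
    for path in sorted(root.rglob("*")):
        hidden = any(part.startswith(".") for part in path.relative_to(root).parts)
        if hidden or not path.is_file() or path.suffix not in SOURCE_EXTENSIONS:
            continue
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            found.append((path, sum(1 for _ in fh)))
    return found

def build_scan_zip(project_dir, zip_path):
    """Zip only the source files; return (file_count, total_lines, within_limit)."""
    root = Path(project_dir)
    sources = collect_sources(root)
    total_lines = sum(count for _, count in sources)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, _ in sources:
            zf.write(path, arcname=path.relative_to(root).as_posix())
    return len(sources), total_lines, total_lines < MAX_LINES

def run_demo():
    """Write the sample project to a temp dir, zip it, and return the summary plus archive members."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_FILES.items():
            target = Path(tmp) / "project" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        zip_path = Path(tmp) / "scan.zip"
        summary = build_scan_zip(Path(tmp) / "project", zip_path)
        with zipfile.ZipFile(zip_path) as zf:
            members = sorted(zf.namelist())
    return summary, members
```

Run `run_demo()` to see the summary for the sample project; point `build_scan_zip` at a real project directory to produce the archive you upload to Checkmarx.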

4 thoughts on “Apex coding standards and avoiding security vulnerabilities”

  1. I tried this but it failed. I have a zip file containing an Apex class in txt format. When I load the zip file and scan, I get the error message that it failed (Error Message: There is some technical problem with the code you are scanning). Do I need to zip my total project and scan, or can I scan an individual class??

  2. Seems like your blog made its traffic too high 🙂
    “Due to high volume, an application can only be scanned every 24 hours. Please submit the application again after Jun 25, 4:57 PM. We apologize for any inconvenience.”
