Apex Language Vulnerabilities and Overview

Apex Language Vulnerabilities and Overview

What is Apex?

Apex is Salesforce’s proprietary programming language used for building applications to manage data and processes in the Force.com framework. Apex, the world’s first “on demand programming language,” enables thousands of Salesforce AppExchange applications to add business logic to system events and Visualforce pages.

Who uses Apex?

In addition to Salesforce AppExchange partners, many large Salesforce customers also use Apex to code their own applications for internal company use. Also, companies may hire partners and consultants for app development and salesforce customization.

Top Independent Software Vendor (ISV) Architects from the Salesforce Partner Community discuss using Checkmarx. View the full, original video here.

Apex Language Vulnerabilities:

For the 2,500+ applications live on the SalesForce AppExchange, the thousands of organizations utilizing their services, as well the countless organizations using Apex code for internal use, application security is a major concern. Apex applications face potential threats from cross site scripting (XSS), SOQL and SOSL injections, frame spoofing and more.

To date, Checkmarx has detected over 2.5 million vulnerabilities in Apex code including:

  • Cross Site Scripting

  • SOQL Injections

  • SOSL Injections

  • Frame Spoofing

  • Access Control Issues

For a full list of queries that Checkmarx scans for, visit our query database.

Checkmarx and Apex Code:

Since 2008, Checkmarx has been Salesforce’s official Static Application Security Testing (SAST) partner. The result of this partnership is Salesforce’s Security Source Scanner which is a cloud-based source code analysis (SCA) scanner built directly into Force.com.

The Checkmarx powered Force.com Security Source Scanner acts as a security gatekeeper for new, and updated, applications being uploaded to the Salesforce AppExchange platform in order to further enhance the security, productivity and efficiency of the AppExchange security review process. To date, the Security Source Scanner has scanned over 2 billion lines of code.

Source Code Analysis significantly reduces the amount of penetration testing iterations that Salesforce, and third party organizations, need to endure during their security reviews thus allowing the applications to get to market faster.

The Free Force.com Security Source Scanner

The Force.com Security Source Scanner offers AppExchange vendors the opportunity to scan their applications for security and design issues at a rate of 180,000 lines of code every six months. Vendors with smaller applications and infrequent scans are the best fit for the free Force.com scanner.

In addition to Apex, the Force.com scanner also analyses VisualForce, JavaScript and HTML5 for design and security issues. Upon completion, the application vendor receives an email report containing an HTML report outlining any identified issue that arose during the scan as well as an xml file that containing the same information in a structured format.

Robert Sussland, Product Security Team at Salesforce, discusses Checkmarx with Salesforce customers. View the full, original video here

Who scans their code with the Force.com scanner?

The Force.com Security Source Scanner is free and available for use by both Salesforce customers and AppExchange partners.