Scheduling a Security Assessment (Vulnerability or Penetration Test)
Prior to performing a Security assessment against the Salesforce platform, Salesforce strongly recommends reviewing the latest copies of our third-party Application and Network Vulnerability Assessment Summaries. To request a copy of these documents, please work through your Salesforce Account Team point of contact.
If after reviewing the third-party summaries it is determined that a customer assessment is still required, please complete the following steps to schedule the assessment a minimum of 5 business days prior to starting:
1. Navigate to the Security Assessment Notification Portal.
2. Authorize the Security Assessment Notification Portal to access basic information from your Salesforce instance (e.g. Organization Identification Number, Contact Information). Authorization must be performed by a Salesforce System Administrator who is authenticated to their production Salesforce instance (Developer, Test, Trial and Sandbox instances will not authenticate correctly). Once authenticated via your Production instance, you can submit the Organization ID of the Salesforce instance to be tested (e.g. Production, Developer, Test, Trial and Sandbox).
3. Download the Security Assessment Agreement from the hyperlink, review the agreement, and accept the terms noted in the agreement by checking the checkbox.
Important: In the event a valid written Security Assessment Agreement (SAA) exists between Customer and Salesforce with respect to the same subject matter contemplated herein, the terms and conditions of such existing SAA shall supersede the SAA terms and conditions electronically accepted by Customer herein.
Note: Salesforce doesn't accept redlines of the Security Assessment Agreement.
4. Complete all contact information and testing information fields and click Register in order to submit the request.
5. If submitted successfully, a confirmation email will be sent to the email address auto populated under the section “Your Contact Info” and should appear as follows.
6. Salesforce will review and approve the Security Assessment request. A confirmation email will be sent to the email address auto populated under the field “Your Contact Info” and should appear as follows.
Process Requirements and Restrictions
- Manual testing can be performed at anytime, however, all automated testing needs to be restricted to the weekend (Friday 21:00 PST - Sunday 23:59 PST). You're required to accept the Security Assessment Agreement and submit relevant contact and testing information as noted in step 3 and 4 prior to starting any testing.
- Customers are not permitted to perform a security assessment during a major upgrade or maintenance window on the instance they wish to assess. This schedule can be validated by visiting the public trust website.
Frequently Asked Questions
What data is accessed once authorization is given to the Security Assessment Notification Portal?
The Security Assessment Notification Portal requires that you authorize the form to fetch basic information from your Salesforce Organization and User. This is limited in scope and does not capture any session information or additional data other than Organization ID and Contact information.
We performed an assessment without following the request process, what now?
If the Security Assessment has been performed and was not scheduled through the Security Assessment Notification Portal, you are required to complete the process retroactively. Please complete steps 1-5 above.
Redlines are not accepted on the Security Assessment Agreement, however, our legal is not comfortable with the terms. What do we do?
Please work with your Salesforce Account Team point of contact to engage Salesforce legal counsel in discussing why redlines to the agreement are a non-starter.
Why is our Assessment running into bandwidth restriction issues?
Please log a Support case in the Help & Training portal requesting a temporary increase in limits. In the ticket, please provide a clear business justification and the timeframe for the temporary increase. The request will be submitted to the force.com sites product manager for approval. In addition, be sure to engage your respective Account Executive to sponsor the request.
What is the next step after the Security Assessment is complete and we have findings for review?
Salesforce requires you to validate all findings before circling back to us. This will require a security resource on your end to review and validate findings (especially for automated scanner report output). Review the Platform Security FAQ to assist customers in identifying common false positives.
Any outstanding vulnerabilities should be reported to Salesforce via a Support case through the Help & Training portal, and must include the following information:
- Confirmation number provided in step 5 once the submission process is completed.
- Summary of all findings and associated severity level of each finding.
- Detail assessment report noting each finding.
- Definitively demonstrate how to reproduce the vulnerability.
- Provide applicable HTTP requests/responses.
- Notation as to why this example is believed to be a finding
Note: This process will not cover any vulnerabilities found with custom development (e.g. apex/vf/sites, etc). You'll need to validate and fix any findings with your custom development.