Nerd @ Work

When Salesforce is life!

Quick Guide to Salesforce Firewall Configuration

Today’s guest post is delivered by Gilad David Maayan, a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.


What is eCDN Web Application Firewall?

Salesforce Commerce Cloud provides a built-in content delivery network called eCDN, designed to accelerate site access and content delivery. It provides a safer and more reliable online shopping experience.

The eCDN also includes a web application firewall (WAF). Unlike a network firewall that inspects network traffic and blocks attacks at the network level, a WAF can protect application-layer traffic from web security threats and common web application vulnerabilities. For example, WAFs can protect against SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). The WAF is automatically updated with new rules and attack patterns to stay ahead of evolving threats.

How Does eCDN WAF Work?

eCDN WAF looks at all interactions with merchant websites—legitimate shopper behavior, bot traffic, and potentially malicious requests. All requests to the storefront are made over HTTP/S or AJAX. The WAF scrutinizes all requests, identifying common patterns of legitimate web traffic and possible attack patterns, and filtering out malicious traffic. The WAF can identify unusual or malicious traffic and block it to prevent security threats from reaching the eCommerce server. eCDN WAF also inspects website addresses and URLs to detect anomalies like malicious redirects.

When a suspicious request is made to a merchant’s site, the eCDN WAF evaluates the request and applies the action configured by the merchant:

  • If the selected action is “challenge”—the suspicious user is presented with a CAPTCHA and must submit it successfully to proceed to the next page. If the user does not successfully complete the CAPTCHA, the WAF blocks the request before it reaches the Commerce Cloud.
  • If the selected action is “block”—the suspicious user is immediately blocked.

Merchants can manage eCDN WAF in the Business Manager interface. They can configure WAF and access logs, and define how tightly their security settings should be enforced by setting the WAF to low, medium, or high security. WAF configuration is individual to each merchant site and depends on the type of traffic a website receives and the level of risk tolerance for the merchant’s business operations.

A lower setting might be appropriate if a brand uses bots, or accepts the use of certain types of bots, which might trigger the WAF too frequently.

eCDN WAF Modes of Operation

When responding to potential web application threats, eCDN WAF inspects each incoming request, assigns a threat score, and responds appropriately. The WAF uses OWASP definitions to detect common web application attacks. Each incoming request that triggers an OWASP rule increases the overall threat score.

WAF uses three modes of operation to respond to detected OWASP threats:

  • Simulate—logs events without blocking or challenging web requests. This option allows administrators to see the impact the WAF would have in challenge or block mode and decide which mode of operation is best for their online store.
  • Challenge—when challenge mode is enabled, suspected malicious users must fill in a CAPTCHA before accessing the store. Challenge mode is useful when there is a risk the WAF might accidentally target legitimate shoppers. Challenge mode allows a legitimate user to enter CAPTCHA information and continue their shopping experience.
  • Block—if an incoming web request is suspicious, a blocked page is displayed and the web request is prevented from reaching the server. The block option is the most effective against threat actors. However, this option is also the most restrictive. If the WAF incorrectly identifies a real shopper as malicious, the shopper is blocked and cannot enter the store.

Working with Simulation Mode

If you are new to WAF, Salesforce recommends running WAF in simulation mode for at least one week. Simulation mode captures and records information about site traffic.

You can review the generated logs to make data-driven decisions about firewall requirements and decide how to best configure the WAF. When reviewing logs, consider the following:

  • Which rules are triggered and how often are they executed?
  • Which region triggered the rule, and do you sell to or ship to this country?
  • Which IP addresses are associated with suspicious requests identified by WAF rules? Doing an IP lookup of a suspected malicious IP address can reveal more information.

After running the WAF in simulation mode, you can decide whether to increase the sensitivity level of the WAF (if you see that real threat actors are being identified as malicious). Alternatively, you can reduce the sensitivity of the WAF (if you see that real shoppers are wrongly identified as malicious).
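The review described above, as an added example that is not part of the original post or of Salesforce’s tooling: the script answers the three questions (which rules fire, from which countries, from which IPs) over a constructed log and short-lists the IPs worth a lookup. The CSV column layout is an assumption, since the real eCDN WAF export format is not shown here; the rule names and addresses are made up.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample log in a CSV layout of my own choosing: the page does not
# show the real eCDN WAF export format, so the column names are an assumption.
SAMPLE_LOG = """timestamp,client_ip,country,rule_id,action,path
2023-01-10T09:12:01Z,198.51.100.7,US,OWASP-SQLi,simulate,/s/Sites-Store/search?q=%27+OR+1%3D1
2023-01-10T09:12:05Z,198.51.100.7,US,OWASP-XSS,simulate,/s/Sites-Store/search?q=%3Cscript%3E
2023-01-10T09:13:40Z,203.0.113.22,DE,OWASP-SQLi,simulate,/s/Sites-Store/product/123
2023-01-10T09:15:00Z,203.0.113.22,DE,OWASP-SQLi,simulate,/s/Sites-Store/cart
2023-01-10T09:20:11Z,192.0.2.45,BR,OWASP-RCE,simulate,/s/Sites-Store/cart
2023-01-10T09:21:30Z,192.0.2.45,BR,OWASP-SQLi,simulate,/s/Sites-Store/search?q=shoes
"""


def parse_waf_log(text):
    """Parse a CSV export into a list of dict rows (one per rule trigger)."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(events, shipping_countries):
    """Answer the three review questions from the post: which rules fire and
    how often, which countries trigger them (and whether you ship there),
    and which client IPs are behind the triggers."""
    shipping = {c.upper() for c in shipping_countries}
    rules = Counter(e["rule_id"] for e in events)
    countries = Counter(e["country"] for e in events)
    ips = Counter(e["client_ip"] for e in events)
    outside = {c: n for c, n in countries.items() if c not in shipping}
    return {
        "rules": dict(rules),
        "countries": dict(countries),
        "ips": dict(ips),
        "hits_outside_shipping_region": outside,
    }


def ips_to_lookup(events, shipping_countries, min_hits=2):
    """Pick the client IPs worth an IP lookup before touching sensitivity:
    repeat offenders that either span several rule categories (unlikely for
    a shopper who mistyped a search) or come from a country you do not ship
    to. The raise-or-lower decision itself stays with the reviewer."""
    shipping = {c.upper() for c in shipping_countries}
    per_ip = defaultdict(lambda: {"hits": 0, "rules": set(), "country": ""})
    for e in events:
        rec = per_ip[e["client_ip"]]
        rec["hits"] += 1
        rec["rules"].add(e["rule_id"])
        rec["country"] = e["country"]
    flagged = [
        ip for ip, rec in per_ip.items()
        if rec["hits"] >= min_hits
        and (len(rec["rules"]) > 1 or rec["country"] not in shipping)
    ]
    # Most active first, then by address so the output is stable.
    return sorted(flagged, key=lambda ip: (-per_ip[ip]["hits"], ip))


if __name__ == "__main__":
    evts = parse_waf_log(SAMPLE_LOG)
    print(summarize(evts, {"US", "DE"}))
    print(ips_to_lookup(evts, {"US", "DE"}))
```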

Modify eCDN WAF Settings

To change eCDN WAF settings:

  1. Choose Administration > Sites > Embedded CDN Settings.
  2. Choose a zone.
  3. On the WAF tab, select Enabled to turn on the WAF for the zone, or deselect it to disable WAF for this zone.
  4. From the Action dropdown list, select the action to take when an anomalous request is discovered—Simulate, Challenge, or Block.
  5. From the Sensitivity drop down, select a sensitivity level—high, medium, or low.

To obtain log data for analysis:

Select one or more dates and times and click Request Log. An email with a link is sent to your Business Manager email account when the log file is available for download. Download the logs to analyze your traffic and adjust WAF sensitivity accordingly.

Conclusion

In conclusion, configuring the Salesforce firewall is an important step in ensuring the security and integrity of your Salesforce account. By following the steps outlined in this quick guide, you can effectively set up and manage your firewall to protect your account from external threats and unauthorized access. It is also important to regularly review and update your firewall configuration to ensure it remains effective in protecting your account and data. By taking the time to properly set up and maintain your Salesforce firewall, you can ensure the security and success of your business.

TrailblazerDX 2023 registration open! 🤓

Are you ready for 2 full immersion days of Salesforce tech learning in beautiful San Francisco? 😮

If you, an admin/dev/architect, are looking for some real epicness, be ready for:

  • 200+ technical sessions
  • 400+ experts from Salesforce, MuleSoft, Slack, and Tableau
  • Knowledge share from thousands of professionals
  • Parties, fun, parties, and fun

By registering now, you’ll get a $400 discount.

👉Click here for more details

Get a glimpse of the awesomeness with this recap of TrailblazerDX 22.

ORGanizer Connector: create your personal Salesforce credentials hub! 🎯

📣 It’s with great pleasure that I’m announcing that ORGanizer Connector has successfully passed the AppExchange security review and [it will soon be publicly listed] it’s just been publicly listed!

What’s ORGanizer Connector?

ORGanizer Connector is a free AppExchange app that can be freely installed on any org type (production, sandbox or developer edition).

The app usage is really simple:

  • manually create Backup records that contain one or more credentials (Backup Items) whose secrets (password and token) are encrypted with a key stored in the main Backup record (which only users with access to that record can retrieve)
  • massively import ORGanizer for Salesforce backups to automatically create Backup records from ORGanizer for Salesforce backup files
  • each Backup can be shared using the standard Salesforce sharing model, so org users see only the records they are allowed to access and nothing more (we suggest a Private sharing model extended with sharing rules or manual sharing)
  • the package exposes a couple of REST APIs to let external applications integrate
    • by having access to a Backup record, you can use the Send Secret by Email button to receive the encryption secret by mail: this secret is then used to decrypt the secrets with the Reveal Password & Token button on the Backup Item record, with the ORGanizer for Salesforce native integration (Full PRO and Team users only), or with your own integration following the GitHub repo example

Is it really free?

The app is absolutely free 👌

If you want to use the ORGanizer for Salesforce native integration you need a Full PRO or Team license, but for companies it can be a life saver!

How do you use ORGanizer Connector integration?

It’s easy as 1,2,3:

  1. Install the package on your org (👉 AppExchange Link)
  2. Open the Options page (right click on ORGanizer icon and select Options)
  3. Select the Import/Export tab
  4. In the ORGanizer Connector (PRO) section select a connection (i.e. a login already stored on ORGanizer that lets you login to the org where ORGanizer Connector is installed…I suggest using an OAuth login)
    • Provided org can be a production org, a sandbox org or a Developer Edition org, no limitations!
  5. Select a Backup record and click the Get Backup button
    • Remember: you need to get the Backup’s Secret using the Send Secret by Email button on the Backup record
  6. Select the logins you want to be loaded into ORGanizer for Salesforce extension
  7. Select a login group already on your extension or create a new one and click the Import Logins button
    • If you import a login that is already on ORGanizer (username is the unique key) the login will simply be updated with the new password and token

Have a look at the video below for a glimpse of how simple the ORGanizer for Salesforce Connector user experience is:

When will ORGanizer Connector be available to install from AppExchange?

UPDATE: The package has just been listed and is available from this 🔗 AppExchange link.

We hope to be ready to publish the listing by Christmas 2022 along with an updated version of the ORGanizer for Salesforce extension that will enable the native integration for PRO users.

What if I need more details?

Contact me:

📣DevOps Center is now Generally Available!

Finally this amazing tool is GA!

DevOps Center is IMHO one of the most anticipated tools that we, the community of Salesforce professionals, have been waiting for since ages 👴

This gap has been filled over the years by many amazing products like Copado, Flosum, Gearset, AutoRABIT, Blue Canvas, Prodly or Opsera to name a few, but finally a Salesforce branded tool has been born to overcome many of the difficulties with Change Sets.

DevOps Center is a valid alternative to organize your work, track changes automatically, integrate seamlessly with GitHub (other Git providers coming soon), and deploy updates easily with clicks: developers who are used to working on Git can carry on with it, as DevOps Center automatically updates its UI based on Git activity, and admins can still participate in tracking changes on Git using clicks and not the command line.

DevOps Center is available in any production org with Professional, Enterprise, or Unlimited Edition, or a Developer Edition org…so you can get your hands dirty!

Take a look at Salesforce Developers official blog for more links on how to learn!

💬Virtual chit-chat about being an MVP and the future of Salesforce [ITA]

A few days ago I was interviewed by Carlo De Bonis for his Spaghetti Salesforce vlog (in Italian 🍕🍝).

We talked about my career path, what being a Salesforce MVP means and what I believe our amazing Trailblazer Community and Salesforce ecosystem will evolve in the next years.

Enjoy watching!

Salesforce Spring ’23 coming!

This is the time of the year when a new release is about to arise from the epic forges of the Salesforce laboratories, where magic spells and powerful artifacts are built!


Here are the key dates to be considered:

  • December 12th: you can get your own pre-release org to test the new features (use this link)
  • December 21st: release notes will be available on the help site (use this link)
  • January 6th: preview sandboxes get the new release (for more info about how to handle sandbox previews have a look at this site)
    On the same day new Trailhead content will be published to handle your certification maintenance
  • January 10th: overview content is released to have a sneak peek of what’s new (e.g. have a look at the release in the box site, but the Get Ready for Release chapter of the release notes should have all the links)
  • January 13th, February 3rd, February 7th: Spring ’23 comes to all orgs; check the maintenance calendar to see which instances come first!

📣Vlocity University retirement imminent🚪

📣Salesforce Partners Announcement ⚠

Vlocity University courses have been migrated to Partner Learning Camp, the one-stop shop for all Salesforce enablement.

All Vlocity University courses have been moved to PLC to deliver even greater value for customers and trusted partners.

Vlocity University is retiring on December 31, 2022.

What does this mean for Salesforce partners?

Whether or not you have a Vlocity University account, no worries at all: join the Partner Learning Camp.

You simply login to the Salesforce Partner Community, click the Learn tab, and then click the Start Learning button under Partner Learning Camp.

🎉Nerd At Work awarded by ApexHours

It’s an honour that Nerd At Work has been recognized by Apex Hours as one of the top Salesforce blogs for 2022!

Time to party 🎉🎉🎆🎇🥳🥳🍰!!!

💡ChatGPT + Salesforce = 🤯

Seeing a lot of surprise around #chatgpt and wanted to do my own test…

What is ChatGPT? According to the main site (…) ChatGPT (…) [editor’s note: is a trained AI that] interacts in a conversational way. The dialogue format makes it possible for ChatGPT to answer followup questions, admit its mistakes, challenge incorrect premises, and reject inappropriate requests.

In two words, you ask a question and ChatGPT tries its best to respond to you via text; you can even ask it to write some code!
I asked: “write a bubble sort algorithm in Salesforce Apex that sorts a Contact array based on Name field length”.
Which, OK, is not the whole codebase of the Hubble Telescope, but so far this is the result:

📣Announcement to all coders: prepare to change your job 🤣🤣🤣

Last question:

Try it out and share the fun 🤣

Link: ChatGPT

Is SalesForce Quip Secure? What You Need to Know

Today’s guest post is delivered by Gilad David Maayan, a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.


What Is SalesForce Quip? 

Quip is a solution that facilitates team collaboration. It combines spreadsheet and document creation and editing capabilities with comment and chat functions, allowing teams to communicate directly about projects and tasks as they work.

Quip allows you to collaboratively create and edit spreadsheets, documents, and lists in real time using a smart inbox interface. The inbox can filter and flag documents for faster searches. It saves all document revisions to let users track changes and annotate documents and spreadsheets. You can mark completed tasks on a checklist to notify all team members when a task is finished. 

Users can chat directly within the document instead of sending and receiving emails. You can message and comment on any content using the built-in one-to-one feature. You can also use @mentions to guide team members to specific spreadsheet cells or insert items into documents, including images or code. The team can leverage user-managed notifications to keep up-to-date with mentions and messages.

Quip can work on native Android and iOS applications across mobile and desktop devices. Its offline capabilities allow users to work on documents when an Internet connection is unavailable, updating the changes whenever a connection appears.

SalesForce acquired Quip in July 2016 for a total price of approximately $750 million.

Benefits of SalesForce Quip Integration

The main advantage of integrating SalesForce Quip is exporting real-time data from SalesForce to Quip. You can open SalesForce reports in a Quip spreadsheet with a single click. The data is always live, and Quip immediately reflects all changes. 

You can also quickly export a Quip document to an Excel, Word, CSV, or PDF format. Users can invite each other by sending a link to the document—they can continue editing the document after sharing using the browser or a dedicated app.

Quip improves interaction and collaboration between team members, helping them make well-informed decisions. It lets you better understand your data and receive real-time, actionable information. The regularly updated data helps you make the right decisions for your business.

Another benefit of this tool is the tracking feature for historical data—it allows you to view changes made over a specific period. If necessary, you can undo changes to keep the app’s functionality.

Is SalesForce Quip Secure?

Quip is SalesForce’s cloud document platform, obligating it to maintain a high degree of security. Security of document management tools like Quip is critical to ensure endpoint security for your employees’ corporate and personal devices. Below are some of the security capabilities Quip offers your organization.

Audits, Certifications and Compliance 

Quip has the following auditing and regulatory certifications: 

  • SOC 2 (Type 2 Certification)
  • EU-US Privacy Shield Framework
  • Swiss-US Privacy Shield Framework

All customer data stored in Quip falls under the annual certification to the EU-US and Swiss-US privacy shield frameworks awarded to SalesForce. The US DoC administered these frameworks, requiring independent SOC 2 audits of the SalesForce IT security environment, which extends to Quip. 

The SalesForce executive for your organization’s account can provide the latest Service Organization Control 2 report. Quip is also GDPR-compliant, with its systems undergoing annual security audits by a leading, independent auditor.

Penetration Testing and Bug Bounties

Achieving robust application security requires testing by security professionals. Quip contracts with an external organization to conduct annual penetration tests on Quip services. The management team reviews the results and tracks the findings to resolution. Penetration tests are performed in a controlled environment without exposing customer data.

Apart from penetration testing, Quip offers a bug bounty to encourage developers to discover and disclose vulnerabilities to the company. It continuously triages submissions and tracks them to find resolutions.

Access Authentication

Quip restricts access to your production infrastructure based on the job function of authorized persons. Only a limited number of system admins and managers have privileged access to the system. 

Quip authenticates users to production according to modern security best practices that use Secure Shell (SSH) keys and require two-factor authentication (2FA). It restricts access to the public cloud management console to authorized users who need access to perform their job duties, also using 2FA.

Encryption

Quip encrypts all customer data stored in its services at rest and in transit. It uses Transport Layer Security (TLS) to encrypt data and protect its integrity and security during transmission between Quip services and the user’s browser. It securely stores and manages encryption keys in a cloud-based infrastructure. 

Identity and Access Management (IAM) roles can control access and support audits. Quip never stores encryption keys in the source code, and it rotates the keys according to industry standards. You can use the Enterprise Key Management feature for additional visibility and control—it lets you create and manage encryption keys for your Quip data in the AWS cloud. 

Incident Management

The management team provides documentation of all incident management procedures and policies to ensure the following:

  • Contributors identify potential security incidents and report them to the relevant team members for resolution.
  • Employees adhere to the defined protocols to resolve security incidents.
  • Quip documents all procedures for making changes and notifying external and internal users.
  • Quip triages and tracks incidents to enable their resolution on time.

Service Monitoring

The Quip infrastructure monitors the performance and availability of its services and notifies the engineering team if a service diverges from performance, reliability, or availability thresholds. On-call engineers can quickly address these issues. 

Quip’s service monitoring also covers security issues and uses the production access logs to identify anomalous activity. When Quip identifies anomalous behavior, it tracks the issue until it finds a solution. It logs all logins to each production system for monthly reviews—security staff investigates, records, and remediates suspicious and unexpected login attempts. 

Quip’s intrusion detection system (IDS) helps detect and record unusual behavior. Quip continuously monitors the system’s capacity for strategic, long-term planning.
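The monthly login review described in this section, together with the access controls from the Access Authentication section (a short roster of privileged admins, SSH-key authentication, access only from where the job requires it), as an added example that is not part of the original post or of Quip’s own tooling. It parses a constructed sshd-style auth log and reports every login that breaks one of those controls; hostnames, users, addresses and the roster are made up, and 2FA enforcement is not visible in this log format, so it is not checked.

```python
import ipaddress
import re

# Constructed sshd-style auth log for a monthly review; hostnames, users and
# addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Jan 10 09:00:01 prod-web-01 sshd[1201]: Accepted publickey for alice from 10.0.1.5 port 51022 ssh2: ED25519 SHA256:q8ExampleFingerprint
Jan 10 09:05:12 prod-web-01 sshd[1233]: Accepted password for bob from 203.0.113.9 port 40011 ssh2
Jan 10 09:06:00 prod-db-01 sshd[2001]: Accepted publickey for carol from 10.0.1.9 port 51500 ssh2: RSA SHA256:r2ExampleFingerprint
Jan 10 09:07:30 prod-web-01 sshd[1290]: Failed password for invalid user admin from 198.51.100.3 port 22222 ssh2
Jan 10 09:09:45 prod-db-01 sshd[2044]: Accepted publickey for alice from 172.16.5.20 port 50000 ssh2: ED25519 SHA256:q8ExampleFingerprint
"""

# One sshd login line: timestamp, host, Accepted/Failed, auth method, user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per sshd login line; unrelated lines are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def review_logins(events, privileged_users, admin_networks):
    """Check every login against the controls the post describes: a short
    roster of admins, key-based authentication, and access only from the
    administrative network. Returns (kind, user, host, ip) findings for the
    security staff to investigate and record."""
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []
    for e in events:
        ip = ipaddress.ip_address(e["ip"])
        where = (e["user"], e["host"], e["ip"])
        if e["result"] == "Failed":
            # Unexpected attempts are reviewed even when they did not succeed.
            findings.append(("failed_login",) + where)
            continue
        if e["user"] not in privileged_users:
            findings.append(("user_not_on_roster",) + where)
        if e["method"] != "publickey":
            findings.append(("non_key_auth",) + where)
        if not any(ip in n for n in nets):
            findings.append(("outside_admin_network",) + where)
    return findings


if __name__ == "__main__":
    for f in review_logins(parse_auth_log(SAMPLE_AUTH_LOG), {"alice", "bob"}, ["10.0.0.0/8"]):
        print(*f)
```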

Conclusion

In this article, I explained the basics of SalesForce Quip and covered the security measures put in place by SalesForce to protect your data:

  • Certifications and compliance – Quip complies with SOC 2 (Type 2), EU-US Privacy Shield Framework, and Swiss-US Privacy Shield Framework.
  • Access authentication – Quip supports SSH and 2-factor authentication.
  • Penetration testing – Quip performs annual penetration testing and has a bug bounty program to discover security weaknesses.
  • Encryption – Quip encrypts all data at rest and in transit and uses TLS for all communications.
  • Incident management – Quip has well documented incident management procedures, as required by compliance standards.
  • Service monitoring – Quip infrastructure is continuously monitored and anomalous events are immediately investigated.

I hope this will help you make an informed decision when adopting Quip for a security-conscious enterprise.

