Anything to do with Cloud Apps/Salesforce Development.

Best Practice, News

The CloudFlare Security incident that affects Salesforce Security

I have contacted Salesforce Security for comment, but at the moment I’m waiting on a reply.

29 March Update – Salesforce Security replied saying they were looking into it but then never replied again, which was disappointing. I did speak to Salesforce Security at CeBIT last week, we worked through the risk and there would be a chance that the OAuth tokens may be cached. But, as OAuth tokens time out the risk is now negligible.

Google engineers identified an issue earlier in the week where CloudFlare was returning session data belonging to other websites that use the CloudFlare service. Cloudflare is a website security and caching service used by a huge number of websites; we actually use the CloudFlare service for the LondonsCalling.net website to help secure it and to manage peak demand for the site in the weeks leading up to the event (although this issue doesn’t affect anyone who has purchased tickets, as ticketing is provided by Eventbrite).

So what happened?

Uber exposed data

Because CloudFlare is a multi-tenant service (multiple sites all using the same service), a bug can expose data that it shouldn’t. In this case, it was a buffer overrun: a piece of code accidentally reads past the end of the memory it was given and picks up whatever happens to sit next to it. On a CloudFlare edge server that neighbouring memory held data from other requests the same server was handling, in other words other customers’ websites, and that data was then sent back in the response.

Google contacted Cloudflare via Twitter. That is not a usual way of communicating with a company about a security incident, but it was late on a Friday and the issue needed to be resolved quickly. Cloudflare responded very quickly and activated their global kill feature, which disabled the affected features on their platform while they started working on a fix.

Tavis Ormandy, the Google researcher who found the issue, wrote:

“We keep finding more sensitive data that we need to cleanup. I didn’t realize how much of the internet was sitting behind a Cloudflare CDN until this incident, I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

How does this affect Salesforce?

Exposed data from Fitbit

So I would be highly surprised if Salesforce is using CloudFlare. In fact, I ran a couple of random checks on core Salesforce services as well as non-core services like www.salesforceusergroups.com and didn’t find that it was being used. BUT if you are connecting to Salesforce from a website that is using CloudFlare then in theory OAuth tokens, session keys, cookies, plain text, etc. may have been compromised.

OAuth is used by websites that need to authenticate with Salesforce. It allows the website/service to access or modify your Salesforce data, or simply to authenticate you and nothing more. For example, workbench.developerforce.com is essentially a separate service from the core Salesforce platform, running on Amazon Web Services. When you log in to Workbench it authenticates with Salesforce and Workbench receives an OAuth token from Salesforce, which it then uses to access your Salesforce data, so the service never has access to your username and password.

If the workbench service was using CloudFlare and someone exploited the issue, it could be theoretically possible for someone to come across the OAuth token and re-use it to access Salesforce data.

What can I do to mitigate this?

MaxMind’s response

At the moment it’s a bit of a race against time. The issue has been around since at least September 2016, and although it has now been fixed at CloudFlare, there are search engines and websites that cache web pages which may still hold leaked data. That cached data could include confidential session keys, OAuth tokens, etc. from other websites. Google has been manually purging its cache, and other search engines are following suit. There are rumours that Google has also expired Google Account sessions, which has resulted in people being asked to re-authenticate into Google (this has happened to me on one of my Google accounts), but Google has denied the two issues are linked.

We’re still waiting to hear from Salesforce Security on their advice, but as a precautionary measure, I’m advising my customers to re-authenticate any service that has an integration into Salesforce and stores Salesforce credentials/tokens. Re-authenticating issues fresh tokens, but on its own it does not necessarily revoke the earlier refresh token, so a copy cached somewhere could still be used. To be sure the old tokens are dead, revoke the connected app’s access explicitly first (Setup > Connected Apps OAuth Usage, the user’s Connections page, or the /services/oauth2/revoke endpoint) and then re-authorise the integration. It is also worth rotating any passwords that were typed into a CloudFlare-fronted site during the affected period.

The importance of bounds testing (it’s more common than you think!)

The root cause in the CloudFlare service came down to a single operator in one line of code: the end-of-buffer check used == where it needed >=, so once a pointer stepped past the end of the buffer the check never fired and the parser carried on reading. Over the years I’ve seen quite a few bounds issues like the CloudFlare one, but the following customer issue has stuck in my mind, as it had one of the greatest impacts:

I was working with a client rationalising their global marketing data and campaigns, they sold a lot of consumer products globally but the marketing was very siloed, and they wanted a single view of the customer to see what products they interacted with and spot trends.

They had a business rule on their email marketing campaigns that they would only send emails to customers after they had been on their marketing lists for more than three months. Unfortunately, we spotted a mistake in their rule which meant they were only sending emails to people who had been on their marketing lists for less than three months, essentially automatically unsubscribing their customers from their marketing lists after three months, not ideal. They had their greater & less than symbols the wrong way around, a tiny mistake on the face of it but it had far reaching effects.

I try to drill into developers the importance of bounds testing, in code as well as in declarative functionality. If you are using a >, <, == or any other comparison operator, then write unit tests or user acceptance tests around the bounds of the expression. For example, if you were checking that a value was greater than 100, test the values 99, 100 and 101. You have then tested both sides of the boundary and the boundary itself.
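The following is an added example written for this post; it is not Cloudflare’s code and not code from the original article. It models the two points above in one place: a tiny scanner that walks a buffer with a cursor p towards the end pointer pe, once with the == end-of-buffer check and once with >=, and a bounds test that exercises the check at pe-1, pe and pe+1 (the “99, 100, 101” idea). The page bytes, the secret placed after them and the “step by two on ‘<’” rule are all constructed for the demo; a real parser has no safety limit, which is the whole problem.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed backing memory for the demo: the first PAGE_LEN bytes are the
 * "page" being scanned; what follows stands in for another tenant's data that
 * happened to be adjacent in the edge server's memory. */
#define PAGE_LEN 3
static const char backing[] = "ab<" ".sid=SECRET>";

/* Copy bytes from [p, pe) into out until a '>' is seen. On '<' the cursor
 * steps by two (mimicking a parser state that consumes two bytes at once),
 * which is what lets p jump over pe. `fixed` selects the >= check instead of
 * the == check. `limit` is a demo-only safety net so the buggy variant stops
 * at the end of our array instead of touching unmapped memory.
 * Returns the number of bytes written to out. */
static size_t scan_until_gt(const char *p, const char *pe, const char *limit,
                            int fixed, char *out, size_t outcap)
{
    size_t n = 0;
    while (n < outcap) {
        int at_end = fixed ? (p >= pe) : (p == pe);  /* the one-character bug */
        if (at_end)
            break;
        if (p >= limit)        /* demo guard only; not present in real code */
            break;
        if (*p == '>')
            break;
        out[n++] = *p;
        p += (*p == '<') ? 2 : 1;
    }
    return n;
}

/* Run the scanner over the page and report how many bytes it copied from
 * beyond pe, i.e. how much of the neighbouring "secret" leaked. */
size_t demo_leak(int fixed)
{
    char out[32];
    const char *p = backing;
    const char *pe = backing + PAGE_LEN;
    const char *limit = backing + sizeof(backing) - 1;  /* exclude the NUL */
    size_t n = scan_until_gt(p, pe, limit, fixed, out, sizeof out);
    return n > PAGE_LEN ? n - PAGE_LEN : 0;
}

/* Bounds test for the end check itself: a cursor can land just before pe,
 * exactly on pe, or (after a two-byte step) one past it. The check must
 * report "at end" for the last two. Returns 1 if all three cases pass. */
int end_check_passes_bounds(int fixed)
{
    const char *pe = backing + PAGE_LEN;
    const char *cases[3] = { pe - 1, pe, pe + 1 };  /* all inside backing[] */
    const int expected[3] = { 0, 1, 1 };
    for (int i = 0; i < 3; i++) {
        int at_end = fixed ? (cases[i] >= pe) : (cases[i] == pe);
        if (at_end != expected[i])
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("== check: leaked %zu bytes, bounds test %s\n",
           demo_leak(0), end_check_passes_bounds(0) ? "passed" : "FAILED");
    printf(">= check: leaked %zu bytes, bounds test %s\n",
           demo_leak(1), end_check_passes_bounds(1) ? "passed" : "FAILED");
    return 0;
}
```

The bounds test fails for the == variant only on the pe+1 case, which is exactly the case a test written around the “happy” boundary (p == pe) would never exercise; testing one step either side of the boundary is what surfaces it.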

Summary

It does look like CloudFlare were quick to resolve the issue, and the sites that cache web pages are working on clearing out the pages affected by this security hole. CloudFlare has said that the leakage affected 0.00003% of requests coming into CloudFlare, which doesn’t sound like much, but Cloudflare has a massive customer base, including dating websites and password managers which host particularly sensitive data. That’s a lot of data which is potentially cached and now searchable…

better to be safe than sorry!

Administration, Apex, Development, Events, Videos

Grab some popcorn, London’s Calling 2017 videos are now LIVE!

I’m totally overjoyed to announce that we’ve uploaded the majority of the sessions for London’s Calling 2017, the largest Salesforce Community event in Europe. I can now watch all those sessions I missed :), like what Todd was wearing and why, a question I’ve been itching to find out the answer to 🙂, and Belinda Parmar OBE’s keynote on Empathy, totally worth a second watch!

There are four playlists on the LC YouTube Channel:

We increased the quality of the videos this year and they look really great, there are a couple of videos still yet to be processed but the majority are now up. If you do have any questions please let me know! I know what I’m doing this weekend 🙂 … where’s the popcorn!


Apex, Dreamforce, Videos

The Mystery of Salesforce Connect Custom Apex Extensions and the Missing video

So I wonder if anyone can answer a question that has been bugging me for months…

So Salesforce records breakout sessions at Dreamforce, and for the last couple of years I’ve been doing a lot of theatre sessions, which don’t get recorded. So I was a little bit excited to learn that one of my Dreamforce 2016 sessions had been selected to be a workshop session! Whoopie! A videoed session, and it’s going online! In the end, Salesforce started recording theatre sessions at Dreamforce 2016 as well, so the majority of my sessions were recorded, which was brilliant.

BUT

For some reason, Salesforce never uploaded my “Integration with Salesforce Connect and Custom Connectors” session. It never made it to the 2016 Dreamforce Developer Sessions site.

So I contacted Salesforce thinking it may have been a mistake, a couple of people did a hunt for me but couldn’t find anything conclusive.

Present > Get Feedback > Improve > Repeat

The main reason I want to know is you can only improve your public speaking with feedback. I want to know what didn’t work. I want to know why people did or didn’t engage with it. So I need your help. Could you take a look at the video and see if you can figure out why Salesforce didn’t put this video up? A couple of ideas:

  1. “The talk that was too radical for Salesforce” – I did say things which may not be the real purpose of Salesforce Connect, but in my opinion, it makes Connect a much more powerful tool than people think.
  2. “Salesforce doesn’t like product placement” – I did mention two non-Salesforce products, both of which I had contacted and one of which was a Salesforce partner anyway.
  3. “I was talking rubbish” – Maybe there are things I said that were incorrect? if so I would love to know.
  4. “They just made a mistake and forgot the video” – This is probably the most likely explanation, but without knowing it’s a bit hard to tell.
  5. “Maybe it wasn’t very good, and they don’t put bad quality sessions up” – Now with 100% of people on the session survey recommending the session for next year and 4.86 out of 5 score, one of the highest for all developer talks, I don’t think it’s that.

Take a look for yourself and see if any of these are right, I’d love to know!


Administration, Development, General, Videos

London’s Calling what you missed & how it came together

Missed London’s Calling? Checkout the video above! But this is how it all started…

It all really kicked off just before Dreamforce 2015 with Jodi Wagner, Simon Goodyear, Louise Lockie, Kerry Townsend & several bottles of Champagne. We were sitting around the table and the conversation turned to something I think we had all been mulling over for some time: the creation of an event for the Salesforce community, BY the Salesforce community. An event where we could learn from community experts in Salesforce who had been at the coal face. An event that wasn’t a sales event, but an event for Salesforce Admins & Developers designed to help us learn from each other and find out about new Apps in the Salesforce ecosystem whilst having fun doing it! 🙂 Needless to say, Will Coleman turned up and more Champagne was drunk and then…

London’s Calling Napkin

London’s Calling was born… Our first rough sketch of the event (on the back of a napkin) consisted of a two-day event, this quickly reduced down to one day. Let’s “start small” and see what happens, hey no one may turn up!


Administration, Development, General

Adding columns to Salesforce Duplicate Management Result

Brent Downey has written a brilliant post on Salesforce’s new “Duplicate Management” tool. But one obvious feature is missing: being able to change the columns the user sees when Duplicate Management finds a match. For example, if you are matching on (say) the contact name and city, then when matching records are found only the contact name and city are displayed in the matching table, and there is no option to change this, which can be a real pain! I want to see the company name, address, etc. so I can tell whether it is an actual duplicate or not. But there is a workaround, which I mentioned in my “Data Tips, Tricks & Strategy” session at Dreamforce 2015.

Fake your Matching rule

Brent did a great post on how to set up Duplicate Management, so I’m just going to focus on the matching rule. Based on my example above, if I wanted to match contacts with a similar First Name and Last Name, I would create a matching rule that looks like the following:

Duplicate Management > Matching Rule; Matching on Contact First name & Last name


Development, News

Chance to win cool prizes by just completing a new #Trailhead module!

NOTE: The competition has now ended but Trailhead is still just as cool 🙂

Trailhead has just launched some new modules. I’ve just completed the ‘Battle Station’ module, and if you also complete it before 31st Dec, you will be entered into a draw to win either a PlayStation 4, a Sphero robot or a remote-controlled quadcopter!

Trailhead is a FANTASTIC way to learn Salesforce. At work we have ‘Trailhead Tuesdays’, where we sit down at lunch and battle to get as many badges as we can in a calendar month! It’s been going really well. Check them out!

Build a Battle Station App

This is a project rather than a module, as it’s a bit more involved than a single module. But if you do it before the 31st you can win prizes!


Apex, Development

Create Lightning with Lightning & IoT

If you came along to my talk “Create Lightning from Lightning & IoT”, thanks a lot! Here is my follow-up post. Unfortunately I couldn’t get through everything in the time, so as promised I’ve included the presentation slides, the Process Builder code and how to expose your Apex code functionality to Process Builder.

Process Builder allows admins or click developers to quickly build processes based on their particular logic. For example, we could hook up the lamp to flash when a high-priority Case comes in. We don’t need to worry about when they need to flash the light; we are just exposing the ability for them to plug it into their process whenever they want it to fire.

Apex, Development

Five things that rocked my world learning Apex

Ok, maybe they didn’t rock my world, but when I started developing on the Salesforce platform I was very much figuring it out as I went along (if only Trailhead had existed then!). Unfortunately, there were some things I wish I had known before I started. In some cases this meant I had to do rework, or in worse cases I didn’t even know I’d made a fundamental error. So here are the top things that “rocked my world” when developing Apex for the first time.

Triggers don’t fire all the time

When I was first introduced to triggers, I was told they were very much like database triggers: every time a record was inserted, updated, deleted or undeleted the trigger would fire. I expected that after I had written my update & delete triggers on, say, the Contact object, the trigger would always fire in the same way a database trigger would. But this is not the case. There are a couple of scenarios where triggers are not fired. A full list is here, but these are the ones that caught me out:

  1. Cascading delete operations. If you have records in a master-detail relationship and someone deletes the parent record, the children are cascade-deleted. The kicker? Only the parent record’s delete trigger is fired, not the children’s. To protect yourself, put the logic for the children in the parent’s delete trigger (for example, query the child records in the parent’s before delete trigger and act on them there).
  2. Cascading update operations as a result of a merge. If you merge two records, the “winning” record is kept and the losing record is deleted. Any child records of the losing record are then “re-parented” to the winning record, but the update triggers on those child records are not fired. For example, if you merged two Account records that both had Opportunities, the Account field on the losing account’s Opportunities would be updated to the winning account (the “re-parenting”), but the update triggers would not fire on those Opportunity records.


Administration, Development, General

Salesforce MVP Blogs… the list

Some of the most influential & knowledgeable Salesforce people in the world are Salesforce MVPs. They have a phenomenal amount of knowledge on Salesforce. So for me keeping an eye on Salesforce MVP blogs keeps me up to date with the latest goings on in the Salesforce ecosystem.

So here is my list of Salesforce MVP blogs. I have to say, when I started it I thought it wouldn’t take too long… BOY, there are a lot of MVPs now! Some MVPs don’t blog as much, as they focus their attention on user groups and other social networks, but I’ve included everyone I know… I think.

I post the best blog posts from MVPs to my twitter.  Follow me to check them out!

If you are looking for non-MVP blogs, checkout Salesforce Ben’s Ultimate Salesforce Blog list.

This is not quite finished but I’ll try and keep this list up to date with new MVP Blogs. Please let me know if I have missed anyone!
UPDATES: 30th June 2016 – Added Matt Lacy. 22nd Dec – Added Peter Knolle. 11th Sept – Added Simon Goodyear & tabs, as the lists were getting big! 3rd Sep – Added Paul Battisson, Phil Walton. 1st Sept – Added Kevin Poorman, Kieren Jameson, Andy Boettcher.


Apex, Development, General

Salesforce Lightning UI and what it means for developers!

It can be summed up in one word: JavaScript. It’s a hell of a tide change for Salesforce. So long Visualforce, hello Lightning Components! They are going mainstream!

So, what does this mean for developers? Is Salesforce switching off the old UI? No… well, not yet; too many companies have invested too much in it and in Visualforce. Are they switching off Visualforce? No. Will you still be able to develop in Visualforce? Yes, of course.

The Lightning UI is still a little way off from being complete. One reason is that it doesn’t yet have the vast range of components that Visualforce has, but this is definitely going to change! With Lightning Components you’re creating a whole application rather than just a page, as in Visualforce, so the complexity is higher than regular Visualforce.