General, News

New European Salesforce MVPs

Twice a year Salesforce looks for worthy people to become Salesforce MVPs. MVPs are people from the community who have demonstrated Salesforce expertise, leadership, responsiveness, and advocacy, and it’s a growing group! There are currently around 160 MVPs worldwide and I was lucky enough to become an MVP back in January 2012; it is always an honour to be renewed in such an amazing group of people. The platform and associated products in Salesforce are so large now that it’s impossible to know it all, so knowing that there are gurus around the globe focused on their own specialisation is awesome.

Salesforce has a rigorous process for evaluating MVPs. It starts with someone nominating a potential MVP; anyone can do this here when the nominations open. Information is compiled and reviewed by a number of different teams within Salesforce, as well as existing Salesforce MVPs, before new MVPs or renewals are awarded. MVP status only lasts one year, and if you have kept up with the core tenets of being an MVP (Expertise, Leadership, Responsiveness, and Advocacy) then you may be renewed for another year.

The New European MVPs!

What makes me most excited is seeing new MVPs appearing in Europe. Not to mention existing MVPs being renewed, which includes myself, Jodi Wagner, Agustina García, Alex Tennant, Chris Edwards, Christopher Lewis, Fabien Taillon, Joshua Hoskins, Keir Bowden, Michael Gill, Mohamed El Moussaoui, Phil Walton, Samuel De Rycke and Simon Goodyear.

The full list can be found here.

Sergey Erlikh (@sergeyer)

Twitter: @sergeyer
LinkedIn: https://www.linkedin.com/in/sergeyerlikh/

Based in Amstelveen noord, Netherlands Sergey is our first European Non-Profit MVP!!! and also co-leader of The Netherlands Salesforce nonprofit user.

Louise Lockie (@LouiseLockie)

Twitter: @LouiseLockie
LinkedIn: https://www.linkedin.com/in/louise-lockie-a8250115/
Website: louiselockie.blogspot.co.uk

Louise runs the Women in Tech user group in London and has talked at a number of Salesforce events including London’s Calling this year. Check out her talk on Tackling the “We’ve always done it this way”.

Fabrice Cathala (@fcathala)

Twitter: @fcathala
LinkedIn: https://www.linkedin.com/in/fcathala/
Website: saas-components.com

Fabrice is a Technical Architect working for CLOUT! His blog is filled with great advice on Salesforce Architecture and he also presented at London’s Calling on ‘Migrating to Lightning

Sunil Sarilla

LinkedIn: https://www.linkedin.com/in/sunil-sarilla-4a49533/
Success: https://success.salesforce.com/profile?u=0053000000AJ82FAAT

Currently Ranked 5th in Success for answering Salesforce answers he has answered 11,885 questions so far! Based in London as well? I think but I’ve never met him, so hopefully we will meet soon!

Best Practice, News

The CloudFlare Security incident that affects Salesforce Security

I have contacted Salesforce Security for comment, but at the moment I’m waiting on a reply.

29 March Update – Salesforce Security replied saying they were looking into it but then never replied again, which was disappointing. I did speak to Salesforce Security at CeBIT last week; we worked through the risk, and there would be a chance that the OAuth tokens may be cached. But as OAuth tokens time out, the risk is now negligible.

Earlier in the week, Google engineers identified an issue with CloudFlare where it was possible to see session data from other websites using the CloudFlare service. Cloudflare is a website security and caching service used by a huge number of websites; we actually use the CloudFlare service for the LondonsCalling.net website to help secure it and also manage peak demand for the site in the weeks leading up to the event (although this issue doesn’t affect anyone who has purchased tickets, as this is provided by Eventbrite).

So what happened?

Uber exposed data

Because CloudFlare is a multi-tenant service (multiple sites all using the same service), an issue could expose data that it shouldn’t. In this case, it was due to a buffer overrun: this is when a piece of code accidentally moves past the end of the memory it should be using and accesses information in memory that should only be accessed by another process (in this case a different website).

Google contacted Cloudflare via Twitter, not a usual way of communicating with a company about a security incident, but it was late on Friday and the issue needed to be resolved quickly. Cloudflare seemed to respond very quickly and activated their global kill feature, which disabled the affected features on their platform while they started working on a fix.

Ormandy, the Google researcher who found the issue, wrote:

“We keep finding more sensitive data that we need to cleanup. I didn’t realize how much of the internet was sitting behind a Cloudflare CDN until this incident, I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

How does this affect Salesforce?

Exposed data from Fitbit

So I would be highly surprised if Salesforce is using CloudFlare. In fact, I ran a couple of random checks on core Salesforce services as well as non-core services like www.salesforceusergroups.com and didn’t find that it was being used. BUT if you are connecting to Salesforce from a website that is using CloudFlare then in theory OAuth tokens, session keys, cookies, plain text, etc. may have been compromised.

OAuth is used by websites needing to authenticate with Salesforce; this then allows the website/service to access/modify your Salesforce data, or just to simply authenticate and nothing more. For example, workbench.developerforce.com is essentially a separate service from the core Salesforce platform, running on Amazon Web Services. When you log in to Workbench, it authenticates with Salesforce and Workbench receives an OAuth token from Salesforce, which it uses to access your Salesforce data, so the service doesn’t have access to your username and password.

If the workbench service was using CloudFlare and someone exploited the issue, it could be theoretically possible for someone to come across the OAuth token and re-use it to access Salesforce data.

What can I do to mitigate this?

MaxMind’s response

At the moment it’s a bit of a race against time. The issue has been around since at least September 2016, and although it may have been fixed at CloudFlare, there are search engines and websites that cache website data that may still have compromised data in them. This cached data could have confidential session keys/OAuth tokens etc. from other websites. Google has been manually purging its cache, and other search engines are following suit. There are rumours that Google has also expired Google Account sessions, which has resulted in people being asked to re-authenticate into Google (this has happened to me on one of my Google accounts), but Google has denied the two issues are linked.

We’re still waiting to hear from Salesforce Security on their advice, but as a precautionary measure, I’m advising my customers to re-authenticate any service that has integrations into Salesforce that stores Salesforce credentials/tokens. Re-Authenticating should then refresh the authentication tokens and invalidate the old tokens so if they are cached anywhere they can’t be used.

The importance of bounds testing (it’s more common than you think!)

The root cause in the CloudFlare service came down to just one character in a piece of code, where >= was needed rather than ==, which resulted in the buffer overrun. Over the years I’ve seen quite a few bounds issues like the CloudFlare issue, but the following customer issue has stuck in my mind, as it had one of the greatest impacts:

I was working with a client rationalising their global marketing data and campaigns, they sold a lot of consumer products globally but the marketing was very siloed, and they wanted a single view of the customer to see what products they interacted with and spot trends.

They had a business rule on their email marketing campaigns that they would only send emails to customers after they had been on their marketing lists for more than three months. Unfortunately, we spotted a mistake in their rule which meant they were only sending emails to people who had been on their marketing lists for less than three months, essentially automatically unsubscribing their customers from their marketing lists after three months, not ideal. They had their greater & less than symbols the wrong way around, a tiny mistake on the face of it but it had far reaching effects.

I try to drill into developers the importance of bounds testing in code as well as declarative functionality. If you are using a >, <, == or any operator then write unit tests or user acceptance tests around the bounds of the expression. E.g. if you were checking that a value was greater than 100, you could test the values 99, 100 & 101. You have then tested the bounds of the expression.
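A constructed C illustration of the one-character difference and of the bounds-testing advice above (added here; it is not Cloudflare's code or the author's). The arena layout, the backslash escape rule and the names `scan` and `run_case` are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: tenant A's 8-byte buffer is followed directly by
   tenant B's data inside one array, so the overrun stays within the array
   and the demo itself has no undefined behaviour. */
#define A_LEN 8
#define ARENA_LEN 24

enum end_check { CHECK_EQ, CHECK_GE };

/* Copy tenant A's bytes to out. A backslash consumes itself and the next
   byte, so the cursor advances by two and can step over `end`.
   Returns how many copied bytes came from beyond `end`. */
static size_t scan(const char *arena, size_t end, enum end_check mode,
                   char *out, size_t out_cap)
{
    size_t p = 0, n = 0, leaked = 0;

    while (p < ARENA_LEN && n + 1 < out_cap) {   /* demo safety limits */
        int at_end = (mode == CHECK_EQ) ? (p == end) : (p >= end);
        if (at_end)
            break;
        if (arena[p] == '\\') {                  /* two-byte escape */
            p += 2;
            continue;
        }
        if (p >= end)
            leaked++;                            /* byte belongs to tenant B */
        out[n++] = arena[p++];
    }
    out[n] = '\0';
    return leaked;
}

/* Build the arena from an A_LEN-byte input and scan it. */
static size_t run_case(const char *a_input, enum end_check mode,
                       char *out, size_t out_cap)
{
    char arena[ARENA_LEN];

    memcpy(arena, a_input, A_LEN);
    memcpy(arena + A_LEN, "B-SESSION-TOKEN!", ARENA_LEN - A_LEN); /* constructed */
    return scan(arena, A_LEN, mode, out, out_cap);
}

int main(void)
{
    /* Cursor reaches end step by step, lands exactly on end, lands on end+1. */
    const char *inputs[] = { "abcdefgh", "abcdef\\x", "abcdefg\\" };
    char out[32];

    for (size_t i = 0; i < 3; i++) {
        size_t eq = run_case(inputs[i], CHECK_EQ, out, sizeof out);
        printf("==  leaked=%2zu out=%s\n", eq, out);
        size_t ge = run_case(inputs[i], CHECK_GE, out, sizeof out);
        printf(">=  leaked=%2zu out=%s\n", ge, out);
    }
    return 0;
}
```

The first two inputs behave identically under both checks, so only the test that lands one past the bound exposes the difference.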

Summary

It does look like CloudFlare were quick to resolve the issue, and sites that cache websites are working on clearing out the websites affected by this security hole. CloudFlare has said that the leakage affected 0.00003% of requests coming into CloudFlare, which doesn’t sound that much, but Cloudflare has a massive customer base including dating websites and password managers which host particularly sensitive data. That’s a lot of data which is potentially cached and now searchable…

Better to be safe than sorry!

Dreamforce, General, News

My 2016 Salesforce year in review

This time last year I don’t think I could ever have imagined that I would have the time to write a blog post. It was our first London’s Calling event, which involved huge amounts of work: guides to create, banners to be printed, sponsors to corral, bags to stuff, menus to choose, finances to manage, t-shirts to design. We were all maxed out! But the largest community-led event for Salesforce Professionals is back bigger than ever on Feb 10th! (well last year anyway).

What I’m most excited about for this year is our keynote speaker. Those eagle-eyed of you may have spotted some clues around the place. I’m really hoping that they go down well as it’s a little bit different than last year, but I’m staying tight-lipped until we announce… tomorrow! 🙂

For me, LC2017 will be a change in direction. But I have to say that although 2016 was frustrating on a number of different fronts, the Salesforce front was really quite fun 🙂

My 2016 in Salesforce

Well, I think 2016 was quite an epic year all in all. My main theme for 2016 was vegetables so hopefully, people saw that 🙂 and somehow I found some room to be trustee of a theatre company & get married?!

User groups from London to Sydney & New Zealand!

We had 7 user groups in London at the beginning of the year…

.. and in 2016 another was born. The Pardot user group:

I managed to connect with community members across the globe talking at the Sydney user group, and here’s a pic from the Auckland user group:

Our London Admin user group had its 2yr old birthday!

We had #TrailheadDX Live!!

Salesforce meets AWS

Salesforce announced that it was investing $800m into AWS and moving its core platform over to AWS and with AWS setting up a new London region this is going to be huge. The future is Serverless, in my opinion, and we have Ryan Kronenberg talking all about serverless technology & AWS at London’s Calling.

London World Tour

I spoke on Securing your Salesforce org from your employees and also a talk on how I thought people were missing the point on Salesforce Connect. As well as helping out at the trailhead zone.

and had some great feedback… I did say my 2016 theme was vegetables! Did anyone else spot them?

Also… there was a Star Wars invasion at the London World Tour, thanks Phil!!

London’s Calling

We ran the first and largest Salesforce community event in Europe! It made some of us… well quite strange… 🙂

 

 

Dreamforce

Had an epic time at Dreamforce. This year Salesforce went “Trailhead all in” with 170,000 attendees!! I did two talks, “Admin’s Guide to Developer Console” and “Salesforce Connect custom adapters”, although bizarrely, after getting one of the highest session scores for the dev talk, Salesforce has buried the talk video? Hmm… maybe my talk was a little too radical 🙂

But The Admin’s Guide to developer console talk went down equally as well:

I helped out at the Security Expert booth and as I walked up to it what did I see but Ben Edwards SF Tools, if you haven’t seen them check them out!

At the awesome people party I had a caricature created of me 🙂

Was one of the presenters at the Dreamforce SMB DemoJam:

Yes, I grew a tail! Maybe I had been hanging out in the Trailhead zone too long? 🙂

MidWest Dreamin

I had the honour of running the DemoJam at MidWest Dreamin. Was great fun! and we’re doing it again at London’s Calling with 13 sponsors!

Salesforce year in review

As Salesforce comes to its year-end the company has continued its growth, up 25%. But it’s interesting to see that over the past year or so Salesforce has really started looking at vertical growth through the finance cloud and health cloud offerings. It’s a nice start and hopefully if these are successful more will follow, but it is still nowhere near SAP’s 25 odd verticals. Salesforce has also focused its Health cloud around patient records, but it will be interesting to see how this develops in 2017.

AI & Automation

I believe we are now in the age of automation. The landscape is changing and Salesforce is pushing that envelope around automation and AI for companies. Salesforce’s acquisitions into AI I think are a great step forward. But with AI comes collaboration of data to allow machine learning so for me there are still hurdles to overcome around privacy as well as cost.

Summary

It’s been a fun year, including all the other things I got up to: getting married, honeymoon and not to mention the charity work I’ve been doing as trustee of Baseless Fabric Theatre.

But, 2017 sees a change in direction for me which I’m announcing at London’s Calling on the 10th Feb. Onwards and upwards. Let’s make 2017 great again 😉

 

Dreamforce, News, Videos

When Two wizards and Yoda met at Dreamforce …

This year’s Dreamforce was a blast! I have to say I was just a little bit busy! Two sessions, staffing the code consultations and mini-hacks, helping out on the Salesforce security booth and deejaying the AppExchange DemoJam. But one of the most fun parts of Dreamforce was being on the WizardCast podcast hosted by the brilliant Brian Kwong (The Salesforce Wizard) and Mark Ross (Salesforce Yoda). They have just released it, so go check out all the things I really shouldn’t have said live on air, oh and Brian, we missed that I’m a qualified Snowboard instructor too! 🙂

If you have not got WizardCast on your podcast list, add it on 🙂

News

There be treasure hiding in Trailhead!

Trailhead has released some rather nautical Trailheads so that you can navigate the differentiators that drive Salesforce’s success: our core values, innovative technology, and vibrant ecosystem.

Salesforce Success Model

Learn who Salesforce is and our vision for driving customer success.

General, News

Get to know the new European Salesforce MVPs!

I am TOTALLY overjoyed to see eight new EU Salesforce MVPs!! Especially as several of them I mentored! I still remember when all the EU MVPs rocked up to the Salesforce London big Cloudforce event. There were just 4 of us, now 26 of us (I think). We’ve also added Italy & Israel to the countries that now have a Salesforce MVP in them. I’m also relieved that I was renewed this year as well. I’m now a 5x or 6x Salesforce MVP… I’ve lost count 🙂

The Salesforce MVP Programme is a programme run by Salesforce to award people in the community for their Accessibility, Expertise, Responsiveness, Leadership & Advocacy in Salesforce. If you want to learn about how Salesforce awards an MVP, they have recently created a blog about the whole process!

And now for the new MVPs:

Mohamed El Moussaoui

Mohamed El Moussaoui

Mohamed El Moussaoui – France   
Mohamed & Fabien run the Paris Dev user group. They were both over from France for London’s Calling a couple of weeks ago and I was REALLY hoping this year would be the year they made MVP. They have run the Paris user group for quite a while and they are both great guys!!
Website: http://www.elmoussaoui.me/#blog

 

Fabien

Fabien Taillon

Fabien Taillon – France   
Fabien did a talk at London’s Calling when he was over and it’s well worth a watch! “Style your application with Lightning Experience Look & Feel using SLDS”
Website: http://www.fabientaillon.com/

 

Development, News

Chance to win cool prizes by just completing a new #Trailhead module!

NOTE: The competition has now ended but Trailhead is still just as cool 🙂

Trailhead has just launched some new modules on Trailhead. I’ve just completed the ‘Battle Station’ module and if you also complete it before 31st Dec, you will be entered into a draw to win either Playstation 4’s, Sphero Robots or Remote Controlled quadcopters!

Trailhead is a FANTASTIC way to learn Salesforce. We have at work ‘Trailhead Tuesday’s‘ where we sit down at lunch and battle to get as many badges as we can in a calendar month! It’s been going really well. Check them out!

Build a Battle Station App

This is a project rather than a module as it’s a bit more involved than just a module. But if you do this before 31st you can win prizes!

General, News

No fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules

-   UK Financial Conduct Authority   -

An interesting thing happened last month. The UK’s Financial Conduct Authority (FCA) produced a document proposing new guidance for financial services firms using third party cloud computing solutions.

 

The Financial Conduct Authority (FCA) is a financial regulatory body in the United Kingdom, but operates independently of the UK government, and is financed by charging fees to members of the financial services industry. The FCA regulates financial firms providing services to consumers and maintains the integrity of the UK’s financial markets. It focuses on the regulation of conduct by both retail and wholesale financial services firms.

 

What I find interesting is how FCA has embraced cloud computing using Salesforce extensively in its operations. It can only be a good thing that the UK regulator for the financial services industry is paving the way for cloud-based services. I do sometimes get frustrated with companies who don’t have brilliant physical/logical security around their internal information assets, and then say having an internal solution makes it “more secure”. The majority of successful hacks come from within the company not from external.

Ransomware, insider threats… companies not prepared

A recent report showed that nearly half (46%) of small business owners have no employee responsible for data security and, more alarming, that 27% have no process or policies at all. But even larger companies This year has been a tough year for security, with just this week yet another attack. JD Wetherspoon was hit by a cyber attack releasing over 650k customer records.

Cloud computing set up correctly (or even in some cases out of the box) could be more secure than some companies’ internal systems. Take the basic fact that you could, in theory, lock your entire IT and development team out of your production environment and make the deployment of changes and administration a business function and not an IT one. This puts cloud computing at a reduced risk of internal attack, and when the majority of hacks are internal, this has to be a good thing. Just talk to the CIA: if Snowden (an IT admin) hadn’t had full admin privileges when he didn’t need them, things could have been very different.

 

Read more at:

http://www.out-law.com/en/articles/2015/november/fca-paves-the-way-for-cloud-computing-in-uk-financial-services/

 

News

Salesforce Trailhead continues to get bigger

With the launch of the new Salesforce Experience UI, Salesforce Trailhead has now increased to over 40 modules! I find it interesting that in the release of the Salesforce UI, Trailhead played an important role in getting the word out on the new UI, something I hope will continue! (Maybe a replacement for the release exams??).

One of the most interesting for me was the Event Monitoring module. The new Salesforce event monitoring seemed to pass me by and I didn’t even know it existed. But this is a great feature for monitoring Salesforce usage, especially now that the majority of the left nav hacks have been removed and you therefore can’t use Google Analytics anymore to monitor Salesforce (see here for a left nav workaround).

News

Get to know the New EU Salesforce MVPs!

Salesforce has just announced the new batch of MVPs to join the brilliant Salesforce MVP community. The MVP programme recognises exceptional individuals within the Salesforce community for their leadership, knowledge, and ongoing contributions. These individuals represent the spirit of the community and what it is all about.

In the EU we now have 3 new MVPs!

 

  • Samuel De Rycke (@SamuelDeRycke): Our first continental Europe MVP (I’m excluding Carolina from this as she’s mainly based in the UK 🙂 )! Samuel is based in Belgium working for ABSI, which is one of the oldest Salesforce.com partners in Benelux. I first met him in Paris at the #Salesforce1Tour, a great guy! He’s a very worthy moderator of Salesforce Stack Exchange! Co-organiser of the Belgium Salesforce Developer User group and a really great photographer!