ISV AppLab
TRANSCRIPT
ISV AppLab: Building Your App, and Your Business, From A-Z
CodeScience (@codescience)
Salesforce ISV Team (@partnerforce)

Speakers
• John Richter - Director, Partner Community
• Robert Sussland - Senior Product Security Engineer, Webapp Security and Cryptography
• Christopher Auyeung - Sr. Manager, User Experience
• Mike Witherspoon - CEO
• Brian Walsh - CSO
• Eddie Blazer - Director of Architecture
• Krishna Tatta - Technical Architect
• Rina Henderson - Lead UX

Agenda
• Software Development Lifecycle
• Setting Your Business Up for Success
• Funding Opportunities for Partners
• User Experience
• The Lightning Experience
• Break
• Integration Considerations and Design Patterns
• Security Review
• Q&A
John Richter - Director, Partner Community, Salesforce Partner Program (@partnerforce)

The Salesforce Partner Program: World’s #1 Cloud Ecosystem
ISVs, Consulting Partners, Resellers, Digital Agencies

Partner Community
Partner Operations, Partner Marketing, Partner Development

Branding? First Call Decks? Webinars? Live Events? Pilots? Logos? Roadmap? Surveys? Trial Orgs? Sponsorships? White papers? Leads? New Releases? Orders? Opportunities? Projects? Red Accounts? Customer Stories? Org Extensions? Technical Issues? Design Questions? Sales Collateral?
Seamless. Structured. Secure.
Partner Community: Partner User Groups, Briefings, Polls & Surveys, Instructor-led, Blogs, Program Guides, Media Assets, Partner Alerts!, Social Media, Communications, NewsFlash (e-newsletter), Live Events, Office Hours, Learning, Ideas, Sessions, Online Programs, Roadmap, Releases & Pilots

Partner Community: Your one-stop shop for education and engagement
http://partners.salesforce.com/
• Partner Program Details
• Communications
• Training
• Deal Registration
• Webinars & Recordings
• Office Hours
• Sales & Enablement Resources
• Support

Partner Community in Action: Education & Engagement
• Official: Partner Community Chatter Group - http://p.force.com/official
• Questions & Answers Chatter Group - http://p.force.com/question
• Alerts! for Partners - http://p.force.com/alerts
• Releases for Partners - http://p.force.com/releases
• Roadmap for Partners - http://p.force.com/roadmap
• AppExchange Publishing - http://p.force.com/applisting
• Support - http://p.force.com/case

Trailhead: ISV Basics - New onboarding for ISVs
http://p.force.com/ISVbasics
• Getting Started
• ISV Product Lifecycle
• Tools & Resources
ISV Partner Lifecycle: Key Drivers for Planning Your App, and Your Business

ISV Partner Lifecycle
Stages: Plan -> Build -> Distribute -> Sell -> Market
Sign up: Partner Community :: App Academy :: Resources & Tools :: Online Training :: Publishing :: Support (Cases)
• Technical Review (TE), Business Review (PAM), ISVforce Guide, Developer Site, Support
• Environment Hub, Developer Orgs, Test Orgs, Packaging Org, Managed Package, Security Review ($)
• Trialforce Management Org, Partner website, Operations Review, Final Contract Review, FREE TRIALS
• Partner Business Org: Campaigns, Leads, Analytics, Cases, Support Console, Other Apps, License Mgmt App, Opportunities, Channel Order App
• AppExchange Marketing Program (AMP) ($), Sales Review, Premier Support ($)
($) – denotes an additional fee may apply, speak with your Partner Account Manager (ISV) for details
Foundations for AppExchange Success: Some tricks and tips we’ve learned along the way
Mike Witherspoon - CEO, [email protected], @spoonscience

Choose Your Own Adventure
“You know nothing, Jon Snow” - Ygritte
So many unknowns are going to affect your product
• Know that you’ll be learning the entire time
• Identify the biggest risks early and confront them
• Balance your skills by bringing in people who challenge you and think differently than you

Where to Focus Your Time and Money
Rule of Thirds - Start Small, Stay Small by Rob Walling
Your Business
• Organizations take time
• Culture matters
• Invest time in your partnerships (e.g. Salesforce)
• HR, legal and ops are necessary
Your Product
• What? Only a third?
• Features can wait until you have an MVP, customer feedback and revenue
• “I don’t know why, but the best product never wins” - Michelle Witherspoon
Sales and Marketing
• Purchasers buy because they identify with a message or a sales person, period.
• The AppExchange will not sell your product for you (though it is an efficient marketing spend)

Timing and Pricing: Time = Money
What is your compelling event?
• Customers demanding features?
• Marketing event, e.g. Dreamforce or an industry trade show
• Security review takes 2 to 8 weeks
• You may have to resubmit, so leave time
• Only required for a public listing. You can deploy your private listing to customers.
• Financial... watch those investor expectations and your burn rate
SaaS industry standard is per user per month.
• Rarely can you justify per year, per company or per some other dimension
• How much to charge? What is the marketing benefit/value to you if your app is free? What is the sales, construction and support cost of the app? What is a customer willing to pay?

Market Sizing and Business Plan: A plan is incorrect the second you finish it
How big is your market?
• That’s a great question and it’s up to you to figure that out
Business plan basics
• Revenue plan
• Hiring plan
• Investor or budget pitch
• Marketing plan

Assess Your Team: 17 Roles to Build a Product
Write down who can fill each role and identify your team’s skill gaps
Determine a path to fill those gaps
• Hire (and train)
• Find a hired gun (solo contractor)
• Outsource to a PDO
• Onshore or offshore?
• Full team or a subset?
• Know your budget (1/3 of your cash)
• Is your organization ready for consultants?
Roles for an agile development team
• Software architect (Salesforce Platform)
• Product Owner
• Scrum Master
• UX Designer
• Salesforce Developer (Configuration, Apex, Visualforce, Lightning, etc)
• Quality Assurance/Quality Engineer
What Kind of Partner Are You? Know your value to Salesforce
Business Model
• ISVForce: adds on to Salesforce CRM; customers are existing Salesforce users
• OEM: market outside of the Salesforce ecosystem; assumes no CRM objects
Revenue Collection
• Free - best place to start
• Checkout - Salesforce collects
• Traditional - Partner collects
Partner Tiers
• Free and Registered - <120K annually
• Silver - 120K to 800K ACV
• Gold and Platinum - >800K
Funding Opportunities for ISVs: Many different models are available
[Chart: share of financings by company type - 52%, 25%, 21%; categories SaaS, SaaS + Service, Tech-enabled services, Digital Media]
• 100+ financings across 70+ companies
• Almost 80% are SaaS
• Revenue Based Financing for tech companies
• $50k-$1mm per company
• Technology + Capital = Better for Entrepreneurs

Funding paths for ISV’s
[Chart: funding paths by stage (Ideation, Launch & Traction, Growth & Scale, Breakout, Established) against revenue up to $5m; sources: Bootstrap / Friends & Family, Incubator / Angels, Debt, Equity; VC Backed, Non VC, Blended]

Funding Option Comparison
• Guarantees & Controls: Bank / Debt - Financial Covenants, Sometimes Personal Guarantees; Revenue-Based Finance - No Financial Covenants, No Personal Guarantees; Venture Capital - Partner in the Business (Board Seat, Voting Rights)
• Added Value: Bank / Debt - Low / None; Revenue-Based Finance - Medium; Venture Capital - High
• Dilution: Bank / Debt - None / Low; Revenue-Based Finance - None; Venture Capital - High
• Payment Flexibility: Bank / Debt - Low: Fixed Payments; Revenue-Based Finance - Medium: Variable Payments; Venture Capital - High: No Payments
• Speed: Bank / Debt - 4-8 months; Revenue-Based Finance - 4 weeks; Venture Capital - Highly variable. Typical 3-9 months of focused effort

What is Revenue-based financing?
• The best of debt and equity – aligned interests with no dilution
• Essentially a royalty agreement
• Monthly payments = fixed % of revenue
• Fits SaaS
[Chart: company revenue vs. loan payment over periods 1-14]
Example Financing
• Up to $1M or 33% of annualized revenue run rate
• $500K funding
• Payment: 5% of monthly revenue
• Repayment: 1.7x principal ($850K)
• Maturity: 5 years
What Is UX? It’s rarely just about making things pretty!

UX is Empathy. Question: What is Empathy?
In a hypothetical narrative, a person sees a fast food restaurant.
A person sees a fast food restaurant as they are driving their car to the mall.
A middle aged woman sees her favorite fast food restaurant as she drives her car to the mall to buy a pair of dress shoes for an interview.

UX: The “Thinking Parts”
• I want to get my head into your project!
• Leverage my ignorance.
• It’s not just about visual design!
• Tell-tale signs of good thinking.

UX: The “Design Parts”
• Design an experience, including your brand.
• Visualize requirements via proof of concept.
• Iteration … we didn’t get to the future without iteration!

UX: The “Build Parts”
• Prototype, prototype, PROTOTYPE!
• HTML / CSS = inexpensive vetting cycle
• Parallel universe...

What Does UX Look Like? It differs for everyone, but here’s what’s worked for us...
• Personas
• Context
• User Flows (we like these… a lot)
• Information Architecture (with User Flow - yep, still important)
• Wireframing
• Optimizing UI (SLDS)
• Prototyping
The Lightning Experience
Integration: Best practices for integration in an ISV App

What is Integration?
Any transfer of data between multiple services. Examples:
• Salesforce SOAP call-out to an ERP system
• Mobile app RESTful call-in to Salesforce to get leads
• Salesforce-hosted VF page XHR callout to a 3rd party stock ticker
• Salesforce-hosted VF page embeds a Twitter feed (iframe/“mashup”)

Design Considerations - Consideration: Security Review
Considerations:
• Security Review has very strict pass/fail criteria. This alone has the largest influence on integration design because it has the most constraints.
• Data at Rest, In-Transit, In-Use
• Authentication
• CSRF/XSS/SOQL-Injection, CDN
Mitigations:
• Custom Protected Settings
• Encrypted Fields / Platform Encryption
• TLS, two-way SSL auth
• SAML, OAuth, CSR, named credentials
• CORS, Static Resources
• Checkmarx and ZAP/Burp scan (can be integrated into build automation)

Design Considerations - Consideration: Performance/Scalability
Considerations:
• Transaction Context: Trigger, VF Page, Browser, etc
• Bulkified
• JSON vs XML
• Data Width, Frequency, Schedule
Mitigations:
• WF-OBM (Workflow Outbound Messages), @future, Queueable, Batch, Scheduled
• Bulkify everything
• Least data
• Checkmarx Scanner

Design Considerations - Consideration: User Experience
Considerations:
• Blocking or non-blocking operation?
• Need immediate feedback?
• Streaming data
Mitigations:
• Validate business requirements

Design Considerations - Consideration: Maintenance
Considerations:
• Layer Choice: Server or Browser?
• Skillsets: back-end, front-end, middle
• Solution choice
Mitigations:
• Clicks not code
• Designing with layers and appropriate patterns
• Microservices and SOA
• Middleware

Design Considerations - Consideration: Money, duh
Considerations:
• Buy a tool vs custom build
• Cost scalability
Mitigations:
• Engage a PDO!
Integration Patterns: 2-Way Token Exchange
Use Case: Salesforce and the ISV need asynchronous API access to each other
Challenge: Building a secure, authenticated integration
• Storing 3rd party credentials = bad! Use revocable tokens authorized by the user or admin that are specific to each client
• OAuth is a user-driven process; performing it bi-directionally is challenging
Solution:
• VF “Setup” page to initialize the OAuth flow to the 3rd party service
• Request a refresh token, store it in a custom protected hierarchy setting
• Upon completion of the flow, redirect to a Canvas app
• Canvas can utilize a “Lifecycle Handler” ISV-defined Apex class
  • Sends the 3rd party & Salesforce refresh tokens in one payload to the 3rd party
  • The 3rd party links & stores the SF refresh token
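The first leg of that flow (Setup page starts OAuth, callback stores only the refresh token in a protected setting, then hands off to Canvas) in Apex, added here as an example that is not from the deck or from CodeScience. The protected hierarchy custom setting ISV_Integration__c and its fields, the third-party endpoints, the client id and the Visualforce page names are all assumptions; the token endpoint needs a Remote Site Setting or Named Credential, and a client secret, if the third party requires one, belongs in the protected setting as well, never in source.

```apex
// Added example (not from the deck). ISV_Integration__c is assumed to be a protected
// hierarchy custom setting in the managed package with text fields OAuth_State__c and
// Refresh_Token__c; endpoints, client id and page names are assumptions.
public with sharing class IntegrationSetupController {
    public class SetupException extends Exception {}
    private static final String AUTHORIZE_URL = 'https://thirdparty.example/oauth/authorize';
    private static final String TOKEN_URL = 'https://thirdparty.example/oauth/token';
    private static final String CLIENT_ID = 'isv-app-client-id';

    private static String callbackUrl() {
        return URL.getSalesforceBaseUrl().toExternalForm() + '/apex/IntegrationSetup';
    }
    // Org-level record of the protected setting; created on first use.
    private static ISV_Integration__c orgConfig() {
        ISV_Integration__c cfg = ISV_Integration__c.getOrgDefaults();
        if (cfg.Id == null) cfg.SetupOwnerId = UserInfo.getOrganizationId();
        return cfg;
    }
    // Step 1 (button on the VF Setup page): send the admin to the 3rd party. The random
    // state is kept in the protected setting so the callback can reject a forged or
    // replayed redirect (CSRF against the OAuth callback).
    public PageReference startFlow() {
        ISV_Integration__c cfg = orgConfig();
        cfg.OAuth_State__c = EncodingUtil.convertToHex(Crypto.generateAesKey(128));
        upsert cfg;
        PageReference authorize = new PageReference(AUTHORIZE_URL);
        authorize.getParameters().put('response_type', 'code');
        authorize.getParameters().put('client_id', CLIENT_ID);
        authorize.getParameters().put('redirect_uri', callbackUrl());
        authorize.getParameters().put('state', cfg.OAuth_State__c);
        authorize.setRedirect(true);
        return authorize;
    }
    // Step 2 (page action of the same VF page): verify state, exchange the code, keep
    // only the refresh token in the protected setting (subscriber admins cannot read
    // it), then hand off to the Canvas app for the second leg of the exchange.
    public PageReference handleCallback() {
        Map<String, String> params = ApexPages.currentPage().getParameters();
        if (String.isBlank(params.get('code'))) return null; // plain visit, no callback
        ISV_Integration__c cfg = orgConfig();
        // String.equals is case-sensitive; == on Apex strings is not.
        if (String.isBlank(cfg.OAuth_State__c) || !cfg.OAuth_State__c.equals(params.get('state'))) {
            throw new SetupException('OAuth state mismatch: refusing to store a token');
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint(TOKEN_URL);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('grant_type=authorization_code'
            + '&code=' + EncodingUtil.urlEncode(params.get('code'), 'UTF-8')
            + '&client_id=' + CLIENT_ID
            + '&redirect_uri=' + EncodingUtil.urlEncode(callbackUrl(), 'UTF-8'));
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            throw new SetupException('Token exchange failed: ' + res.getStatus());
        }
        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        cfg.Refresh_Token__c = (String) body.get('refresh_token');
        cfg.OAuth_State__c = null; // single use: a replayed callback now fails the check
        upsert cfg;
        return new PageReference('/apex/IntegrationCanvas'); // hypothetical Canvas page
    }
}
```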
Integration Patterns: Easy Data “Push”
Challenge: Push data changes that happen in Salesforce to your 3rd party system
• Do it cheap
• Do it fast
• Make it perform
Solution:
• Workflow Outbound Messages
• Middleware hosted by the 3rd party, or a custom SOAP web service built by the 3rd party

Data Push: Pros and Cons
Pros:
• Clicks not code
• Built-in queueing/retry
• Bulkified
• Supported/upgraded by Salesforce
• No limits
• Admin configurable
Cons:
• Salesforce-provided WSDL, no REST
• Limited data payloads
• FIFO queue, no order/priority
• Asynchronous
• No authN tokens. Security via trust and “callbacks”

Integration Patterns: 2-Way Data Sync
Challenge: Synchronize data to and/or from a 3rd party
Solution:
• Programmatic callouts via Apex to push and pull changes
• @future, Queueable, Batch
• Remote Site Setting (can now be packaged)
• Custom Protected Hierarchy Settings for endpoints
Common Pitfall: most ISVs also have a multi-tenant “pod” architecture. The referenced endpoint needs to be a proxy or router.

2-Way Data Sync: Pros and Cons
Pros:
• Can call out to any WSDL/REST
• Can utilize any ordering/priority/retry logic
• More complex data payloads
• More complex integration scenarios
Cons:
• Higher maintenance burden
• Asynchronous limits shared with the whole org
• Requires programmatic skillset
• Less configurable by end-users
Security Review: Security starts with design

Security Review
• Nothing is more important to salesforce.com than the privacy of their customers’ data
• Horizontal attacks require testing all entry points in your solution
• The more that customers trust AppExchange applications, the more likely they are to install them
• Team of 10+ security experts to review all applications approved for the AppExchange

Apex and Visualforce
• All code must be evaluated using Checkmarx
• Anything higher than an informational must be fixed
• CRUD/FLS often gets flagged
• JS
• SOQL Injection

CRUD and FLS
• CRUD: Create, Read, Update, Delete
• FLS: Field Level Security
• Apex code must test for these conditions
• ESAPI library: https://code.google.com/p/force-dot-com-esapi/wiki/GettingStarted
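What those Checkmarx findings look like in Apex, and the checks that clear them, as an added example that is not code from the deck or from Salesforce; the Contact object and Email field are assumptions. The unsafe method is the pattern the review flags (string-built SOQL plus DML with no permission check); the others show the describe-based CRUD/FLS checks, a bind variable instead of concatenation, and Security.stripInaccessible.

```apex
// Added example (not from the deck). Object and field names are assumptions.
public with sharing class ContactEmailService {
    public class AccessException extends Exception {}

    // What Checkmarx flags: user input concatenated into the query string (SOQL
    // injection) and DML with no CRUD/FLS check. Note that "with sharing" only
    // enforces record sharing; it does not check object or field permissions.
    public static List<Contact> findUnsafe(String nameFragment) {
        String soql = 'SELECT Id, Email FROM Contact WHERE LastName LIKE \'%'
            + nameFragment + '%\'';
        return Database.query(soql);
    }

    // Hardened query: check Read access on the object and the field (CRUD/FLS),
    // then pass the input as a bind variable so it cannot alter the SOQL.
    // (String.escapeSingleQuotes is the fallback only where a bind is impossible.)
    public static List<Contact> findSafe(String nameFragment) {
        if (!Schema.sObjectType.Contact.isAccessible()
                || !Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            throw new AccessException('No read access to Contact.Email');
        }
        String pattern = '%' + nameFragment + '%';
        return [SELECT Id, Email FROM Contact WHERE LastName LIKE :pattern];
    }

    // Hardened update: object-level (CRUD) and field-level (FLS) checks before DML,
    // so the running user can only change what the subscriber admin granted.
    public static void updateEmails(List<Contact> contacts) {
        if (!Schema.sObjectType.Contact.isUpdateable()
                || !Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AccessException('No update access to Contact.Email');
        }
        update contacts;
    }

    // Alternative for mixed field sets: drop the fields the running user cannot
    // update instead of failing the whole request, then save what is left.
    public static List<Contact> stripAndUpdate(List<Contact> contacts) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, contacts);
        List<Contact> allowed = (List<Contact>) decision.getRecords();
        update allowed;
        return allowed;
    }
}
```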
External Web Application
This is generally our largest risk factor for AppExchange products
• We test early and often
• It can take longer for the ISV to fix these issues due to existing development priorities
All web applications must be scanned using Burp or ZAP
• Includes the website (authenticated and unauthenticated)
• APIs
• Web services
• Any third party services as well
• All vulnerabilities marked as non-informational must be addressed

What to Burp Scan
• API endpoints
• Web application (authenticated/unauthenticated)
• Website (if sharing the same infrastructure)
• Canvas apps
• OAuth / auth process
• Web service calls
• Client-side JS libraries (Google Maps, etc)
DO NOT FORGET TO
• Scan authentication/login pages
• Scan API endpoints after authenticating, otherwise their code is not exercised!

Top Ten for Web Applications
1. Injection: SQL, OS, LDAP
2. Cross Site Scripting (XSS): improper validation and escaping allows an attacker to execute scripts in the browser to hijack user sessions or redirect to malicious sites
3. Broken Authentication/User Management: attackers can compromise passwords, keys, and session tokens to assume users’ identities
  • Username enumeration is included in this pattern
  • Password reset is always tested
  • DON’T STORE PASSWORDS IN PLAIN TEXT!
4. Insecure Direct Object Reference: exposing internal configuration and not securing it properly
5. Cross Site Request Forgery (XSRF): sites that rely upon identity can be spoofed
6. Security Misconfiguration: the default security settings for most web software are more open than secure. Modify defaults to lock down to only the essential functionality that is required
7. Insecure Cryptographic Storage: proper hashing/encryption for sensitive data (SSN, credit cards, OAuth tokens, passwords, etc)
8. Failure to Restrict URL Access: all pages behind authentication must enforce access control
9. Insufficient Transport Layer Protection: often due to expired/invalid certificates, improper configuration, or weak algorithms. See the Heartbleed bug!
10. Unvalidated Redirects and Forwards: attackers can redirect users to phishing and malware sites

Mobile/Desktop Application Guidance
• Store OAuth tokens in the keychain
  • All OSes provide a keychain for storing tokens
  • Do not provide your own security model/storage
• Set your device to proxy its internet connection through Burp running on a desktop
• Capture API calls to external applications
• Spider/actively scan all endpoints via Burp

Security Review Org, Part I
• A test org with your managed package installed and fully configured is required
  • Do not submit a PDE. This must be a test org for your target customer, generally an EE test org
  • Spin up new test orgs via your Environment Hub
• Create users for each of the profiles you are exposing
• Documentation on how the application works
  • Can be a Word/PDF document
  • Can also be a screencast
• Note that the SR team reviews hundreds of applications: make it as easy as possible for them to test your application! We are all on the same team

Security Review Org, Part II
• If there are external integrations, users on the external system must be included
• If a desktop or mobile application, the application + users for the application must be included
• On-premise solutions (PBX, ACD, databases, etc) need a full, working environment for the Security Review team
  • They will not use a VM for the testing
  • You must configure it yourself and make it available via a VPN connection
• If your web application shares infrastructure with your public website, that will be included in the test as well

Submission Process
• Seven-page wizard to submit your application
• Upload security certifications/policies that your organization may have
• You must include the Checkmarx report
• If you have any callouts or integrations, you must submit a Burp report (HTML output)
• If you have exceptions to the reports, you must submit them via the wizard as well
  • In our experience, exceptions are few and far between
• Credentials for your test org must be included
• For paid applications, credit card payment in the last step
• Must complete the ISV agreement prior to Security Review
• Prescreening takes place prior to entering the Security Review queue
Thank you