The ISV App Lab during Dreamforce 2015, hosted by Salesforce and CodeScience. It was a three-hour seminar in the Partner Zone focused on building your AppExchange app, and your business, from A to Z.
1. ISV AppLab: Building Your App, and Your Business, From A-Z
CodeScience (@codescience)
Salesforce ISV Team (@partnerforce)
2. Speakers
John Richter - Director, Partner Community
Robert Sussland - Senior Product Security Engineer, Webapp Security and Cryptography
Christopher Auyeung - Sr. Manager, User Experience
Mike Witherspoon - CEO
Brian Walsh - CSO
Eddie Blazer - Director of Architecture
Krishna Tatta - Technical Architect
Rina Henderson - Lead UX
3. Agenda
• Software Development Lifecycle
• Setting Your Business Up for Success
• Funding Opportunities for Partners
• User Experience
• The Lightning Experience
• Break
• Integration Considerations and Design Patterns
• Security Review
• Q&A
6. The Salesforce Partner Program
World’s #1 Cloud Ecosystem
Partner types: ISVs, Consulting Partners, Resellers, Digital Agencies
Partner Community: Partner Operations, Partner Marketing, Partner Development
7. Branding?
First Call Decks?
Webinars?
Live Events?
Pilots?
Logos?
Roadmap?
Surveys?
Trial Orgs?
Sponsorships?
White papers?
Leads?
New Releases?
Orders?
Opportunities?
Projects?
Red Accounts?
Customer Stories?
Org Extensions?
Technical Issues?
Design Questions?
Sales Collateral?
9. Partner User Groups
Briefings
Polls & Surveys
Instructor-led
Blogs
Program Guides
Media Assets
Partner Alerts!
Social Media
Communications
NewsFlash (e-newsletter)
Live Events
Office Hours
Learning
Ideas
Sessions
Online Programs
Roadmap
Partner Community
Releases & Pilots
10. Partner Community
Your one-stop shop for education and engagement
http://partners.salesforce.com/
• Partner Program Details
• Communications
• Training
• Deal Registration
• Webinars & Recordings
• Office Hours
• Sales & Enablement Resources
• Support
26. ISV Partner Lifecycle
Stages: Plan / Build / Distribute / Market / Sell
($) – denotes an additional fee may apply; speak with your Partner Account Manager (ISV) for details
• Sign up
• Partner Community :: App Academy :: Resources & Tools :: Online Training :: Publishing :: Support (Cases)
• ISVforce Guide, Developer Site, Support
• Business Review (PAM)
• Environment Hub: Developer Orgs, Test Orgs, Packaging Org, Managed Package
• Technical Review (TE)
• Security Review ($)
• Operations Review
• Final Contract Review
• Trialforce Management Org, Partner website, Free Trials
• AppExchange Marketing Program (AMP) ($)
• Partner Business Org: Campaigns, Leads, Analytics, Cases, Support Console, Other Apps, License Mgmt App, Opportunities, Channel Order App
• Sales Review
• Premier Support ($)
28. Choose Your Own Adventure
So many unknowns are going to affect your product
• Know that you’ll be learning the entire time
• Identify the biggest risks early and confront them
• Balance your skills by bringing in people who challenge you and think differently than you
“You know nothing, Jon Snow” - Ygritte
29. Where to Focus Your Time and Money
Rule of Thirds - Start Small, Stay Small by Rob Walling
Your Business
• Organizations take time
• Culture matters
• Invest time in your partnerships (e.g. Salesforce)
• HR, legal and ops are necessary
Your Product
• What? Only a third?
• Features can wait until you have an MVP, customer feedback and revenue
• “I don’t know why, but the best product never wins” - Michelle Witherspoon
Sales and Marketing
• Purchasers buy because they identify with a message or a sales person, period.
• The AppExchange will not sell your product for you (though it is an efficient marketing spend)
30. Timing and Pricing
Time = Money
What is your compelling event?
• Customers demanding features?
• Marketing event, e.g. Dreamforce or an industry trade show
• Security review takes 2 to 8 weeks
• You may have to resubmit, so leave time
• Only required for public listing. You can deploy your private listing to customers.
• Financial: watch those investor expectations and your burn rate
Pricing
• SaaS industry standard is per user per month.
• Rarely can you justify per year, per company or per some other dimension
• How much to charge?
• What is the marketing benefit/value to you if your app is free?
• What is the sales, construction and support cost of the app?
• What is a customer willing to pay?
31. Market Sizing and Business Plan
How big is your market?
• That’s a great question and it’s up to you to figure that out
Business plan basics
• Revenue plan
• Hiring plan
• Investor or budget pitch
• Marketing plan
A plan is incorrect the second you finish it
32. Assess Your Team
17 Roles to Build a Product
Write down who can fill each role and identify your team’s skill gaps
Determine a path to fill those gaps
• Hire (and train)
• Find a hired gun (solo contractor)
• Outsource to a PDO
• Onshore or offshore?
• Full team or a subset?
• Know your budget (1/3 of your cash)
• Is your organization ready for consultants?
Roles for an agile development team
• Software architect (Salesforce Platform)
• Product Owner
• Scrum Master
• UX Designer
• Salesforce Developer (Configuration, Apex, Visualforce, Lightning, etc.)
• Quality Assurance/Quality Engineer
33. What Kind of Partner Are You?
Business Model
• ISVforce: adds on to Salesforce CRM; customers are existing Salesforce users
• OEM: market outside of the Salesforce ecosystem; assumes no CRM objects
Revenue Collection
• Free - best place to start
• Checkout - Salesforce collects
• Traditional - Partner collects
Partner Tiers
• Free and Registered - < 120K annually
• Silver - 120K to 800K ACV
• Gold and Platinum - > 800K
Know your value to Salesforce
35. [Chart: portfolio breakdown by company type - SaaS, SaaS + Service, Tech-enabled services, Digital Media (52%, 25%, 21%)]
• 100+ financings across 70+ companies
• Almost 80% are SaaS
• Revenue Based Financing for tech companies
• $50k-$1mm per company
• Technology + Capital = Better for Entrepreneurs
36. Funding paths for ISVs
[Chart: revenue (up to $5m) against company stage - Ideation, Launch & Traction, Growth & Scale, Breakout, Established - with funding sources Debt, Equity, Bootstrap / Friends & Family, Incubator / Angels, and paths labelled VC Backed, Non VC, Blended]
37. Funding Option Comparison
Columns: Bank / Debt | Revenue-Based Finance | Venture Capital
• Guarantees & Controls: Financial Covenants, Sometimes Personal Guarantees | No Financial Covenants, No Personal Guarantees | Partner in the Business (Board Seat, Voting Rights)
• Added Value: Low / None | Medium | High
• Dilution: None / Low | None | High
• Payment Flexibility: Low (Fixed Payments) | Medium (Variable Payments) | High (No Payments)
• Speed: 4-8 months | 4 weeks | Highly variable; typically 3-9 months of focused effort
38. What is Revenue-based financing?
• The best of debt and equity – aligned interests with no dilution
• Essentially a royalty agreement
• Monthly payments = fixed % of revenue
• Fits SaaS
[Chart: company revenue and loan payment over periods 1-14]
Example Financing
• Up to $1M or 33% of annualized revenue run rate
• $500K funding
• Payment: 5% of monthly revenue
• Repayment: 1.7x principal ($850K)
• Maturity: 5 years
41. UX is Empathy
Question: What is Empathy?
In a hypothetical narrative, a person sees a fast food restaurant.
42. UX is Empathy
Question: What is Empathy?
A person sees a fast food restaurant as they are driving their car to the mall.
43. UX is Empathy
Question: What is Empathy?
A middle-aged woman sees her favorite fast food restaurant as she drives her car to the mall to buy a pair of dress shoes for an interview.
48. UX: The “Thinking Parts”
I want to get my head into your project!
Leverage my ignorance.
It’s not just about visual design!
Telltale signs of good thinking.
53. UX: The “Design Parts”
Design an experience, including your brand.
Visualize requirements via proof of concept.
Iteration … we didn’t get to the future without iteration!
69. What is Integration?
Any transfer of data between multiple services
Examples:
• Salesforce SOAP call-out to an ERP system
• Mobile app RESTful call-in to Salesforce to get leads
• Salesforce-hosted VF page XHR callout to a 3rd party stock ticker
• Salesforce-hosted VF page embeds a Twitter feed (iframe/”mashup”)
70. Design Considerations
Consideration: Security Review
Considerations:
• Security Review has very strict pass/fail criteria. This alone has the largest influence on integration design because it has the most constraints.
• Data at Rest, In-Transit, In-Use
• Authentication
• CSRF/XSS/SOQL Injection, CDN
Mitigations:
• Custom Protected Settings
• Encrypted Fields / Platform Encryption
• TLS, two-way SSL auth
• SAML, OAuth, CSR, named credentials
• CORS, Static Resources
• Checkmarx and ZAP/Burp scan
• Can be integrated into build automation
71. Design Considerations
Consideration: Performance/Scalability
Considerations:
• Transaction Context: Trigger, VF Page, Browser, etc.
• Bulkified
• JSON vs XML
• Data Width, Frequency, Schedule
Mitigations:
• WF-OBM, @future, Queueable, Batch, Scheduled
• Bulkify everything
• Least data
• Checkmarx Scanner
72. Design Considerations
Consideration: User Experience
Considerations:
• Blocking or non-blocking operation?
• Need immediate feedback?
• Streaming data
Mitigations:
• Validate business requirements
73. Design Considerations
Consideration: Maintenance
Considerations:
• Layer Choice: Server or Browser?
• Skillsets: back-end, front-end, middle
• Solution choice
Mitigations:
• Clicks not code
• Designing with layers and appropriate patterns
• Microservices and SOA
• Middleware
74. Design Considerations
Consideration: Money, duh
Considerations:
• Buy a tool vs custom build
• Cost scalability
Mitigations:
• Engage a PDO!
76. Integration Patterns
2-way Token Exchange
Use Case: Salesforce and the ISV need asynchronous API access to each other
Challenge: Building a secure, authenticated integration
• Storing 3rd party credentials = bad! Use revocable tokens authorized by the user or admin that are specific to each client
• OAuth is a user-driven process; performing it bi-directionally is challenging
Solution:
• VF “Setup” page to initialize the OAuth flow to the 3rd party service
• Request a refresh token and store it in a custom protected hierarchy setting
• Upon completion of the flow, redirect to a Canvas app
• Canvas can utilize a “Lifecycle Handler” ISV-defined Apex class
• Sends 3rd party & Salesforce refresh tokens in one payload to the 3rd party
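As an added example (not code from the deck or from CodeScience), the setup-page step of the token exchange above in Apex: the authorization code is traded for a refresh token and the token lands in a protected hierarchy custom setting. It assumes a hypothetical setting Integration_Settings__c with fields Token_Endpoint__c, Client_Id__c, Client_Secret__c and Refresh_Token__c, and a packaged Remote Site Setting for the token endpoint.

```apex
// Added example (not from the deck or CodeScience). Assumes a protected hierarchy
// custom setting Integration_Settings__c with fields Token_Endpoint__c, Client_Id__c,
// Client_Secret__c and Refresh_Token__c (hypothetical names) and a Remote Site Setting
// for the token endpoint, both packaged with the app.
public with sharing class ThirdPartySetupController {

    // Called from the Visualforce setup page once the 3rd party has redirected
    // back with a one-time authorization code.
    public static void completeAuthorization(String authCode, String redirectUri) {
        Integration_Settings__c settings = Integration_Settings__c.getOrgDefaults();
        String refreshToken = exchangeCodeForRefreshToken(settings, authCode, redirectUri);
        // Protected settings are readable only by Apex in the package namespace, so the
        // token is invisible to subscriber admins, other packages and the API.
        settings.Refresh_Token__c = refreshToken;
        upsert settings;
    }

    // Exchange the code for tokens. Only the refresh token is persisted; the short-lived
    // access token is re-minted on demand by the integration classes that need it.
    private static String exchangeCodeForRefreshToken(Integration_Settings__c settings,
                                                      String authCode, String redirectUri) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(settings.Token_Endpoint__c);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('grant_type=authorization_code'
            + '&code=' + EncodingUtil.urlEncode(authCode, 'UTF-8')
            + '&redirect_uri=' + EncodingUtil.urlEncode(redirectUri, 'UTF-8')
            + '&client_id=' + EncodingUtil.urlEncode(settings.Client_Id__c, 'UTF-8')
            + '&client_secret=' + EncodingUtil.urlEncode(settings.Client_Secret__c, 'UTF-8'));

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Report the status only: the body may carry tokens and must not reach the UI or logs.
            throw new SetupException('Token exchange failed with HTTP ' + res.getStatusCode());
        }
        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        String refreshToken = (String) body.get('refresh_token');
        if (String.isBlank(refreshToken)) {
            throw new SetupException('Token endpoint returned no refresh_token');
        }
        return refreshToken;
    }

    public class SetupException extends Exception {}
}
```

The redirect to the Canvas app and the Lifecycle Handler that ships both refresh tokens to the 3rd party follow on from completeAuthorization and are not shown here.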
79. Integration Patterns
Data Push
Challenge: Push data changes that happen in Salesforce to your 3rd party system
• Do it cheap
• Do it fast
• Make it perform
Solution:
• Workflow Outbound Messages
• Middleware hosted by 3rd party or custom SOAP web service built by 3rd party
80. Integration Patterns
Data Push
Pros:
• Clicks not code
• Built-in queueing/retry
• Bulkified
• Supported/upgraded by Salesforce
• No limits
• Admin configurable
Cons:
• Salesforce-provided WSDL, no REST
• Limited data payloads
• FIFO queue, no order/priority
• Asynchronous
• No authN tokens; security via trust and “callbacks”
82. Integration Patterns
2-Way Data Sync
Challenge: Synchronize data to and/or from a 3rd party
Solution:
• Programmatic callouts via Apex to push and pull changes
• @future, Queueable, Batch
• Remote Site Setting (can now be packaged)
• Custom Protected Hierarchy Settings for endpoints
Common Pitfall: most ISVs also have a multi-tenant “pod” architecture. The referenced endpoint needs to be a proxy or router.
83. Integration Patterns
2-Way Data Sync
Pros:
• Can call out to any WSDL/REST
• Can utilize any ordering/priority/retry logic
• More complex data payloads
• More complex integration scenarios
Cons:
• Higher maintenance burden
• Asynchronous limits shared with whole org
• Requires programmatic skillset
• Less configurable by end-users
85. Security Review
Nothing is more important to salesforce.com than the privacy of their customers’ data
Horizontal attacks require testing all entry points in your solution
The more that customers trust AppExchange applications, the more likely they are to install them
Team of 10+ security experts to review all applications approved for the AppExchange
86. Apex and Visualforce
All code must be evaluated using Checkmarx
Anything higher than an informational must be fixed
Commonly flagged:
• CRUD/FLS
• JS
• SOQL Injection
87. CRUD and FLS
CRUD:
• Create
• Read
• Update
• Delete
FLS:
• Field Level Security
Apex code must test for these conditions
ESAPI library: https://code.google.com/p/force-dot-com-esapi/wiki/GettingStarted
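As an added example (not code from the deck, CodeScience or the ESAPI project) covering the CRUD/FLS and SOQL injection findings from the two slides above: a small Apex service that checks object and field access with the standard Schema describe calls before querying and updating Contact, and uses a bind variable so user input can never change the query structure. The class and method names are hypothetical; the ESAPI library linked above wraps the same describe checks.

```apex
// Added example (not from the deck, CodeScience or the ESAPI project). Contact is a
// standard object; the class and method names are hypothetical.
public with sharing class ContactEmailService {

    // Fields this service reads; each is FLS-checked before the query runs.
    private static final List<Schema.SObjectField> READ_FIELDS =
        new List<Schema.SObjectField>{ Contact.Id, Contact.Name, Contact.Email };

    // Search contacts by name fragment. The fragment is passed as a bind variable, so it
    // is data only and cannot alter the SOQL (no concatenation, nothing to escape).
    public static List<Contact> findByName(String nameFragment) {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AccessException('No read access to Contact');
        }
        for (Schema.SObjectField f : READ_FIELDS) {
            if (!f.getDescribe().isAccessible()) {
                throw new AccessException('No read access to ' + f.getDescribe().getName());
            }
        }
        String pattern = '%' + nameFragment + '%';
        return [SELECT Id, Name, Email FROM Contact WHERE Name LIKE :pattern LIMIT 50];
    }

    // Update one field; the object-level (CRUD) and field-level (FLS) checks both
    // precede the DML, which is what Checkmarx looks for.
    public static void updateEmail(Id contactId, String newEmail) {
        if (!Schema.sObjectType.Contact.isUpdateable()) {
            throw new AccessException('No update access to Contact');
        }
        if (!Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AccessException('No update access to Contact.Email');
        }
        update new Contact(Id = contactId, Email = newEmail);
    }

    // When dynamic SOQL is unavoidable (e.g. a filter built at runtime), the finding is
    // user input concatenated straight into the query string:
    //   Database.query('SELECT Id FROM Contact WHERE Name = \'' + input + '\'');
    // Escaping the quotes first is the accepted fix for that shape.
    public static List<Contact> dynamicFindExact(String input) {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AccessException('No read access to Contact');
        }
        String safe = String.escapeSingleQuotes(input);
        return Database.query('SELECT Id FROM Contact WHERE Name = \'' + safe + '\' LIMIT 50');
    }

    public class AccessException extends Exception {}
}
```

The class is declared with sharing so record-level sharing is honoured as well; CRUD/FLS checks do not cover that on their own.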
88. External Web Application
This is generally our largest risk factor for AppExchange products
• We test early and often
• It can take longer for the ISV to fix these issues due to existing development priorities
All web applications must be scanned using Burp or ZAP
• Includes website (authenticated and unauthenticated)
• APIs
• Web services
• Any third party services as well
• All vulnerabilities marked as non-informational must be addressed
89. What to Burp Scan
• API endpoints
• Web application (authenticated/unauthenticated)
• Website (if sharing the same infrastructure)
• Canvas apps
• OAuth / auth process
• Web service calls
• Client-side JS libraries (Google Maps, etc.)
DO NOT FORGET TO
• Scan authentication/login pages
• Scan API endpoints after authenticating, otherwise their code is not exercised!
90. Top Ten for Web Applications
1. Injection: SQL, OS, LDAP
2. Cross Site Scripting (XSS): improper validation and escaping allows an attacker to execute scripts in the browser to hijack user sessions or redirect to malicious sites
3. Broken Authentication/User Management: attackers can compromise passwords, keys, and session tokens to assume users’ identities
• Username enumeration is included in this pattern
• Password reset is always tested
• DON’T STORE PASSWORDS IN PLAIN TEXT!
4. Insecure Direct Object Reference: exposing internal configuration and not securing it properly
5. Cross Site Request Forgery (XSRF): sites that rely upon identity can be spoofed
91. Top Ten for Web Applications
6. Security Misconfiguration: default security settings for most web software are more open than secure. Modify defaults to lock down to only the essential functionality that is required
7. Insecure Cryptographic Storage: proper hashing/encryption for sensitive data (SSN, credit cards, OAuth tokens, passwords, etc.)
8. Failure to Restrict URL Access: all pages behind authentication must enforce access control
9. Insufficient Transport Layer Protection: often due to expired/invalid certificates, improper configuration, or weak algorithms. See the Heartbleed bug!
10. Unvalidated Redirects and Forwards: attackers can redirect users to phishing and malware sites
92. Mobile/Desktop Application Guidance
Store OAuth tokens in the keychain
• All OSes provide a keychain for storing tokens
• Do not provide your own security model/storage
Set your device to proxy its internet connection through Burp running on the desktop
• Capture API calls to external applications
• Spider/actively scan all endpoints via Burp
93. Security Review Org, Part I
A test org with your managed package installed and fully configured is required
• Do not submit a PDE. This must be a test org for your target customer – generally an EE test org
• Spin up new test orgs via your Environment Hub
Create users for each of the profiles you are exposing
Documentation on how the application works
• Can be a Word/PDF document
• Can also be a screencast
Note that the SR team reviews hundreds of applications: make it as easy as possible for them to test your application!
We are all on the same team
94. Security Review Org, Part II
If there are external integrations, users on the external system must be included
If there is a desktop or mobile application, the application + users for the application must be included
On-premise solutions (PBX, ACD, databases, etc.) need to have a full, working environment for the Security Review team
• They will not use a VM for the testing
• You must configure it yourself and make it available via a VPN connection
If your web application shares infrastructure with your public website, that will be included in the test as well
95. Submission Process
Seven-page wizard to submit your application
Upload security certifications/policies that your organization may have
You must include the Checkmarx report
If you have any callouts or integrations, you must submit the Burp report
• HTML output
If you have exceptions to the reports, you must submit them via the wizard as well
• In our experience, exceptions are few and far between
Credentials for your test org must be included
For paid applications, credit card payment in the last step
Must complete the ISV agreement prior to Security Review
Prescreening takes place prior to entering the Security Review queue