
Page 1: ISV App Lab

ISV AppLab: Building Your App, and Your Business, From A-Z

CodeScience (@codescience)

Salesforce ISV Team (@partnerforce)

Page 2: ISV App Lab

Speakers

• John Richter - Director, Partner Community
• Robert Sussland - Senior Product Security Engineer, Webapp Security and Cryptography
• Christopher Auyeung - Sr. Manager, User Experience
• Mike Witherspoon - CEO
• Brian Walsh - CSO
• Eddie Blazer - Director of Architecture
• Krishna Tatta - Technical Architect
• Rina Henderson - Lead UX

Page 3: ISV App Lab

Agenda

• Software Development Lifecycle
• Setting Your Business Up for Success
• Funding Opportunities for Partners
• User Experience
• The Lightning Experience
• Break
• Integration Considerations and Design Patterns
• Security Review
• Q&A

Page 4: ISV App Lab
Page 5: ISV App Lab

John Richter - Director, Partner Community, Salesforce Partner Program (@partnerforce)

Page 6: ISV App Lab

The Salesforce Partner Program: World’s #1 Cloud Ecosystem

Partner types: ISVs, Consulting Partners, Resellers, Digital Agencies

Partner Community: Partner Operations, Partner Marketing, Partner Development

Page 7: ISV App Lab

Branding? First Call Decks? Webinars? Live Events? Pilots? Logos? Roadmap? Surveys? Trial Orgs? Sponsorships? White papers? Leads? New Releases? Orders? Opportunities? Projects? Red Accounts? Customer Stories? Org Extensions? Technical Issues? Design Questions? Sales Collateral?

Page 8: ISV App Lab

Seamless. Structured. Secure.

Page 9: ISV App Lab

Partner Community: Partner User Groups, Briefings, Polls & Surveys, Instructor-led, Blogs, Program Guides, Media Assets, Partner Alerts!, Social Media, Communications, NewsFlash (e-newsletter), Live Events, Office Hours, Learning, Ideas, Sessions, Online Programs, Roadmap, Releases & Pilots

Page 10: ISV App Lab

Partner Community: Your one-stop shop for education and engagement

http://partners.salesforce.com/

• Partner Program Details
• Communications
• Training
• Deal Registration
• Webinars & Recordings
• Office Hours
• Sales & Enablement Resources
• Support

Page 11: ISV App Lab

Partner Community in Action: Education & Engagement

Page 12: ISV App Lab

Official: Partner Community Chatter Group

http://p.force.com/official

Page 13: ISV App Lab

Questions & Answers Chatter Group

http://p.force.com/question

Page 14: ISV App Lab

Alerts! for Partners

http://p.force.com/alerts

Page 15: ISV App Lab

Releases for Partners

http://p.force.com/releases

Page 16: ISV App Lab

Roadmap for Partners

http://p.force.com/roadmap

Page 17: ISV App Lab

AppExchange Publishing

http://p.force.com/applisting

Page 18: ISV App Lab

Support

http://p.force.com/case

Page 19: ISV App Lab

Trailhead: ISV Basics - New onboarding for ISVs

http://p.force.com/ISVbasics

• Getting Started
• ISV Product Lifecycle
• Tools & Resources

Page 20: ISV App Lab

ISV Partner Lifecycle: Key Drivers for Planning Your App, and Your Business

Page 21: ISV App Lab

ISV Partner Lifecycle (the diagram is built up across slides 21-26; the complete view follows)

Stages: Plan, Build, Distribute, Market, Sell, Support

($) denotes an additional fee may apply; speak with your Partner Account Manager (ISV) for details.

Resources and tools:
• Sign up
• Partner Community: App Academy, Resources & Tools, Online Training, Publishing, Support (Cases)
• ISVforce Guide, Developer Site
• Environment Hub: Developer Orgs, Test Orgs, Packaging Org
• Managed Package
• Trialforce Management Org (FREE TRIALS)
• Partner website
• Partner Business Org: Campaigns, Leads, Analytics; License Mgmt App, Opportunities, Channel Order App; Cases, Support Console, Other Apps
• AppExchange Marketing Program (AMP) ($)
• Premier Support ($)

Reviews along the way:
• Business Review (PAM)
• Technical Review (TE)
• Security Review ($)
• Operations Review
• Final Contract Review
• Sales Review

Page 27: ISV App Lab

Foundations for AppExchange Success: Some tricks and tips we’ve learned along the way

Mike Witherspoon CEO [email protected] @spoonscience

Page 28: ISV App Lab

Choose Your Own Adventure

So many unknowns are going to affect your product
• Know that you’ll be learning the entire time
• Identify biggest risks early and confront them
• Balance your skills by bringing in people who challenge and think differently than you

“You know nothing, Jon Snow” - Ygritte

Page 29: ISV App Lab

Rule of Thirds (Start Small, Stay Small by Rob Walling): Where to Focus Your Time and Money

Your Business
• Organizations take time
• Culture matters
• Invest time in your partnerships (e.g. Salesforce)
• HR, legal and ops are necessary

Your Product
• What? Only a third?
• Features can wait until you have an MVP, customer feedback and revenue
• “I don’t know why, but the best product never wins” - Michelle Witherspoon

Sales and Marketing
• Purchasers buy because they identify with a message or a sales person, period.
• The AppExchange will not sell your product for you (though it is an efficient marketing spend)

Page 30: ISV App Lab

Timing and Pricing: Time = Money

What is your compelling event?
• Customers demanding features?
• Marketing event, e.g. Dreamforce or an industry trade show
• Security review takes 2 to 8 weeks
  • You may have to resubmit, so leave time
  • Only required for public listing. You can deploy your private listing to customers.
• Financial: watch those investor expectations and your burn rate

SaaS industry standard is per user per month.
• Rarely can you justify per year, per company or per some other dimension
• How much to charge? What is the marketing benefit/value to you if your app is free? What is the sales, construction and support cost of the app? What is a customer willing to pay?

Page 31: ISV App Lab

Market Sizing and Business Plan

How big is your market?
• That’s a great question and it’s up to you to figure that out

Business plan basics
• Revenue plan
• Hiring plan
• Investor or budget pitch
• Marketing plan

A plan is incorrect the second you finish it

Page 32: ISV App Lab

Assess Your Team: 17 Roles to Build a Product

Write down who can fill each role and identify your team’s skill gaps

Determine a path to fill those gaps
• Hire (and train)
• Find a hired gun (solo contractor)
• Outsource to a PDO
  • Onshore or offshore?
  • Full team or a subset?
  • Know your budget (1/3 of your cash)
  • Is your organization ready for consultants?

Roles for an agile development team
• Software architect (Salesforce Platform)
• Product Owner
• Scrum Master
• UX Designer
• Salesforce Developer (Configuration, Apex, Visualforce, Lightning, etc)
• Quality Assurance/Quality Engineer

Page 33: ISV App Lab

What Kind of Partner Are You? Know your value to Salesforce

Business Model
• ISVforce: adds on to Salesforce CRM; customers are existing Salesforce users
• OEM: market outside of the Salesforce ecosystem; assumes no CRM objects

Revenue Collection
• Free - best place to start
• Checkout - Salesforce collects
• Traditional - Partner collects

Partner Tiers
• Free and Registered - <120K annually
• Silver - 120K to 800K ACV
• Gold and Platinum - >800K

Page 34: ISV App Lab

Funding Opportunities for ISVs: Many different models are available

Page 35: ISV App Lab

[Chart: portfolio mix by company type - SaaS, SaaS + Service, Tech-enabled services, Digital Media; segments labelled 52%, 25% and 21%]

• 100+ financings across 70+ companies
• Almost 80% are SaaS
• Revenue Based Financing for tech companies
• $50k-$1mm per company
• Technology + Capital = Better for Entrepreneurs

Page 36: ISV App Lab

Funding paths for ISVs

[Chart: revenue (up to $5m) against company stage - Ideation, Launch & Traction, Growth & Scale, Breakout, Established - with funding sources Bootstrap / Friends & Family, Incubator / Angels, Debt and Equity, and paths labelled VC Backed, Non VC and Blended]

Page 37: ISV App Lab

Funding Option Comparison

| | Bank / Debt | Revenue-Based Finance | Venture Capital |
| Guarantees & Controls | Financial Covenants; Sometimes Personal Guarantees | No Financial Covenants; No Personal Guarantees | Partner in the Business (Board Seat, Voting Rights) |
| Added Value | Low / None | Medium | High |
| Dilution | None / Low | None | High |
| Payment Flexibility | Low: Fixed Payments | Medium: Variable Payments | High: No Payments |
| Speed | 4-8 months | 4 weeks | Highly variable. Typical 3-9 months of focused effort |

Page 38: ISV App Lab

What is Revenue-based financing?

• The best of debt and equity – aligned interests with no dilution
• Essentially a royalty agreement
• Monthly payments = fixed % of revenue
• Fits SaaS

[Chart: company revenue and loan payment across periods 1-14]

Example Financing
• Up to $1M or 33% of annualized revenue run rate
• $500K funding
• Payment: 5% of monthly revenue
• Repayment: 1.7x principal ($850K)
• Maturity: 5 years

Page 39: ISV App Lab


Contact Information R. Branden Harper

Director – Investment Team [email protected]

310.463.3285

Page 40: ISV App Lab

What Is UX? It’s rarely just about making things pretty!

Page 41: ISV App Lab

UX is Empathy - Question: What is Empathy?

In a hypothetical narrative, a person sees a fast food restaurant.

Page 42: ISV App Lab

UX is Empathy - Question: What is Empathy?

A person sees a fast food restaurant as they are driving their car to the mall.

Page 43: ISV App Lab

UX is Empathy - Question: What is Empathy?

A middle-aged woman sees her favorite fast food restaurant as she drives her car to the mall to buy a pair of dress shoes for an interview.

Page 44: ISV App Lab

UX: The “Thinking Parts” (built up across slides 44-48)

• I want to get my head into your project!
• Leverage my ignorance.
• It’s not just about visual design!
• Telltale signs of good thinking.

Page 49: ISV App Lab

UX: The “Design Parts” (built up across slides 49-53)

• Design an experience, including your brand.
• Visualize requirements via proof of concept.
• Iteration … we didn’t get to the future without iteration!

Page 54: ISV App Lab

UX: The “Build Parts” (built up across slides 54-56)

• Prototype, prototype, PROTOTYPE!
• HTML / CSS = inexpensive vetting cycle
• Parallel universe...

Page 57: ISV App Lab

What Does UX Look Like? It differs for everyone, but here’s what’s worked for us...

Page 58: ISV App Lab

Personas

Page 59: ISV App Lab

Context

Page 60: ISV App Lab

User Flows

Page 61: ISV App Lab

User Flows (continued, because we like these… a lot)

Page 62: ISV App Lab

Information Architecture

Page 63: ISV App Lab

Information Architecture with User Flow (yep, still important)

Page 64: ISV App Lab

Wireframing

Page 65: ISV App Lab

Optimizing UI (SLDS)

Page 66: ISV App Lab

Prototyping

Page 67: ISV App Lab

The Lightning Experience

Page 68: ISV App Lab

Integration: Best practices for integration in an ISV App

Page 69: ISV App Lab

What is Integration?

Any transfer of data from multiple services. Examples:
• Salesforce SOAP call-out to an ERP system
• Mobile app RESTful call-in to Salesforce to get leads
• Salesforce-hosted VF page XHR callout to 3rd party stock ticker
• Salesforce-hosted VF page embeds a Twitter feed (iframe/“mashup”)

Page 70: ISV App Lab

Design Considerations - Consideration: Security Review

Considerations:
• Security Review has very strict pass/fail criteria. This alone has the largest influence on integration design because it has the most constraints.
• Data at Rest, In-Transit, In-Use
• Authentication
• CSRF/XSS/SOQL-Injection, CDN

Mitigations:
• Custom Protected Settings
• Encrypted Fields / Platform Encryption
• TLS, two-way SSL auth
• SAML, OAuth, CSR, named credentials
• CORS, Static Resources
• Checkmarx and ZAP/Burp scan (can be integrated into build automation)

Page 71: ISV App Lab

Design Considerations - Consideration: Performance/Scalability

Considerations:
• Transaction Context: Trigger, VF Page, Browser, etc
• Bulkified
• JSON vs XML
• Data Width, Frequency, Schedule

Mitigations:
• WF-OBM, @future, Queueable, Batch, Scheduled
• Bulkify everything
• Least data
• Checkmarx Scanner

Page 72: ISV App Lab

Design Considerations - Consideration: User Experience

Considerations:
• Blocking or non-blocking operation?
• Need immediate feedback?
• Streaming data

Mitigations:
• Validate business requirements

Page 73: ISV App Lab

Design Considerations - Consideration: Maintenance

Considerations:
• Layer Choice: Server or Browser?
• Skillsets: back-end, front-end, middle
• Solution choice

Mitigations:
• Clicks not code
• Designing with layers and appropriate patterns
• Microservices and SOA
• Middleware

Page 74: ISV App Lab

Design Considerations - Consideration: Money, duh

Considerations:
• Buy a tool vs custom build
• Cost scalability

Mitigations:
• Engage a PDO!

Page 75: ISV App Lab

Integration Patterns: 2-Way Token Exchange

Page 76: ISV App Lab

Integration Patterns: 2-way Token Exchange

Use Case: Salesforce and ISV need asynchronous API access to each other

Challenge: Building a secure, authenticated integration
• Storing 3rd party credentials = bad! Use revocable tokens authorized by the user or admin that are specific to each client
• OAuth is a user-driven process; performing it bi-directionally is challenging

Solution:
• VF “Setup” page to initialize the OAuth flow to the 3rd party service
• Request a refresh token, store in a custom protected hierarchy setting
• Upon completion of flow, redirect to a Canvas app
• Canvas can utilize a “Lifecycle Handler” ISV-defined Apex Class
  • Sends 3rd party & Salesforce refresh tokens in one payload to 3rd party
  • 3rd Party links & stores the SF refresh token

Page 77: ISV App Lab

Integration Patterns: 2-way Token Exchange

Page 78: ISV App Lab

Integration Patterns: Easy Data “Push”

Page 79: ISV App Lab

Integration Patterns: Data Push

Challenge: Push data changes that happen in Salesforce to your 3rd party system
• Do it cheap
• Do it fast
• Make it perform

Solution:
• Workflow Outbound Messages
• Middleware hosted by 3rd party or custom SOAP webservice built by 3rd party

Page 80: ISV App Lab

Integration Patterns: Data Push

Pros:
• Clicks not code
• Built-in queueing/retry
• Bulkified
• Supported/upgraded by Salesforce
• No limits
• Admin configurable

Cons:
• Salesforce-provided WSDL, no REST
• Limited data payloads
• FIFO queue, no order/priority
• Asynchronous
• No authN tokens. Security via trust and “callbacks”

Page 81: ISV App Lab

Integration Patterns: 2-Way Data Sync

Page 82: ISV App Lab

Integration Patterns: 2-Way Data Sync

Challenge: Synchronize data to and/or from a 3rd party

Solution:
• Programmatic callouts via Apex to push and pull changes
• @future, Queueable, Batch
• Remote Site Setting (can now be packaged)
• Custom Protected Hierarchy Settings for endpoints

Common Pitfall: most ISVs also have a multi-tenant “pod” architecture. The referenced endpoint needs to be a proxy or router.
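As an added example (not code from the deck or from CodeScience), here is the push half of this pattern as an Apex Queueable: the endpoint and API token come from a protected hierarchy custom setting, the job is bulkified, and the org Id travels with the payload so the ISV's router can pick the right tenant pod. The setting name ISV_Sync_Settings__c, its fields Router_Endpoint__c and Api_Token__c, and the class name are assumptions; a Remote Site Setting for the router host is assumed to be packaged.

```apex
// Added example, not from the deck: pushes changed Accounts to the ISV's router.
// Assumed, hypothetical names: protected custom setting ISV_Sync_Settings__c with
// text fields Router_Endpoint__c and Api_Token__c.
public with sharing class AccountSyncQueueable implements Queueable, Database.AllowsCallouts {

    private final Set<Id> accountIds;
    private final Integer attempt;

    public AccountSyncQueueable(Set<Id> accountIds) {
        this(accountIds, 1);
    }

    private AccountSyncQueueable(Set<Id> accountIds, Integer attempt) {
        this.accountIds = accountIds;
        this.attempt = attempt;
    }

    public void execute(QueueableContext ctx) {
        // Protected hierarchy setting: subscriber admins cannot read or edit the
        // endpoint or token, and the package can update them on upgrade.
        ISV_Sync_Settings__c cfg = ISV_Sync_Settings__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.Router_Endpoint__c)) {
            return; // this org has not finished setup; nothing to send
        }

        // Bulkified: one SOQL query for the whole batch of Ids, one callout.
        List<Account> accts = [SELECT Id, Name, Website, LastModifiedDate
                               FROM Account WHERE Id IN :accountIds];
        if (accts.isEmpty()) {
            return;
        }

        // The ISV side is multi-tenant: the endpoint is a router, and the org Id
        // is what lets it forward this payload to the correct tenant pod.
        Map<String, Object> payload = new Map<String, Object>{
            'orgId'   => UserInfo.getOrganizationId(),
            'records' => accts
        };

        HttpRequest req = new HttpRequest();
        req.setEndpoint(cfg.Router_Endpoint__c + '/v1/accounts');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        // Token is per-org and revocable on the ISV side; never hardcoded in Apex.
        req.setHeader('Authorization', 'Bearer ' + cfg.Api_Token__c);
        req.setTimeout(30000);
        req.setBody(JSON.serialize(payload));

        HttpResponse res = new Http().send(req);

        // Unlike Outbound Messages, retry is our job here: chain one follow-up
        // job on a server-side failure and give up after three attempts.
        // (Chaining is not allowed inside Apex tests, hence the guard.)
        if (res.getStatusCode() >= 500 && attempt < 3 && !Test.isRunningTest()) {
            System.enqueueJob(new AccountSyncQueueable(accountIds, attempt + 1));
        }
    }
}
```

Enqueue it from a trigger with System.enqueueJob(new AccountSyncQueueable(Trigger.newMap.keySet())); the asynchronous limits it consumes are shared with the whole subscriber org, as the next slide's cons list notes.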

Page 83: ISV App Lab

Integration Patterns: 2-Way Data Sync

Pros:
• Can callout to any WSDL/REST
• Can utilize any ordering/priority/retry logic
• More complex data payloads
• More complex integration scenarios

Cons:
• Higher maintenance burden
• Asynchronous limits shared with whole org
• Requires programmatic skillset
• Less configurable by end-users

Page 84: ISV App Lab

Security Review: Security starts with design

Page 85: ISV App Lab

Security Review

• Nothing is more important to salesforce.com than the privacy of their customers’ data
• Horizontal attacks require testing all entry points in your solution
• The more that customers trust AppExchange applications, the more likely they are to install them
• A team of 10+ security experts reviews all applications approved for the AppExchange

Page 86: ISV App Lab

Apex and Visualforce

• All code must be evaluated using Checkmarx
• Anything higher than informational must be fixed
• CRUD/FLS often gets flagged
• JS
• SOQL Injection

Page 87: ISV App Lab

CRUD and FLS

CRUD:
• Create
• Read
• Update
• Delete

FLS:
• Field Level Security

Apex code must test for these conditions.
ESAPI library: https://code.google.com/p/force-dot-com-esapi/wiki/GettingStarted
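As an added example (not from the deck or the ESAPI library), the following Apex controller shows the two checks that most often get flagged in review: CRUD and FLS enforced through the describe API before every read, update and delete, and a bind variable instead of string concatenation so the user's search term can never change the SOQL. Object and field names are standard Contact fields; the class and exception names are assumptions, and the same checks could be delegated to the ESAPI accessController() the slide links to.

```apex
// Added example, not from the deck: CRUD/FLS enforcement plus injection-safe SOQL.
// Standard Contact fields; class name and AccessDeniedException are assumptions.
// "with sharing" adds record-level sharing on top of the object/field checks below.
public with sharing class ContactSearchController {

    public class AccessDeniedException extends Exception {}

    // Fields the page displays; each is checked for read access before the query.
    private static final List<Schema.SObjectField> READ_FIELDS =
        new List<Schema.SObjectField>{ Contact.LastName, Contact.Email, Contact.Phone };

    public static List<Contact> search(String term) {
        // CRUD: the running user must be allowed to read Contact at all.
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AccessDeniedException('No read access to Contact');
        }
        // FLS: every field returned must be readable, or hidden data leaks
        // through the page even though the user could not see it on a layout.
        for (Schema.SObjectField f : READ_FIELDS) {
            Schema.DescribeFieldResult d = f.getDescribe();
            if (!d.isAccessible()) {
                throw new AccessDeniedException('No read access to Contact.' + d.getName());
            }
        }
        // UNSAFE pattern that Checkmarx reports as SOQL injection:
        //   Database.query('SELECT Id FROM Contact WHERE LastName LIKE \'%' + term + '%\'')
        // A term containing a quote is parsed as part of the WHERE clause.
        // SAFE: a bind variable is passed as a value and is never parsed as SOQL.
        String pattern = '%' + term + '%';
        return [SELECT Id, LastName, Email, Phone
                FROM Contact WHERE LastName LIKE :pattern LIMIT 50];
    }

    public static void updatePhone(Id contactId, String phone) {
        // CRUD on the object and FLS on the single field being written.
        if (!Schema.sObjectType.Contact.isUpdateable()
                || !Schema.sObjectType.Contact.fields.Phone.isUpdateable()) {
            throw new AccessDeniedException('No update access to Contact.Phone');
        }
        update new Contact(Id = contactId, Phone = phone);
    }

    public static void deleteContact(Id contactId) {
        // Delete is object-level only; there is no per-field delete permission.
        if (!Schema.sObjectType.Contact.isDeletable()) {
            throw new AccessDeniedException('No delete access to Contact');
        }
        delete new Contact(Id = contactId);
    }
}
```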

Page 88: ISV App Lab

External Web Application

This is generally our largest risk factor for AppExchange products
• We test early and often
• It can take longer for the ISV to fix these issues due to existing development priorities

All web applications must be scanned using Burp or ZAP
• Includes website (authenticated and unauthenticated)
• APIs
• Webservices
• Any third party services as well
• All vulnerabilities marked as non-informational must be addressed

Page 89: ISV App Lab

What to Burp Scan
• API Endpoints
• Web Application (Authenticated/Unauthenticated)
• Website (if sharing same infrastructure)
• Canvas Apps
• OAuth / Auth process
• Web Service calls
• Client Side JS library (Google maps, etc)

DO NOT FORGET TO:
• Scan authentication/login pages
• Scan API endpoints after authenticating, otherwise their code is not exercised!

Page 90: ISV App Lab

Top Ten for Web Applications

1. Injection: SQL, OS, LDAP
2. Cross Site Scripting (XSS): improper validation and escaping allows an attacker to execute scripts in the browser to hijack user sessions or redirect to malicious sites
3. Broken Authentication/User Management: attackers can compromise passwords, keys, and session tokens to assume users’ identities
   • Username enumeration is included in this pattern
   • Password reset is always tested
   • DON’T STORE PASSWORDS IN PLAIN TEXT!
4. Insecure Direct Object Reference: exposing internal configuration and not securing it properly
5. Cross Site Request Forgery (XSRF): sites that rely upon identity can be spoofed

Page 91: ISV App Lab

Top Ten for Web Applications (continued)

6. Security Misconfiguration: default security settings for most web software are more open than secure. Modify defaults to lock down to only the essential functionality that is required
7. Insecure Cryptographic Storage: proper hashing/encryption for sensitive data (SSN, credit cards, OAuth tokens, passwords, etc)
8. Failure to Restrict URL Access: all pages behind authentication must enforce access control
9. Insufficient Transport Layer Protection: often due to expired/invalid certificates, improper configuration, or weak algorithms. See the Heartbleed bug!
10. Unvalidated Redirects and Forwards: attackers can redirect users to phishing and malware sites

Page 92: ISV App Lab

Mobile/Desktop Application Guidance

• Store OAuth tokens in the keychain
  • All OSes provide a keychain for storing tokens
  • Do not provide your own security model/storage
• Set your device to proxy its internet connection through Burp running on the desktop
• Capture API calls to external applications
• Spider/actively scan all endpoints via Burp

Page 93: ISV App Lab

Security Review Org, Part I

• A test org with your managed package installed and fully configured is required
  • Do not submit a PDE. This must be a test org for your target customer – generally an EE test org
  • Spin up new test orgs via your Environment Hub
• Create users for each of the profiles you are exposing
• Documentation on how the application works
  • Can be a Word/PDF document
  • Can also be a screencast
• Note that the SR team reviews hundreds of applications: make it as easy as possible for them to test your application! We are all on the same team

Page 94: ISV App Lab

Security Review Org, Part II

• If there are external integrations, users on the external system must be included
• If a desktop or mobile application, the application + users for the application must be included
• On-premise solutions (PBX, ACD, databases, etc) need to have a full, working environment for the Security Review team
  • They will not use a VM for the testing
  • Must configure yourself and make available via VPN connection
• If your web application shares infrastructure with your public website, that will be included in the test as well

Page 95: ISV App Lab

Submission Process

• Seven page wizard to submit your application
• Upload security certifications/policies that your organization may have
• You must include Checkmarx report
• If you have any callouts or integrations, you must submit Burp report (html output)
• If you have exceptions to the reports, you must submit via the wizard as well
  • In our experience, exceptions are fewer and farther between
• Credentials for your test org must be included
• For paid applications, credit card payment in last step
• Must complete ISV agreement prior to Security Review
• Prescreening takes place prior to entering Security Review queue

Page 96: ISV App Lab

Thank you