Salesforce talks security: From passwords to animatronic ponies

What do the internal security policies in use at Salesforce.com say about the state of desktop security?
Written by Mary Branscombe, Contributor

Salesforce.com is making some fairly bold claims about security at its Dreamforce conference this week. For example, it's saying it can go from finding a vulnerability to having a fix rolled out in 24 hours. We'd expect that to depend on the vulnerability but the company certainly takes security seriously internally.

It has a full-time internal red team of penetration testers trying to break in. It's proactively looking for insider threats, and fewer than 20 employees at the entire company have access to the database of customer passwords.

The security policies the company applies to its own employees at work are an interesting benchmark.

Some of the security evaluation is quite creative. When the iPad 3 launched, the security team ran an internal phishing attack by sending out a suspicious email offering a discount price. Any developer clicking the link, which they should have known better than to follow, found they'd signed themselves up for another security training session.

Perhaps the most creative approach involves an animatronic pony with a motion detector. Wander up behind the desk of Chief Trust Officer Patrick Heims and try to shoulder-surf while he is sunk in his work, and the pony will start neighing, whinnying and tossing its head and generally drawing attention to you.

Given the focus on security for developing and running the Salesforce.com platform, the security policies the company applies to its own employees at work are an interesting benchmark. The 'no software' company does use software itself, but it's a limited list.

Whitelisted apps

Employees use a mix of Windows, Macs and Linux systems. Only whitelisted apps are allowed to run, so any unknown, unapproved programs — no matter how useful a user thinks they might be — are blocked until they're officially signed off.

All notebooks and laptops have full drive encryption and no personal devices are allowed on the corporate network. There's a separate Wi-Fi network you can use your own tablet on, but any device you bring to work and manage yourself just can't connect to official network resources.

All passwords are 12 characters or longer and Salesforce enforces complex passwords. The combination of GPU acceleration and what hackers have learned about the type of passwords people use from the millions leaked from various attacks allow crackers to crunch through a few billion potential passwords in a second.

Eight characters aren't enough anymore. While a brute-force attack would still take 19 days, using what we know about password patterns means you can crack a password such as Mary1234 in about 90 seconds. In 24 hours, says Heims, you can get pretty much all eight-character passwords. So, while longer passwords may be annoying, if you're not enforcing them, you're vulnerable.

Maybe what we need is animatronic ponies looking over our shoulders and giving a quick neigh when we pick bad passwords?

Editorial standards