May 14, 2013 2 min read

Security: Philosophy of Trust

As we continue working hard to make Jasmine Practice Management a reality, we are now at a point where we are working on passing the Salesforce Security Review. I want to talk some about the security review and what it means to Jasmine Practice Management and you.

In the development of Jasmine Practice Management, we’ve made the architectural decision to build in the cloud and on a platform called Salesforce. While we believe that being cloud based offers many advantages and is the future of acupuncture practice management, we are also aware of the risks that come with an always on and always online environment. The main risk being security.

What is the Salesforce Security Review?

The Salesforce Security Review is a mandatory annual security review for applications built on the Salesforce Platform. The Salesforce Platform being the underlying technology we have chosen to build Jasmine Practice Management. The Salesforce Platform is a very powerful platform to build applications on top of and is a larger topic to be discussed in a later post.

Every year, Jasmine Practice Management will undergo this security review to ensure that new features and functionality we’ve developed adhere to Salesforce’s strict level of security.

The scope of the security review covers all aspects of the application, even parts of the application not built directly on top of the platform. The reason for this is that the security of a system must be treated as whole to ensure that no vulnerabilities exist.

The security review is heavily based on OWASP, the Open Web Application Security Project, which is an organization whose mission is on improving the security of software. What this means is that the security review has been developed to meet industry best practices for security and to ensure applications meet a high level of security.

The many levels of the security review

The first level of the security review involves a source code vulnerability scanner. Brakeman will analyze our code to find security issues as we are developing the application and we can quickly address the issues.

The next level is to use industry strength security scanning tools, Checkmarx and Burp Suite, which mimic what hackers would do and to uncover security risks and vulnerabilities. These tools are used while the application is running and on the network as they would be in production.

The final level of the security review is a manual and automated application and network security testing performed by an expert on the Salesforce Security team. The results of the review are then shared with us and any issues will need to be resolved before Salesforce will allow Jasmine Practice Management to be offered on the platform.

Philosophy of Trust

As a company, Jasmine Software, we want to earn your trust. And we understand that trust takes time and must be earned. We intend to take steps to be a transparent company and part of that is talking directly and openly about security and keeping your data safe.

The security review is just a small part of a much larger discussion on security which I will be addressing more about in upcoming posts. In the meantime, for more details about Salesforce security is here.

If you have comments or question, feel free to contact me any time at mintotsai@jasminepm.com.

Thank You,

Minto Tsai
Founder