Platform Security features Winter'16

We can use the new Health Check tool to identify and fix security risks in your password, session, and network access settings, all at a glance.

• View and Address Security Risks Using Health Checks
  At a glance, we can now see and fix security risks in your Session Settings, Password Policies, and Network Access settings. A new health check dashboard shows how well your org measures against the Salesforce-recommended baseline. Health Check lets you understand and proactively remediate your org’s security risks and vulnerabilities from a single page.This feature is available in both Lightning Experience and Salesforce Classic.
• Default Certificate is 2048 Bits
  If we use client certificates or custom web address https certificates, we can now create a 2048-bit certificate or a 4096-bit certificate. The option to create a 1024-bit certificate has been removed.
• Upgrade Your Transport Layer Security (TLS) Version for HTTPS Connections
  Starting in Spring ’16, Salesforce is disabling the TLS 1.0 encryption protocol using a phased approach. We can test and upgrade to TLS 1.1 or TLS 1.2 early to give our org more time to verify end-to-end compatibility. This feature is available in both Lightning Experience and Salesforce Classic.
• Use an API Client Certificate for Improved Scurity
  We can now choose an org-specific API client certificate for workflow outbound messages, the AJAX proxy, some ApexPageReference methods, and delegated authentication HTTPS callouts. This change improves security and maintains productivity after a planned Microsoft Windows update on April 19, 2016 that retires the root certificate of the older proxy.salesforce.com certificate

Authentication and Identity features in Spring'16

We can track identity verification activity, use new identity verification Apex methods in your custom apps, and apply two-factor authentication at a more granular level.

• New Special Character Assistance When Changing Passwords
  salesforce has made it easier for users to verify their identity in Salesforce. The redesigned Salesforce Authenticator mobile app alerts users of logins and other account activities that require identity verification. Users verify the activity by responding on their mobile device. Salesforce Authenticator works for both Lightning Experience and Salesforce Classic.
• Streamlined Setup of Two-Factor Authentication for Single Sign-On and Social Sign-On Users
  If Salesforce org has SAML single sign-on or social sign-on through an authentication provider enabled, Salesforce has simplified the process of requiring two-factor authentication at login. Salesforce admins can now use profile policies and session settings to require users in these orgs to complete two-factor authentication when they log in. Previously, we had to create a custom login flow. This feature is available in both Lightning Experience and Salesforce Classic.
• New Profile Policy for Session Security Level at Login
  Salesforce has added a Session security level required at login setting for profiles. By default, the setting has a value ofNone for all profiles. Salesforce asmins can change the setting to High Assurance to require that users assigned to the profile log in with two-factor authentication. This feature is available in both Lightning Experience and Salesforce Classic.
• Session Timeout Name Changed in Profile Settings
  Salesforce has changed the name of the Session Timeout setting that controls how many minutes or hours of inactivity elapse before a session expires for users of a profile. On the profile overview page, in the Session Settings area, the setting is now called Session times out after. This feature is available in both Lightning Experience and Salesforce Classic.
• Control Session Security Level for Device Activation
  A new value in Session Security Levels, Device Activation, gives you more control over how and when your users are prompted to verify their identity. This feature is available in both Lightning Experience and Salesforce Classic.
• Track User Identity Verifications
  As an administrator, we can now monitor and audit the past six months of your users’ identity verification activity. For example, suppose that two-factor authentication is enabled when a user logs in, and the user provides a valid time-based one-time password as proof of identity. That information is recorded in Identity Verification History. This feature is available in both Lightning Experience and Salesforce Classic.
• Implement Identity Verification in Your Custom Solution with Apex
  A new Apex method, Auth.SessionManagement.generateVerificationUrl, invokes an identity verification flow in our custom solution. For example, if we have a custom Visualforce page that displays sensitive account details, you can challenge the user to verify identity before viewing it. This feature is available in both Lightning Experience and Salesforce Classic.
• Improved Security for Identity Verification
  Since an IP address isn’t a reliable indicator of a user’s identity, Salesforce has changed risk-based authentication protocol. When users log in to Salesforce from a device or browser Salesforce don’t recognize, they are now prompted to verify identity, even if they log in from an IP address Salesforce has seen before.
• Improved Security for High-Assurance Resource Access Using APIs
  If org has a policy to require a high-assurance session to access connected apps, reports, or dashboards, they can’t access them in a standard-assurance session using the Analytics or SOAP APIs. When using the Analytics API, if user's try to access a resource that requires a high-assurance session, an error message will be received. This feature is available in bothLightning Experience and Salesforce Classic.
• New Special Character Assistance When Changing Passwords
• When your users change a password that requires a special character, they now see a tooltip. The tooltip lists the characters that are allowed (!#$%-_=+<>). Previously, special characters were described only in Salesforce Help. This feature is available in both Lightning Experience and Salesforce Classic.
• New Time Values for Connected App Mobile App Settings
  We can now allow a mobile-connected app that requires PIN protection to be idle longer before it locks and requires the PIN. Previously, the values for the Require PIN after setting were none (no locking), 1, 5, 10, and 30 minutes. We’ve added values of 60, 120, 180, and 240 minutes. This feature is available in both Lightning Experience and Salesforce Classic.
• External Identity Users Can Work with Accounts, Person Accounts, Assets, and Contacts
  Users with an External Identity license can now read and edit accounts. They can also read, create, and edit assets and contacts. Previously, they couldn’t access these objects. If person accounts are enabled in org, the expanded access lets your external identity users work with person accounts. This feature is available in Salesforce Classic only.
• Create a Custom Authentication Provider Plug-in with Apex
  We can create our own external auth provider if we don’t see your preferred provider on our list. The custom authentication provider plug-in allows us to create our own single sign-on (SSO) auth provider. Admins and users can continue using the SSO credentials they already use for non-Salesforce applications with their Salesforce orgs. This feature is available in both Lightning Experience and Salesforce Classic.
• Username Added to Identity Verification Email Message
  Salesforce have added the username to the email that users receive when they log in to Salesforce from a device we don’t recognize. The Subject of the email message is “Verify your identity in Salesforce.”

Salesforce Certified Platform Developer I - Spring '16 Release

1.             What are the supported content sources for custom buttons and links? Choose 2 answers

1.             Visualforce Page

2.             Static Resource

3.             URL

4.             Chatter File

5.             Lightning Page

2.             What actions types should be configured to display a custom success message?

1.             Update a record.

2.             Post a feed item.

3.             Delete a record.

4.             Close a case

3.             When creating a record with a Quick Action, what is the easiest way to post a feed item?

1.             By selecting create case feed on the quick action.

2.             By adding a trigger on the new record.

3.             By adding a workflow rule on the new record.

4.             By selecting create case feed on the new record.

4.             What is the easiest way to verify a user before showing them sensitive content?

1.             Sending the user a SMS message with a passcode

2.             Calling the generateVerificationUrl method in apex

3.             Sending the user a Email message with a passcode

4.             Calling the Session.forcedLoginUrl method in apex

5.             What features are available when writing apex test classes? Choose 2 answers

1.             The ability to select error types to ignore in the developer console

2.             The ability to write assertions to test after an @future method

3.             The ability to set and modify the CreatedDate field in apex tests

4.             The ability to set breakpoints to freeze the execution at a given point

5.             The ability to select testing data using csv files stored in the system