They say a poor craftsman blames their tools, but having good tools helps. Sometimes, it’s the only way to get the job done effectively. At Salesforce Trust, we often build tools to help us more effectively perform our work. A subset of these tools are released publicly, and referenced below.


Ponce is an IDA Pro plugin that provides users the ability to perform taint analysis and symbolic execution over binaries in an easy and intuitive fashion. With Ponce you are two clicks away from getting all the power from cutting edge symbolic execution. Entirely written in C/C++.

Secure Filters

secure-filters is a collection of Output Sanitization functions (“filters”) to provide protection against Cross-Site Scripting (XSS) and other injection attacks.


Vulnreport is a platform for managing penetration tests and generating well-formatted, actionable findings reports without the normal overhead that takes up security engineer’s time. The platform is built to support automation at every stage of the process and allow customization for whatever other systems you use as part of your pentesting process.


Threatshell is a python-based command line shell aimed at providing security researchers with a single, integrated environment for gathering information from various intelligence APIs and analysis scripts, and storing all of the obtained information into one or more elasticsearch instances. The goal of keeping the results in elasticsearch being to provide a historical search mechanism for all of the gathered information, and to start building a clever event analyzer to assist in hunting and analysis activities.

CSI (Continuous Security Integration) Framework

CSI (Continuous Security Integration) is an open security automation framework that aims to stand on the shoulders of security giants, promoting trust and innovation. Build your own custom automation freely and easily using pre-built modules.


Using Chimera during or after development of an external service to connect with a Salesforce app couldn’t be simpler. Once your web-based application is ready to be scanned, simply create a test account on the application and provide Chimera with a URL and those test credentials. Chimera will take care of figuring out how to log in to your application and run a battery of different tests and scans. A consolidated report with all issues, warnings, and informational notes will be generated and emailed to you when the scan is complete.


Providence is a system for code commit & bug system monitoring. It is deployed within an organization to monitor code commits for security (or other) concerns, via customizable plugins. A plugin performs logic whenever a commit occurs.


The ESAPI (The OWASP Enterprise Security API) library is designed to make it easier for programmers to retrofit security into existing applications or build a solid foundation for new development.


A Unicode based visual CAPTCHA scheme that leverages the 64K Unicode code points from the Basic Multilingual Plane (plane 0) to construct the CAPTCHAs that can be solved with 2 to 4 mouse clicks. It is written in Java and tested to work on JDK 8.0. You will also need Maven build system. This project has two demo applications; a sample web application the the second is a Swing based UI. You can play with either and provide your feedback.