Explore the Latest Business Insights

Uncover the Keys to Success with Popular CRM Trends, New Releases and AI Launches and More!

Download E-Guide

Register to read the complete guide as PDF on your email.

Download Customer Success Story

Register to read the complete solution and benefits of this Case Study as a PDF on your email.

Tips To Pass Salesforce AppExchange Security Review

June 26, 2023

Table of Contents

    Salesforce AppExchange is the world’s leading marketplace for business applications, solutions, and consultants that cater to various business needs and challenges. It is powered by Salesforce, the world’s No. 1 Customer Relationship Management software that values and prioritizes security.

    Salesforce places utmost importance on security and does not make any compromises in this case. Specifically, regarding safeguarding customer information, it’s necessary for every application to undergo the rigorous Salesforce AppExchange Security Review before becoming accessible to the general public on the AppExchange platform.

    This is why Salesforce AppExchange boasts over 10 million installs, 5000+ ready-to-install solutions, and over 100,000 reviews. All these applications and solutions have met the predefined security standards and passed the security review process of Salesforce.

    If you have also developed an app or have a service to list on Salesforce AppExchange, we have some bonus tips for you to ace the Salesforce AppExchange security review.

    And even if you fail the AppExchange security review, don’t worry. We have some alternatives for that as well.

    Read on to discover how to succeed in the Salesforce AppExchange security review.

    What Is Salesforce AppExchange Security Review?

    The Salesforce AppExchange Security Review entails a comprehensive evaluation conducted by the esteemed Salesforce Security team. This meticulous examination guarantees the utmost security and protection for all applications submitted to the Salesforce AppExchange platform.

    What is Salesforce AppExchange Security Review?

    It shields the applications from potential data breaches, malicious cyber attacks, and any vulnerabilities that could compromise Salesforce’s security.

    However, this assessment is far more than a mere test.

    It embodies the rigorous standards established by Salesforce’s Product Security team, which is the benchmark every application must meet. Failure to meet these standards will result in rejection.

    Salesforce always ensures that only the most secure and reliable applications are available to users on the Salesforce AppExchange platform.

    salesforce Appexchange development services CTA

    Tips to Pass Salesforce AppExchange Security Review

    Here are some tried and tested tips to help you pass the Salesforce AppExchange Security Review and make your application feature on top:

    How to Pass AppExchange Security Review?

    1. Fabricate a security strategy

    Ensuring robust security measures throughout the Salesforce AppExchange app development cycle should be prioritized. To lay a solid foundation, designing a comprehensive security strategy for your application is important.

    By aligning your entire team with this strategy, you can effectively address any possible attacks that target the vulnerabilities of your app. It also helps fulfill compliance requirements necessary for a successful review process.

    Despite strict precautions, sometimes some unforeseen flaws might emerge. Consider these points while you go through the development process to avoid such setbacks:

    • Try to think like a user and put your designed application to the test. This approach might bring forward some security issues you might miss while getting it evaluated through your Quality Assurance team. Keep refining the quality with several targeted use cases.
    • Devise strategies for building compact security codes and solutions. This lets your development team and security manager deal with unexpected discrepancies. Incubate all the essential security guidelines in your code.
    • You can use the Force.com Code Scanner Portal(Checkmarx) for regular security and code standard checks of the application. This will provide complete information about the application’s coding issues, if any.
    • You can also run a final phase of evaluating your application through User Acceptance Testing. In this method, you can employ intended users to test your software. You will discover the actual performance of your software when the end-user assesses it through different real-time test cases once users confirm that the application is ready-to-go for the next step.

    2. Walk thoroughly through Salesforce and related Security guidelines

    Before you send your application to the Salesforce AppExchange security review team, carefully read the terms, conditions, and instructions of the relevant documents.

    You can use these Security Review Resources as a guide to check for security issues thoroughly:

    • Salesforce AppExchange Security Review
    • Salesforce Security Guide
    • Security Cloud Development Resources
    • Security Coding Guide
    • Open Web Application Security Project (OWASP)
    • OWASP Top 10 Web Application Security Risks
    • OWASP Testing Guide
    • OWASP Secure Coding Practices-Quick Reference Guide.

    Adhering to such guidelines of each of them is a tad difficult. But you can always get help from the expert to make your Salesforce AppExchange solution error-free, secured, and ready to go under the strictest security review.

    3. Perform your own Security Review with Security Scanners

    Salesforce-endorsed Security Scanners can provide valuable assistance in conducting security assessments on your application. These scanners detect concealed security vulnerabilities and are readily available to all of Salesforce’s ISV Partners. The scanners that enjoy the highest level of popularity include:

    • Checkmarx – Being a Security partner of Salesforce, it renders detailed testing of applications comprising managed packages, Apex Code, and Visualforce components. It has a free version with a limited scanner and a paid version with all the features. Checkmarx runs scans on Salesforce AppCloud-hosted apps and inspects unmanaged code required to correspond to the AuthorApex username in an organization.
    • Chimera – It is a cloud-based app scanner that works on Heroku. Located on third-party platforms, Registered ISV Partners can put Chimera for running security checks.
    • OWASP Zed Attack Proxy (ZAP) – This free web scanning app performs security testing on app components that run on a variety of third-party platforms.

    To be sure, you must conduct manual tests on the applications, as these scanners might not always unmask all the issues. The application and its code undergo two types of testing: first, the Force.com Code Scanner Portal(checkmark) performs automated tests, and then, manual tests are conducted for end-to-end verification.

    These scanners can help you find the source of the security issues but may not tell you what preventive measures to take when facing a false positive error. To prevent such situations, record this encounter in detail and attach it to your review submission.

    • Configure Security Testing External Environments
    • Conduct testing by putting yourself in place of the end-users, and keep following these steps.
    • You can use Environmental Hub to set up a Partner Developer Edition org.
    • Install the managed package in the org and create multiple user profiles.
    • Turn on My Domain for packages having lightning.

    Voila!. You are ready to set go for Security Testing.

    4. Schedule a discussion with the Salesforce team

    If you have a doubt, it is advisable to schedule a discussion with the Salesforce Security team before it becomes unmanageable.

    You can initiate this conversation by accessing the Salesforce Partner Security portal, where you can get your concerns addressed, including the setup of customer components. By clarifying your doubts and resolving unexpected issues, you can ensure a smoother AppExchange app submission process.

    5. Arrange all the required Documentation and Credentials

    Grant the Salesforce Security Review team permission to access your application’s elements, environments, and packages, facilitating a smooth and hassle-free review process.

    You can also arrange concise and comprehensive documentation and the required credentials to aid in the assessment. Additionally, you can include scanned security reports, documentation addressing false positive errors, and any relevant usage guides, if applicable.

    6. Submit your application for the Salesforce AppExchange security review

    Once all the contingencies are met, submit your application for review. You can do so from the Partner Community Publishing Console. Go to Submission Wizard and upload all the essential credentials and documentation. You can take reference to these tips to make your Salesforce AppExchange listing stand out.

    How Does The Salesforce AppExchange Security Review Work?

    Once your application is submitted, the Security Review team will initiate the verification process within 1-2 days. Upon verification completion, your application will be placed in the submission queue.

    AppExchange Security Review Process

    The duration for the completion of the Salesforce AppExchange security review process is not fixed and varies based on multiple factors. These factors include solution architecture, customization, etc.

    The Salesforce Security Review teams employ threat-modeling profiles based on standard web vulnerabilities to assess your application across various parameters. They will attempt to breach the security measures programmed into your solution using different test cases to access or modify unauthorized data, similar to how a real security threat would operate.

    The Salesforce Security team tests for several security threats, including:

    • SOQL and SQL injection
    • Cross-site scripting
    • Non-secure authentication and access control protocols
    • Vulnerabilities specific to the Salesforce platform, such as record-sharing violations

    Obtaining the seal of approval to publish your application on Salesforce AppExchange is a significant achievement. You will receive an Approval email containing detailed instructions for publishing your approved application.

    If the Security team identifies any vulnerabilities, they will compile a report and send it to you for rectification.

    What if you fail the Security Review?

    Successfully clearing the Salesforce AppExchange Security Review in one attempt is challenging. Rather than viewing it as a failure, consider it an opportunity to enhance the quality of your application and ensure that no bugs are overlooked during the subsequent testing.

    Failed security-review

    Here’s a suggested next-best-action step:

    • Begin by thoroughly studying the review report provided by the Salesforce Security team. It will provide detailed information about all known vulnerabilities. Use the table of contents to explore different security issues categorized within the report. Additionally, you will find a comprehensive description at the bottom of each section.
    • Gather your team and devise new security strategies and practices. You can also incorporate new test cases alongside the existing ones. Allow your team to thoroughly analyze the report, identify methods to address the listed vulnerabilities, and implement necessary security measures for your application.
    • Remember that the Security team has limited time for testing, and some vulnerabilities may have been missed. Consider conducting additional testing for the listed and unlisted issues by involving the Salesforce Security team. This will provide an extra layer of assurance in identifying and resolving any new vulnerabilities that may have arisen during the follow-up review.
    • Once confident that all security threats have been addressed, resubmit your application for the AppExchange Security Review process. If there have been any changes to the application or managed package, ensure that you rebuild the package and submit the latest released version of your application for security review.

    According to the revised AppExchange security review fee structure, each attempt requires a fee of $999 to review your solution.

    If your application is free of threats this time, you will receive clearance in the Security Review Process, followed by an approval email from the Salesforce Security team. This email will guide listing your application on the Salesforce AppExchange platform.

    Hire dedicated Appexchange developers


    The Salesforce AppExchange Security Review is a crucial step in upholding Salesforce’s rigorous security standards and ensuring that your application provides a safe, secure, reliable, and resilient platform.

    To increase the chances of successfully passing the review, conducting thorough internal testing of your Salesforce-based application is highly advised before submitting it to the Salesforce Security team.

    However, seeking assistance from industry experts can be beneficial if you desire to navigate the AppExchange Security Review with confidence and aim to clear it on the first attempt. At Cyntexa, we offer the expertise of seasoned professionals who excel in navigating and succeeding in Security review tests.

    Contact our experts and let your application score in the review test! 

    Fill the form to access our exclusive webinar presentation!

    Frequently Asked Questions

    Salesforce conducts a set of security tests of the application built on the Salesforce.com user interface. They evaluate the functionality and design by making the app go through numerous test cases before making it available for the end-users on Salesforce AppExchange. All businesses and developers must get their applications reviewed by the Salesforce Security team. Once approved by them, you get permission to publish it on the AppExchange platform and get a review from Salesforce declaring your application meets all the standards that apply to the systems on which it is used. In addition, security review ensures that the app addresses all the applicable regulatory requirements like GLBA, HIPAA, and PCI- DSS.

    Testing and verifying a solution takes 3-4 weeks to complete the entire review process. Once they finish the scrutiny, they will either approve your application or share a review report containing all the issues they encountered while performing testing.

    Protecting the customer's data and maintaining fidelity should be your top concerns while creating an application. As part of a security evaluation, assess your product's defenses against the threats listed on the OWASP list before submitting it for final review.

    Absolutely Yes. All the applications and solutions listed on Salesforce AppExchange are highly secure. Salesforce makes each application undergo a strict security scan and get its code validated by Salesforce.com security experts. Even if one bug is detected, the Security team will not permit the app to get published on Salesforce AppExchange. Users can rely on the rigid security standards formulated by Salesforce to keep customer and business data safe.

    digital experiences