Tips To Pass Salesforce AppExchange Security Review

January 24, 2023 | 270 views

Salesforce, the world’s No. 1 Customer Relationship Management software, has its own marketplace, Salesforce AppExchange. This marketplace is the hub for business applications, solutions, and consultants that address a wide range of business needs.

Security is a value Salesforce never compromises on. To protect customer information and data, the Salesforce Product Security team puts every application through a strict security review before it becomes publicly available to end users on Salesforce AppExchange.

There is a reason why Salesforce AppExchange has more than 10 million installs, 5000+ ready-to-install solutions, and over 100,000 reviews: all of these applications and solutions met the predefined security standards and passed the Salesforce Security Review.

If you have built something that you would like to list on Salesforce AppExchange, we have nine bonus tips for you to pass the Salesforce AppExchange Security Review.

And if you do fail the security review, there is no need to worry. We have your back and cover what to do in that case as well.

Stay with this blog to score full marks in the Salesforce AppExchange Security Review.

What is Salesforce AppExchange Security Review? 

The Salesforce AppExchange Security Review is a rigorous series of security tests that the Salesforce Security team runs on every submitted application. The purpose of these stringent tests is to ensure that every app that goes live on Salesforce AppExchange is secure and not vulnerable to malicious cyber attacks.

This is not just a test, however. The Salesforce Product Security team has set ground standards that every application must meet; if an application does not meet them, it is rejected.

Salesforce AppExchange Security Review has four steps: 

  1. Prepare 
  2. Test 
  3. Free Trial 
  4. Launch

  • Start by confirming that all prerequisites of the AppExchange Security Review are in place. 
  • Make sure that your submitted application meets all security standards.
  • Next comes the testing of your application, where the app’s security is assessed against different criteria. 
  • Once you pass the Security Review, you can offer your app on a free trial before the launch. 
  • The last step is to launch your approved application on the App Store once all the guidelines are fulfilled. 

Check out how you can start: 

First, businesses are required to sign a partnership agreement with Salesforce. They can then either build an application in-house by hiring a Salesforce AppExchange development team, or engage the services of a PDO Partner.

  • Join the Salesforce Partner Program and log in to Partner Community. 
  • Agree to the terms and conditions of the Salesforce Partner Program Agreement. 
  • Work on building a Lightning Ready solution. 
  • Perform diligent internal testing during the development phase, using the Checkmarx scan to identify security threats, and fix them. 

If you are working with a development partner, it is important to be aware of the cost to develop and list an AppExchange application.

Assemble all the crucial documents: 

Develop, test, and fix your application and prepare it for Security Review. There are several documents that you need to assemble: 

  • Solution architecture documents with details of the platform features used, product information, a package overview, and a full synopsis of the integration and object model. 
  • Product documents, such as the user personas of the application. 
  • Data-flow documents covering the mobile app, composite site, and Chrome extension, along with the Salesforce org. 
  • A demo org containing seed data plus the managed package. 
  • Burp/Chimera/ZAP scan reports. 
  • Checkmarx scan reports. 
  • A step-by-step guide to user navigation in the Salesforce org where the managed package is installed.

How to finally submit your listing for Security Review approval:

Perform all of these steps on the Salesforce Partner Community: 

  • Prepare a solution listing. 
  • Provide business as well as product information.
  • Upload all compliance certifications. 
  • Submit your application. 

Security Review and AppExchange Listing Fees


Tips to pass Salesforce AppExchange Security Review 

Here are some workable tips to pass the Salesforce AppExchange Security Review and make your submitted application shine in the test: 

1. Formulate a Security Strategy

Security should be prioritized throughout the Salesforce AppExchange development cycle. It’s good to begin by drafting a security strategy for your application. When your whole team is aligned with the strategy, it becomes easier to deal with the attacks that vulnerabilities in the app could invite, and with the compliance required for a successful review. 

Even after taking all precautions, some flaws will slip through. To cope with such situations, you can bring a security manager on board, so that your team is equipped to identify and remove security threats effectively. The security manager should then circulate the details of the fixes made by the development team before the review.

Consider these points while you go through the development process: 

  • Try to think like a user and put your application to the test. This approach may surface security issues you would miss when the app is evaluated only by your Quality Assurance team. Keep refining the quality with several targeted use cases. 
  • Devise strategies for writing compact, secure code and solutions. This lets your development team and security manager deal with unexpected discrepancies. Build all the essential security guidelines into your code. 
  • You can also consider a final evaluation phase through User Acceptance Testing, in which intended users test your software. You will discover the actual performance of your software when end users assess it with different real-world test cases. Once the users confirm it, the application is ready for the next step. 

2. Walk thoroughly through Salesforce and related Security guidelines 

Carefully read the relevant documents’ terms, conditions, and instructions before submitting your application to the Salesforce Security Review team. You can take these Security Review Resources as a reference for meticulously reviewing security issues:

  • Salesforce AppExchange Security Review 
  • Salesforce Security Guide
  • Security Cloud Development Resources
  • Security Coding Guide
  • Open Web Application Security Project (OWASP)
  • OWASP Top 10 Web Application Security Risks
  • OWASP Testing Guide
  • OWASP Secure Coding Practices-Quick Reference Guide.

3. Perform your own Security Review with Security Scanners 

Salesforce-supported security scanners are a great help in performing security checks on your application. These scanners are effective at uncovering hidden security issues and are accessible to all Salesforce ISV Partners. The most used scanners are:

  • Checkmarx – As a security partner of Salesforce, it provides detailed testing of applications comprising managed packages, Apex code, and Visualforce components. It has a free version with a limited scanner and a paid version with all the features. Checkmarx scans Salesforce AppCloud-hosted apps and inspects the unmanaged code in an organization, which must correspond to the AuthorApex username. 
  • Chimera – A cloud-based app scanner that runs on Heroku. Registered ISV Partners can use Chimera to run security checks on components hosted on third-party platforms.  
  • OWASP Zed Attack Proxy (ZAP) – This free web scanning tool performs security testing on app components that run on a variety of third-party platforms. 

To be safe, you must also test the application manually, as these scanners will not always uncover every issue. 

These scanners can point you to the root cause of a security issue, but they cannot tell you which findings are false positives or what protective measures apply in that case. To avoid confusion during the review, document each false positive in detail and attach that documentation to your review submission. 

Configure external environments for security testing:

  • Conduct testing by putting yourself in the place of the end users, following these steps. 
  • Use Environment Hub to set up a Partner Developer Edition org. 
  • Install the managed package in the org and create multiple user profiles. 
  • Turn on My Domain for packages that contain Lightning components. 

Voila! You are ready to go for security testing. 

4. Schedule a discussion with Salesforce Team 

If you encounter any uncertainty or potential issues, you can proactively address them by scheduling a meeting with the Salesforce Security team through the Salesforce Partner Security Portal. During this meeting, you can discuss any concerns and address any bugs or glitches before they become bigger problems. This will help you clear any doubts and ensure a smooth submission process.

5. Arrange all the required Documentation and Credentials 

Give the Salesforce Security Review team access to the components, environments, and packages used in the application so that the review can proceed smoothly. Prepare concise, complete documentation together with the necessary credentials. In addition, attach the security scan reports, the false-positive documentation, and any usage guides.

6. Submit your application for Salesforce AppExchange Security Review 

Once all the prerequisites are met, submit your application for review. You can do so from the Partner Community Publishing Console: go to the Submission Wizard and upload all the essential credentials and documentation. You can also refer to these tips to make your Salesforce AppExchange listing stand out. 

How Does The Salesforce AppExchange Security Review Work

Security Review Ops will begin verifying your application within 1-2 days of submission. After verifying it, they will place your application in the submission queue. 

It takes approx 4-6 weeks to conclude the AppExchange Security Review process. 

The Salesforce Security Review team builds threat-modeling profiles based on common web vulnerabilities and tests your application against each one. The team then attempts to breach the security built into your solution through different test cases. The goal is to extract or modify data that the tester is not permitted to access, just as a real attacker would. 

The following are some of the security threats that the Salesforce Security team tests for:

  • SOQL and SQL injection
  • Cross-site scripting
  • Insecure authentication and access-control mechanisms
  • Vulnerabilities specific to the Salesforce platform, such as record-sharing violations
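As an added example (not code from the original post), here is the kind of Apex a reviewer examines for two of the items above, SOQL injection and record-sharing violations: a Contact lookup written unsafely beside its hardened form. The class name `ContactSearch`, the method names, the Contact fields used and the `@AuraEnabled` exposure to a Lightning component are assumptions for illustration.

```apex
// Added example, not from the original post: a Contact lookup exposed to a
// Lightning component. Class and method names are illustrative.
//
// "with sharing" makes the class honour the running user's record-sharing
// rules, which addresses the record-sharing violations the review checks for.
public with sharing class ContactSearch {

    // VULNERABLE: the user-supplied value is concatenated into the query text,
    // so a value containing a single quote changes the structure of the WHERE
    // clause. Kept only to show what the review rejects.
    @AuraEnabled(cacheable=true)
    public static List<Contact> findByLastNameUnsafe(String lastName) {
        String soql = 'SELECT Id, Name FROM Contact WHERE LastName = \''
                    + lastName + '\'';
        return Database.query(soql);
    }

    // HARDENED: a static query with a bind variable. The value is handed to the
    // database separately from the query text and can never alter its structure.
    // WITH SECURITY_ENFORCED makes the query fail (System.QueryException) instead
    // of returning objects or fields the running user is not allowed to read.
    @AuraEnabled(cacheable=true)
    public static List<Contact> findByLastName(String lastName) {
        return [SELECT Id, Name FROM Contact
                WHERE LastName = :lastName
                WITH SECURITY_ENFORCED];
    }

    // Dynamic SOQL is sometimes unavoidable (here the field list varies).
    // Field names cannot be bound, so they are validated against an allow-list;
    // the user value is still supplied through a bind variable, which
    // Database.query resolves from the in-scope Apex variable.
    private static final Set<String> ALLOWED_FIELDS =
        new Set<String>{ 'Id', 'Name', 'Email', 'Phone' };

    @AuraEnabled(cacheable=true)
    public static List<Contact> searchDynamic(List<String> requestedFields,
                                              String lastNamePrefix) {
        List<String> fields = new List<String>();
        for (String f : requestedFields) {
            if (!ALLOWED_FIELDS.contains(f)) {
                throw new AuraHandledException('Field not permitted: ' + f);
            }
            fields.add(f);
        }
        // Wildcards (% and _) inside lastNamePrefix still act as wildcards in
        // LIKE; that is a behavioural concern, not an injection one.
        String pattern = lastNamePrefix + '%';
        String soql = 'SELECT ' + String.join(fields, ', ')
                    + ' FROM Contact WHERE LastName LIKE :pattern'
                    + ' WITH SECURITY_ENFORCED';
        return Database.query(soql);
    }
}
```

`String.escapeSingleQuotes` is the fallback only when a value genuinely has to be embedded in the query text as a literal; it does not validate field names or neutralise LIKE wildcards, and it must not be applied to a value that is passed through a bind variable, because the escaped backslash would then be searched for literally.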

What’s better than getting the seal of approval for publishing your application? You will receive an approval email containing specific instructions for publishing your approved application on Salesforce AppExchange. 

If the Security team finds any vulnerabilities, they will document them in a report and send it to you for remediation.

What to do if you fail the Security Review?

It’s no secret that clearing the Salesforce AppExchange Security Review in one attempt is no piece of cake. More than 50 percent of applications fail on the first submission. So rather than treating it as a failure, see it as an opportunity to raise the quality of your application and ensure no bugs are left behind for the second attempt.

Start by studying the review report from the Salesforce Security team closely. All the identified vulnerabilities are described there in detail. Refer to the table of contents to see the types of security issues cataloged, and find the accompanying detailed description at the bottom of the tab. 

Gather your team and formulate new security strategies and practices. You can also add new test cases to the existing ones. Let your team read the report, work out how to fix the listed vulnerabilities, and implement corrective measures for the app’s security. 

The Security team works to a time limit when testing the app, so there is a fair chance that they miss some vulnerabilities. Therefore, test your application repeatedly for issues both listed and not listed by the Salesforce Security team. This way, you can be sure that no new vulnerabilities surface in the follow-up review. 

Resubmit your application for the AppExchange Security Review once you believe all security threats have been eliminated. For example, resubmit all the updated information through the wizard if you have changed your managed package on the Salesforce platform or revised components on the external platform. 

Fortunately, there are no resubmission fees as you will use the same name and package ID. 

If your application is threat-free this time, you will clear the Security Review and receive an approval email from the Salesforce Security team. This email will guide you through listing your application on Salesforce AppExchange. 

The Salesforce AppExchange Security Review is essential for maintaining the security standards established by Salesforce and for making your application a safe, secure, reliable, threat-free, and resilient platform. 

It is recommended to run strong internal testing of your Salesforce-based application before handing it to the Salesforce Security team. However, if you expect your application to clear the Salesforce AppExchange Security Review in one go, then you might need the help of experts. Here at Cyntexa, we have the best industry experts, well versed in passing security review tests. 

Get in touch with our experts and let your application score in the review test! 

Frequently Asked Questions

Salesforce conducts a set of security tests on the application’s user interface. They evaluate the functionality and design by running the app through numerous test cases before making it available to end users on Salesforce AppExchange. All businesses and developers must have their applications reviewed by the Salesforce Security team. Once approved, you get permission to publish on the AppExchange platform and receive a review straight from Salesforce declaring that your application meets all the standards that apply to the systems on which it is used. In addition, the security review ensures that the app addresses all the applicable regulatory requirements, such as GLBA, HIPAA, and PCI DSS.

Testing and verifying a solution takes 3-4 weeks to complete the entire review process. Once they finish the scrutiny, they will either approve your application or share a review report containing all the issues they encountered while performing testing.

Protecting the customer's data and maintaining fidelity should be your top concerns while creating an application. As part of a security evaluation, assess your product's defenses against the threats listed on the OWASP list before submitting it for final review.

The most common reason apps fail the security review is a failure to correctly enforce CRUD/FLS (object-level and field-level) security. These security measures directly relate to how different objects communicate in your app.
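An added example, not from the original post, of the CRUD/FLS enforcement the answer above refers to: object-level (CRUD) checks through `Schema.sObjectType` and field-level (FLS) checks through `Security.stripInaccessible` before any DML. The class `ContactWriter`, its method names and the Contact fields are assumed for illustration.

```apex
// Added example, not from the original post: CRUD/FLS enforcement before DML.
// Class and method names are illustrative.
public with sharing class ContactWriter {

    public class AccessDeniedException extends Exception {}

    // CREATE: object-level check first, then strip any field the running user
    // cannot create. Without this, a caller could populate fields hidden from
    // them by field-level security, which is exactly what the review flags.
    public static List<Contact> createContacts(List<Contact> incoming) {
        if (!Schema.sObjectType.Contact.isCreateable()) {
            throw new AccessDeniedException('No create access on Contact');
        }
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, incoming);
        logStripped(decision);
        List<Contact> toInsert = (List<Contact>) decision.getRecords();
        insert toInsert;
        return toInsert;
    }

    // UPDATE: same pattern with the UPDATABLE access type. Record Ids survive
    // stripping, so the sanitised copies can be written back directly.
    public static List<Contact> updateContacts(List<Contact> incoming) {
        if (!Schema.sObjectType.Contact.isUpdateable()) {
            throw new AccessDeniedException('No update access on Contact');
        }
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, incoming);
        logStripped(decision);
        List<Contact> toUpdate = (List<Contact>) decision.getRecords();
        update toUpdate;
        return toUpdate;
    }

    // DELETE has no field-level component; an object-level check is enough.
    public static void deleteContacts(List<Contact> targets) {
        if (!Schema.sObjectType.Contact.isDeletable()) {
            throw new AccessDeniedException('No delete access on Contact');
        }
        delete targets;
    }

    // Explicit per-field read check, useful when a single field (here Email)
    // is displayed outside a SOQL query that could use WITH SECURITY_ENFORCED.
    public static Boolean canReadEmail() {
        return Schema.sObjectType.Contact.fields.Email.isAccessible();
    }

    // Make stripped fields visible in the debug log rather than silently
    // dropped: the review asks how the app behaves when a user lacks access.
    private static void logStripped(SObjectAccessDecision decision) {
        Map<String, Set<String>> removed = decision.getRemovedFields();
        if (!removed.isEmpty()) {
            System.debug(LoggingLevel.WARN, 'Fields removed by FLS: ' + removed);
        }
    }
}
```

The object-level check and the field-level strip are deliberately separate: `stripInaccessible` only removes fields, so a user with no Create permission on the object at all would otherwise still reach the `insert`. Logging what was stripped gives you the evidence to cite in the false-positive documentation if a scanner flags the DML.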

Absolutely Yes. All the applications and solutions listed on Salesforce AppExchange are highly secure. Salesforce makes each application undergo a strict security scan and get its code validated by security experts. Even if one bug is detected, the Security team will not permit the app to get published on Salesforce AppExchange. Users can rely on the rigid security standards formulated by Salesforce to keep customer and business data safe.
