Salesforce AppExchange is the world’s leading marketplace for business applications, solutions, and consultants that cater to various business needs and challenges. It is powered by Salesforce, the world’s No. 1 Customer Relationship Management software that values and prioritizes security.

Salesforce places utmost importance on security and does not make any compromises in this case. Specifically, regarding safeguarding customer information, every application must undergo the rigorous Salesforce AppExchange Security Review before becoming accessible to the general public on the AppExchange platform.

This is why Salesforce AppExchange boasts over 10 million installs, 9000+ ready-to-install solutions, and over 100,000 reviews. All these applications and solutions have met the predefined security standards and passed the security review process of Salesforce.

If you have also developed an app or have a service to list on Salesforce AppExchange, we have some bonus tips for you to ace the Salesforce AppExchange security review.

And even if you fail the review process, don’t worry. We have some alternatives for that as well.

What Is Salesforce AppExchange Security Review?

The Salesforce AppExchange Security Review entails a comprehensive evaluation conducted by the esteemed Salesforce Security team. This meticulous examination guarantees the utmost security and protection for all applications submitted to the Salesforce AppExchange platform.

It shields the applications from potential data breaches, malicious cyber attacks, and any vulnerabilities that could compromise Salesforce’s security.

However, this assessment is far more than a mere test.

It embodies the rigorous standards established by Salesforce’s Product Security team, which is the benchmark every application must meet. Failure to meet these standards will result in rejection.

Salesforce always ensures that only the most secure and reliable applications are available to users on the Salesforce AppExchange platform.

Tips to Pass Salesforce AppExchange Security Review

Here are some tried and tested tips to help you pass the Security Review for AppExchange and make your application feature on top:

1. Fabricate a Security Strategy

Ensuring robust security measures throughout the Salesforce AppExchange app development cycle should be prioritized. To lay a solid foundation, designing a comprehensive security strategy for your application is important.

By aligning your entire team with this strategy, you can effectively address any possible attacks that target the vulnerabilities of your app. It also helps fulfil compliance requirements necessary for a successful review process.

Despite strict precautions, sometimes some unforeseen flaws might emerge. Consider these points while you go through the development process to avoid such setbacks:

• Try to think like a user and put your designed application to the test. This approach might bring forward some security issues you might miss while getting it evaluated through your Quality Assurance team. Keep refining the quality with several targeted use cases.
• Devise strategies for building compact security codes and solutions. This lets your development team and security manager deal with unexpected discrepancies. Incubate all the essential security guidelines in your code.
• You can use the Force.com Code Scanner Portal(Checkmarx) for regular security and code standard checks of the application. This will provide complete information about the application’s coding issues, if any.
• You can also run a final phase of evaluating your application through User Acceptance Testing. In this method, you can employ intended users to test your software. You will discover the actual performance of your software when the end-user assesses it through different real-time test cases once users confirm that the application is ready to go for the next step.

2. Walk Thoroughly Through Salesforce and Related Security Guidelines

Before you send your application to the Salesforce AppExchange security review team, carefully read the terms, conditions, and instructions of the relevant documents.

You can use these Security Review Resources as a guide to check for security issues thoroughly:

• Salesforce AppExchange Security Review
• Salesforce Security Guide
• Security Cloud Development Resources
• Security Coding Guide
• Open Web Application Security Project (OWASP)
• OWASP Top 10 Web Application Security Risks
• OWASP Testing Guide
• OWASP Secure Coding Practices-Quick Reference Guide.

Adhering to such guidelines of each of them is a tad difficult. But you can always get help from the expert to make your Salesforce AppExchange solution error-free, secured, and ready to go under the strictest security review.

3. Perform Your Own Security Review with Security Scanners

Salesforce-endorsed Security Scanners can provide valuable assistance in conducting security assessments on your application. These scanners detect concealed security vulnerabilities and are readily available to all of Salesforce’s ISV Partners. The scanners that enjoy the highest level of popularity include:

• Checkmarx – Being a Security partner of Salesforce, it renders detailed testing of applications comprising managed packages, Apex Code, and Visualforce components. It has a free version with a limited scanner and a paid version with all the features. Checkmarx runs scans on Salesforce AppCloud-hosted apps and inspects unmanaged code required to correspond to the AuthorApex username in an organization.
• Chimera – It is a cloud-based app scanner that works on Heroku. Located on third-party platforms, Registered ISV Partners can put Chimera for running security checks.
• OWASP Zed Attack Proxy (ZAP) – This free web scanning app performs security testing on app components that run on a variety of third-party platforms.

To be sure, you must conduct manual tests on the applications, as these scanners might not always unmask all the issues. The application and its code undergo two types of testing: first, the Force.com Code Scanner Portal(checkmark) performs automated tests, and then, manual tests are conducted for end-to-end verification.

These scanners can help you find the source of the security issues but may not tell you what preventive measures to take when facing a false positive error. To prevent such situations, record this encounter in detail and attach it to your review submission.

• Configure Security Testing External Environments
• Conduct testing by putting yourself in place of the end-users, and keep following these steps.
• You can use Environmental Hub to set up a Partner Developer Edition org.
• Install the managed package in the org and create multiple user profiles.
• Turn on My Domain for packages having lightning.

Voila!. You are ready to set go for Security Testing.

4. Schedule a Discussion with the Salesforce Team

If you have a doubt, it is advisable to schedule a discussion with the Salesforce Security team before it becomes unmanageable.

You can initiate this conversation by accessing the Salesforce Partner Security portal, where you can get your concerns addressed, including the setup of customer components. By clarifying your doubts and resolving unexpected issues, you can ensure a smoother AppExchange app submission process.

5. Arrange All the Required Documentation and Credentials

Permit the Salesforce Security Review team to access your application’s elements, environments, and packages, facilitating a smooth and hassle-free review process.

You can also arrange concise and comprehensive documentation and the required credentials to aid in the assessment. Additionally, you can include scanned security reports, documentation addressing false positive errors, and any relevant usage guides, if applicable.

6. Submit Your Application for the Review Process

Once all the contingencies are met, submit your application for review. You can do so from the Partner Community Publishing Console. Go to Submission Wizard and upload all the essential credentials and documentation. You can take reference to these tips to make your Salesforce AppExchange listing stand out.

How Does The Salesforce AppExchange Security Review Work?

Once your application is submitted, the Security Review team will initiate the verification process within 1-2 days. Upon verification completion, your application will be placed in the submission queue.

The duration for the completion of the security review process for appexchnage is not fixed and varies based on multiple factors. These factors include solution architecture, customization, etc.

The Salesforce Security Review teams employ threat-modeling profiles based on standard web vulnerabilities to assess your application across various parameters. They will attempt to breach the security measures programmed into your solution using different test cases to access or modify unauthorized data, similar to how a real security threat would operate.

The Salesforce Security team tests for several security threats, including:

• SOQL and SQL injection
• Cross-site scripting
• Non-secure authentication and access control protocols
• Vulnerabilities specific to the Salesforce platform, such as record-sharing violations

Obtaining the seal of approval to publish your application on Salesforce AppExchange is a significant achievement. You will receive an Approval email containing detailed instructions for publishing your approved application.

If the Security team identifies any vulnerabilities, they will compile a report and send it to you for rectification.

What if you fail the Security Review?

Successfully clearing the AppExchange security review in one attempt is challenging. Rather than viewing it as a failure, consider it an opportunity to enhance the quality of your application and ensure that no bugs are overlooked during the subsequent testing.

Check out this webinar for a detailed understanding of the security process involved in submitting an app to AppExchange.

Here’s a suggested next-best-action step:

• Begin by thoroughly studying the review report provided by the Salesforce Security team. It will provide detailed information about all known vulnerabilities. Use the table of contents to explore different security issues categorized within the report. Additionally, you will find a comprehensive description at the bottom of each section.
• Gather your team and devise new security strategies and practices. You can also incorporate new test cases alongside the existing ones. Allow your team to thoroughly analyze the report, identify methods to address the listed vulnerabilities, and implement necessary security measures for your application.
• Remember that the Security team has limited time for testing, and some vulnerabilities may have been missed. Consider conducting additional testing for the listed and unlisted issues by involving the Salesforce Security team. This will provide an extra layer of assurance in identifying and resolving any new vulnerabilities that may have arisen during the follow-up review.
• Once confident that all security threats have been addressed, resubmit your application for the AppExchange Security Review process. If there have been any changes to the application or managed package, ensure that you rebuild the package and submit the latest released version of your application for security review.

According to the revised AppExchange security review fee structure, each attempt requires a fee of $999 to review your solution.

If your application is free of threats this time, you will receive clearance in the Security Review Process, followed by an approval email from the Salesforce Security team. This email will guide listing your application on the Salesforce AppExchange platform.

Conclusion

The Salesforce AppExchange Security Review is a crucial step in upholding Salesforce’s rigorous security standards and ensuring that your application provides a safe, secure, reliable, and resilient platform.

To increase the chances of successfully passing the review, conducting thorough internal testing of your Salesforce-based application is highly advised before submitting it to the Security team.

However, seeking assistance from industry experts can be beneficial if you desire to navigate the AppExchange Security Review with confidence and aim to clear it on the first attempt. At Cyntexa, we offer the expertise of seasoned professionals who excel in navigating and succeeding in Security review tests.

Contact our experts and let your application score in the review test!