
What are the security and privacy implications of building Salesforce apps?

  • A guide to prepare yourself for the AppExchange security review process and know about other privacy implications of building Salesforce apps

How to pass AppExchange security review for Salesforce app

Security and privacy are the two major concerns in the Internet age. According to the Center for Strategic and International Studies (CSIS), US companies collectively lose US$100 billion a year to cybercriminals. Persuading enterprise customers to share their data in the cloud is a tough commitment. But after years in cloud computing and building trust, Salesforce has established itself as a secure platform for building a product. The app development process on Salesforce AppExchange doesn't end with building the product. There are certain security and privacy implications of building a Salesforce app. The Salesforce security team conducts a strict security review of each product before it gets listed on AppExchange. Customers gain confidence from knowing that AppExchange products are reliable and provide the highest level of data security.

The Security Review Process

The Salesforce security team conducts a precise security review of every Salesforce product before green-lighting it for AppExchange. The security review of an app takes 4-6 weeks from the time the app is submitted, and takes place in 6 key steps:

  1. The ISV partner submits its app for security review via the Partner Community
  2. Security review operation team verifies the submission
  3. The submission then gets added to the product security queue
  4. Product security team performs tests and validates results
  5. Security review operation team notifies partner of results

Note: It could take 2-3 more weeks for product security to test a resubmission of a package that wasn’t approved previously but shows fixed security issues.

Securing customer data and maintaining customer trust is an important part of building Salesforce apps. The security review ultimately helps build trust between you and your customers. Every app on the AppExchange must go through the AppExchange security review to ensure it follows proper security guidelines. A developer therefore needs to prepare the app for the security review during development in order to list it on the AppExchange. To assist partners with this, Salesforce offers various free security resources for app development. We are going to list a few key resources Salesforce uses when taking on a new client who has to go through the security review process for the first time.

ISVforce Guide

This guide is brief documentation intended to help Salesforce partners in every step of planning, building, distributing, marketing, selling, and supporting solutions that run on the Salesforce platform. While the guide helps you navigate the stages of the solution lifecycle, it also has a dedicated section on the security review that comes in handy if you are stuck at any stage of the review process.

Security Review Module 

It's a Trailhead module that walks you through the process of creating your security plan for Salesforce-related products. Along with preparing you for the security review, it also shows a step-by-step method to submit and list an app on the AppExchange.

Develop Secure Web Apps Trail

This trail comprises five modules to help you detect and prevent common vulnerabilities in your code and strengthen your web apps. It covers topics such as application security, cross-site scripting, app logic vulnerability prevention, data leak prevention, and security for Lightning components.

Partner Security Portal

This is a centralised portal for Salesforce partners only, which gives them access to a few security review tools such as Source Code Scanner, Chimera Scanner, and Office Hours.

  • Source Code Scanner lets you schedule scans for your org code, download scan reports, and manage scan credits for your orgs. 
  • Office Hours lets you talk with the Security Review team at Salesforce. Partners can book time with AppExchange security engineers and the security review operations team.

How to prepare for security review

You are aware that a security review process for your product is the next big step, and you can’t launch your product on AppExchange without passing the review. But how do you prepare for the security review in order to pass the review process? Here is a list of a few suggestions which can help you prepare for the security review.

Learn to recognize and neutralize security threats

The Salesforce product security team focuses on how vulnerable an app is to the most common threats. They will hit your app with a series of attacks and try their best to get access to important data within your product. If you prepare your app against these attacks by recognizing them at an early stage and neutralizing them, chances are they can't break in, and you pass the review.

Protect your app against the list of attacks on the OWASP

The Open Web Application Security Project (OWASP) keeps a complete list of the most common web attacks, such as injection, session hijacking and cross-site scripting. Protecting your app against these and the other web attacks on the OWASP list helps you pass the security review. It also gives your app a minimum level of security.

Prepare your app for Salesforce specific security

The most important and unique security feature of the Salesforce platform is CRUD/FLS - Create/Read/Update/Delete and Field Level Security. This feature determines who can access specific objects and fields within an org. Failing to implement CRUD/FLS security accurately is the main reason apps fail the security review. You should consider this while developing the app, as CRUD/FLS relates to how objects communicate within your app.
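As an added illustration of what a CRUD/FLS check looks like in Apex (this is not code from the original article or from Salesforce), the class below puts an unchecked query next to a read path and a write path that enforce object and field permissions. `ContactService`, `CrudFlsException` and the method names are hypothetical; `Contact` and its fields are standard schema.

```apex
// Added example; ContactService, CrudFlsException and the method names are hypothetical.
// Contact and its Name, Email and Phone fields are standard Salesforce schema.
public with sharing class ContactService {

    public class CrudFlsException extends Exception {}

    // BEFORE: "with sharing" only enforces record-level sharing. Apex still runs
    // in system context for CRUD/FLS, so Email and Phone are returned even to
    // users whose profile hides those fields.
    public static List<Contact> findUnchecked(Id accountId) {
        return [SELECT Id, Name, Email, Phone
                FROM Contact WHERE AccountId = :accountId];
    }

    // AFTER (read): verify object-level read access, then strip the fields the
    // running user cannot read instead of returning them.
    public static List<Contact> findForUser(Id accountId) {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new CrudFlsException('No read access to Contact');
        }
        List<Contact> rows = [SELECT Id, Name, Email, Phone
                              FROM Contact WHERE AccountId = :accountId];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        // getRemovedFields() maps object name -> field names that were stripped.
        System.debug(decision.getRemovedFields());
        return (List<Contact>) decision.getRecords();
    }

    // AFTER (write): check both the object (CRUD) and the field (FLS) before DML.
    public static void updateEmail(Id contactId, String newEmail) {
        if (!Schema.sObjectType.Contact.isUpdateable()
                || !Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new CrudFlsException('No update access to Contact.Email');
        }
        update new Contact(Id = contactId, Email = newEmail);
    }
}
```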

Ownership of security

Security is indeed everyone’s responsibility, but developers get too engaged in the development process itself. Every development team should have a person in charge who takes care of all the security elements of the app. Certain things can get missed while getting a product market-ready within the given timeline. To ensure security remains a primary concern, appoint a dedicated security advocate for the team.

Write secure code

The next step in preparing for the security review is building secure software by following secure coding guidelines. Read more about it in the Salesforce secure coding guidelines documentation, which contains a collection of web security threats found during security audits.

Security is the key

Nobody likes delays in a project, especially if they are caused by a fundamental security flaw. If it's a minor issue, it can be fixed with ease. But if it's not, you might have to go back and change your design, facing additional work and extra delay. It can get tense if your launch date gets pushed because the Salesforce Product Security team identifies a security vulnerability in your solution. Most businesses go to a Salesforce consulting company to guide them through this.

Evon Technologies specializes in bringing enterprise applications to the AppExchange. We take care of all the security and privacy implications that come with building a Salesforce app. Our expertise in the subject has enabled us to provide Salesforce development services in India to Salesforce partners by following Salesforce security guidelines. Our team applies secure design and programming practices at every stage of development and tests your app against threats. Before initiating the AppExchange security review, we make sure that every resource is utilized to pass it. No matter if you’re a startup looking to get into AppExchange or a serial entrepreneur aiming for better results, contact us today!

 
