
What are the security and privacy implications of building Salesforce apps?

  • A guide to prepare yourself for the AppExchange security review process and know about other privacy implications of building Salesforce apps

How to pass AppExchange security review for Salesforce app

Security and privacy are the two major concerns of the Internet age. According to the Center for Strategic and International Studies (CSIS), US companies collectively lose US$100 billion a year to cybercriminals. Persuading enterprise customers to share their data in the cloud is a tough commitment to make. But after years of cloud computing and trust-building, Salesforce has established itself as a secure platform on which to build a product. The app development process on Salesforce AppExchange doesn't end with building the product. There are certain security and privacy implications of building a Salesforce app. The Salesforce security team conducts a strict security review of each product before it gets listed on AppExchange. Customers feel certainty in knowing that AppExchange products are reliable and provide the highest level of data security.

The Security Review Process

The Salesforce security team conducts a rigorous security review of every Salesforce product before green-lighting it for AppExchange. The security review of an app takes 4-6 weeks from the time the app is submitted and takes place in 6 key steps:

  1. ISV partner submits its app security review via Partner Community
  2. Security review operation team verifies the submission
  3. The submission then gets added to the product security queue
  4. Product security team performs tests and validates results
  5. Security review operation team notifies partner of results

Note: It could take 2-3 more weeks for product security to test a resubmission of a package that was not approved previously and has since had its security issues fixed.

Securing customer data and maintaining customer trust is an essential part of building Salesforce apps. The Security Review ultimately helps build trust between you and your customers. Every app on the AppExchange must go through the AppExchange security review to ensure it follows proper security guidelines. Therefore a developer needs to prepare the app for the security review during the development process in order to list it on the AppExchange. To assist partners with this, Salesforce offers various free security resources for the development of apps. Below are a few key resources that help when taking on a new client who has to go through the security review process for the first time.

ISVforce Guide

This guide is brief documentation intended to help Salesforce partners in every step of planning, building, distributing, marketing, selling, and supporting solutions that run on the Salesforce platform. While the guide helps you successfully navigate the stages of the solution lifecycle, it also has a dedicated section on the Security Review that could come in handy if you are stuck at any stage of the security review process.

Security Review Module 

It's a Trailhead module that walks you through the process of creating your security plan for Salesforce related products. Along with preparing you for security review, it also shows a step by step method to submit and list an app on the AppExchange.

Develop Secure Web Apps Trial

This trial comprises five modules to help you detect and prevent common vulnerabilities in your code and strengthen your web apps. It covers application security basics, cross-site scripting, app logic vulnerability prevention, data leak prevention, and security for Lightning components.

Partner Security Portal

This is a centralised portal for Salesforce partners only, which gives them access to a few security review tools such as Source Code Scanner, Chimera Scanner, and Office Hours.

  • Source Code Scanner lets you schedule scans for your org code, download scan reports, and manage scan credits for your orgs. 
  • Office Hours lets you talk with the Security Review team at Salesforce. Partners can book time with AppExchange security engineers and the security review operations team.

How to prepare for security review

You are aware that a security review process for your product is the next big step, and you can’t launch your product on AppExchange without passing the review. But how do you prepare for the security review in order to pass the review process? Here is a list of a few suggestions which can help you prepare for the security review.

Learn to recognize and neutralize security threats

The Salesforce product security team focuses on how vulnerable an app is to the most common threats. They will hit your app with a series of attacks and try their best to get access to important data within your product. If you prepare your app against these attacks by recognizing them at an early stage and neutralizing them, then the chances are the team can't break in, and you pass the review.

Protect your app against the list of attacks on the OWASP

The Open Web Application Security Project (OWASP) keeps a complete list of the most common web attacks such as injection, session hijacking and cross-site scripting. Protecting your app against these and the other web attacks on the OWASP list helps you pass the security review. It also establishes a minimum baseline of security for your app.
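Injection is the OWASP item that most often shows up in Apex code as SOQL injection through dynamic queries. The class below is an added example written for this post, not code from Salesforce or from the original article; the class, method and variable names are assumptions, while Contact and its LastName/Email fields are standard platform objects and fields. It places the vulnerable pattern beside two fixes.

```apex
// Added example: SOQL injection in dynamic Apex and how to neutralize it.
// Class/method names are illustrative assumptions; Contact is a standard object.
public with sharing class ContactSearch {

    // VULNERABLE: the caller-supplied value is concatenated straight into the
    // query text. Any input containing a single quote can alter the WHERE
    // clause and return records the query was never meant to expose.
    public static List<Contact> searchUnsafe(String lastName) {
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE LastName = \''
                    + lastName + '\'';
        return Database.query(soql);
    }

    // FIX 1: if dynamic SOQL is unavoidable, escape single quotes so the input
    // can only ever be treated as a string literal.
    public static List<Contact> searchEscaped(String lastName) {
        String safe = String.escapeSingleQuotes(lastName);
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE LastName = \''
                    + safe + '\'';
        return Database.query(soql);
    }

    // FIX 2 (preferred): static SOQL with a bind variable. The value never
    // becomes part of the query text, so no escaping is needed, and
    // WITH SECURITY_ENFORCED additionally enforces object and field
    // permissions for the running user.
    public static List<Contact> searchBound(String lastName) {
        return [SELECT Id, Name, Email FROM Contact
                WHERE LastName = :lastName
                WITH SECURITY_ENFORCED];
    }
}
```

The Source Code Scanner flags the `searchUnsafe` pattern; reviewers expect either the escaped form or, better, the bind-variable form wherever user input reaches a query.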

Prepare your app for Salesforce specific security

The most important and unique security feature of the Salesforce platform is CRUD/FLS - Create/Read/Update/Delete and Field Level Security. This feature determines who can access specific objects and fields within an org. Failing to implement CRUD/FLS security accurately is the main reason apps fail the security review. You should consider this while developing the app, since CRUD/FLS governs how your app's code is allowed to access objects and fields.
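A common misunderstanding is that `with sharing` covers CRUD/FLS; it only enforces record-level sharing, so object and field permissions still have to be checked in code. The class below is an added example for this post (not Salesforce's code and not from the original article): the class and method names are assumptions, Contact and its Email/Phone fields are standard, and the `Security.stripInaccessible()` and `Schema.SObjectType` describe calls are the platform's own APIs for exactly this check.

```apex
// Added example: enforcing CRUD/FLS on a read and on an update in Apex.
// Class/method names are illustrative; Contact, Email and Phone are standard.
public with sharing class ContactService {

    public class AccessDeniedException extends Exception {}

    // VULNERABLE: "with sharing" applies sharing rules only. Object and field
    // permissions are NOT checked, so a user without read access to
    // Contact.Email still receives the value.
    public static List<Contact> readUnsafe(Set<Id> ids) {
        return [SELECT Id, Email, Phone FROM Contact WHERE Id IN :ids];
    }

    // FIX for reads: stripInaccessible() removes every field the running user
    // may not read and throws if the user lacks Read on the object itself.
    public static List<Contact> readSafe(Set<Id> ids) {
        List<Contact> rows =
            [SELECT Id, Email, Phone FROM Contact WHERE Id IN :ids];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        // decision.getRemovedFields() lists what was stripped, useful for logging.
        return (List<Contact>) decision.getRecords();
    }

    // FIX for writes: check object-level Update and field-level Update
    // explicitly, then strip anything the user may not update before DML.
    public static void updatePhone(Id contactId, String newPhone) {
        if (!Schema.SObjectType.Contact.isUpdateable() ||
            !Schema.SObjectType.Contact.fields.Phone.isUpdateable()) {
            throw new AccessDeniedException('No update access to Contact.Phone');
        }
        Contact c = new Contact(Id = contactId, Phone = newPhone);
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, new List<Contact>{ c });
        update decision.getRecords();
    }
}
```

The explicit describe checks in `updatePhone` are what a reviewer looks for before any insert, update or delete; `stripInaccessible()` is the convenient complement for reads, where silently dropping a field is usually the desired behaviour rather than failing the whole request.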

Ownership of security

Security is indeed everyone's responsibility, but developers get absorbed in building the product and security can slip out of focus. Every development team should have a person in charge who takes care of all the security elements of your app. Certain things can get missed when getting a product market-ready within the given timeline. To ensure security remains a primary concern, appoint a dedicated security advocate for the team.

Write secure code

The next step in preparing for the security review is building secure software by following secure coding guidelines. Read more about it in the Salesforce Secure Coding Guidelines documentation, which contains a collection of the web security threats found during security audits.

Security is the key

Nobody likes delays in a project, especially if they are caused by a fundamental security flaw. A minor issue can be fixed with ease. But if it's not minor, then you might have to go back and change your design, facing additional work and extra delay. It can get tense if your launch date gets pushed because the Salesforce Product Security team identifies a security vulnerability in your solution. Most businesses turn to a Salesforce consulting company to guide them through this.

Evon Technologies specializes in bringing enterprise applications to the AppExchange. We take care of all the security and privacy implications that come with building a Salesforce app. Our expertise in the subject has enabled us to provide Salesforce development services in India to Salesforce partners by following Salesforce security guidelines. Our team applies secure design and programming practices at every stage of development and tests your app against threats. Before initiating the AppExchange security review, we make sure that every resource is utilized to pass it. Whether you're a startup looking to get onto the AppExchange or a serial entrepreneur aiming for better results, contact us today or email us.

