How to pass AppExchange security review for Salesforce app

Security and privacy are the two major concerns in the Internet age. According to the Center for Strategic and International Studies (CSIS),  the US companies collectively lose US$100 billion a year to cybercriminals. It's a tough commitment to assure enterprise customers to share their data in the cloud. But after years into cloud computing and forming a trust, Salesforce established itself as a secure platform for building a product. The app development process on Salesforce AppExchange doesn't end with building the product. There are certain security and privacy implications of building a Salesforce app. The Salesforce security team conducts strict security reviews of each product before they get listed on AppExchange. Customers feel certainty in knowing that AppExchange products are reliable and provide the highest level of data security.

The Security Review Process

The Salesforce security team conducts precise security review to every Salesforce product before green-lighting them for AppExchange. Therefore, the security review process of an app takes from 4-6 weeks from the time the app has been submitted which take place in 6 key steps:

  1. ISV partner submits its app security review via Partner Community
  2. Security review operation team verifies the submission
  3. The submission then gets added to the product security queue
  4. Product security team performs tests and validates results
  5. Security review operation team notifies partner of results

Note: It could take 2-3 more weeks for product security to test a resubmission of a package that wasn’t approved previously but shows fixed security issues.

Securing customer data and maintaining their trust is important for being part of building Salesforce apps. Security Review ultimately helps build trust between you and your customers.  Every app on the AppExchange must go through AppExchange security review to ensure they follow proper security guidelines. Therefore a developer needs to adjust its app for the security review in the development process for listing it in the AppExchange. To assist partners with it, Salesforce offers various free security resources for the development of apps. We are going to list a few key resources the Salesforce uses while taking on a new client who has to go through the security review process for the first time. 

ISVforce Guide

This guide is brief documentation which intends to help Salesforce partner in every step of planning, building, distributing, marketing, selling, and supporting solutions that run on the Salesforce platform. While the guide helps you successfully navigate the stages of the solution lifecycle, it also has a dedicated section on the Security Review that could come in handy if you are stuck at any stage of the security review process. 

Security Review Module 

It's a Trailhead module that walks you through the process of creating your security plan for Salesforce related products. Along with preparing you for security review, it also shows a step by step method to submit and list an app on the AppExchange.

Develop Secure Web Apps Trial

This trial comprises five modules to help you detect and prevent common vulnerabilities in your code and strengthen your web apps. It covers vulnerabilities such as application security, cross-site scripting, app logic vulnerability prevention, data leak prevention, and security for Lightning components. 

Partner Security Portal

This is a centralised portal for Salesforce partners only, which gives them access to few security review tools such as Source Code Scanner, Chimera Scanner, and Office Hours. 

How to prepare for security review

You are aware that a security review process for your product is the next big step, and you can’t launch your product on AppExchange without passing the review. But how do you prepare for the security review in order to pass the review process? Here is a list of a few suggestions which can help you prepare for the security review.

Learn to recognize and neutralize security threats

The Salesforce product security team focuses on the vulnerability of an app to the most common threats. They will hit your app with a series of threats and try their best to get access to important data within your product. If you prepare your app against these attacks by recognizing them at an early stage and neutralize them, then the chances are they can't break-in, hence you pass the review. 

Protect your app against the list of attacks on the OWASP

The Open Web Application Security Project (OWASP) keeps a complete list of the most common web attacks such as injection, session hacking and cross-site scripting. Protecting your app against these and other web attacks on the OWASP list helps you pass the security review.  Additionally, you develop the least level of app security.

Prepare your app for Salesforce specific security

The most important and unique security feature of the Salesforce platform is CRUD/FLS - Create/Read/Update/Delete and Field Level Security. This feature determines who can access specific objects and fields within an org. Failing to implement CRUD/FLS security accurately is the main reason apps fail the security review. You should consider this while developing the app as CRUD/FLS  relates to how objects communicate within your app. 

Ownership of security

Security is indeed everyone’s responsibility, but developers get too engaged in the process. Every development team should have a person in charge who takes care of all the security elements of your app. Certain things can get missed in getting a product market-ready in the given timeline. To ensure security remains a primary concern, appoint a dedicated security advocate for the team.

Write secure code

The next step to prepare for security review is building secure software by following secure coding guidelines. Read more about it in Salesforce secure coding guidelines documentation which contains a collection of web security threats found during security audits. 

Security is the key

Nobody likes delays in a project, especially if it's because of a fundamental security flaw. If it's a minor issue, it can be fixed with ease. But if it's not, then you might have to go back and change your design, facing additional work and extra delay.  It can get tense if your launch date gets pushed because the Salesforce Product Security team identifies a security vulnerability in your solution.  Most of the businesses go for a Salesforce consulting companies to guide them through this. 

Evon Technologies specializes in bringing enterprise applications to the AppExchange. We take care of all the security and privacy implications that come with building a Salesforce app. Our expertise in the subject has enabled us to provide Salesforce development services in India to Salesforce partners by following Salesforce security guidelines. Our team applies secure design and programming practices at every stage of development and tests your app against threats. Before initiating the AppExchange security review, we make sure that every resource is utilized to pass it. No matter if you’re a startup looking to get into AppExchange or a serial entrepreneur aiming for better results, contact us today! or email us at This email address is being protected from spambots. You need JavaScript enabled to view it.