What to consider before submitting your app for Salesforce.com Security Review

Salesforce.com Security Review PassedThis article is for you if you are a new ISV vendor or you are new to Salesforce.com Security Review process. If you are planning to submit your app for security review – here are few items that you must consider before submitting your app.

Salesforce.com Security Review is the process of assessing your application’s security before it is listed on Salesforce.com Appexchange. Appexchange is prestigious Business to Business marketplace of Salesforce.com where over 2000 apps are listed. Security review is done by Salesforce.com Security review team. Think of security review as an additional benefit – with your app getting certified for Appexchange. Security review helps companies sell to enterprises by meeting their expectations of security.

Whether you have a native or composite app according to estimates almost 50% of the apps fail the security review the first time. A few simple steps will improve your chances of success multiple times.

1. Design your app for security

Your preparation for security review should start from the design stage itself. Keeping security in mind right from start has its advantages and saves a lot of valuable time. In the design stage itself analyze the application for security vulnerabilities and threats. We have experience that partners who have thought about security review from start have better chances of success in the first review itself.

2. Set the Coding standards

If we know the vulnerabilities from the start we can provide the team with standards of coding so that the risk is controlled right from start. In many cases we have notices development team spending hours to rework on the code before the security review. This not only delays the whole process – but also increases the risk of additional bugs being introduced when the code is modified. It is much more difficult to identify and fix the issues after a release is committed. The development teams can refer to the Security Review Education page on Partner portal for detailed information.

3. Plan for security review

We have noticed that many partners do not plan for security review in their project plan. It takes somewhere between 4-8 weeks for security review depending on complexity of your application and timing. Partners must take about a week for preparation of security review and give 6-8 weeks to Salesforce team to complete review from their side. During this period ISV partners must keep their key technical persons available for any clarification or rework.

4. What is reviewed in Salesforce security review process?

Salesforce security review team generally checks for injection (Like SQL,SOQL etc), issues with authentication and session management, XSS – Cross site scripting, CSRF – Cross site Request Forgery, insecure references to objects, access control, reference vulnerabilities and misconfigured security among other things. A list of OWASP top 10 will be a great reference point to know what will be checked in security review.

5. Do Security scans

ISV partners must do a Checkmarx scan of their apps before submitting. Checkmarx is a cloud security app that gives a report on Force.com code related issues. If there are any issues then partners are advised to either resolve those issues or they submit a report of ‘False Positive’ – as to why they are not a concern. False Positive are the items that Checkmarx has reported as issues but they are actually false alarms.

in addition to Checkmarx there are BURP or ZAP or Chimera scans typically used to scan external integrations and web application security.

6. Provide all the information required to do review

Make sure you provide salesforce.com Security review team all the information they need to do the review. Primarily you should give them access to a testing environment of your solution (that has all the components) where they can test the app. If you have an hybrid app you might provide access to both sides of the test account as well as web app. Also provide access to both administrator and standard user access to the environments. In addition to this provide the scan reports like Checkmarx, BURP, ZAP and if any issues provide the False Positive report.

7. Take external help

If you are a new ISV partner and do not have internal resources for going through Security review – it makes sense to find someone who knows. We (Dhruvsoft) or partners like us have who have experience in security review process can ensure that your app passes the security review. The earlier you involve the partner in your development lifecycle – the better. Bringing them just before submitting for review may not result in great benefits.


  1. Chandrasekhar says:

    Hi Team,

    Thanks for the content, it is very helpful. Can you please clarify my query, we have integration from salesforce to Oracle. We have issues with ZAP Scanner report submission.

    We have Oauth authentication and invoking multiple webservices from Salesforce. Do we need to run zap scanner report on all the web services endpoints or Login URL of the application. Could you please help us on this.


  2. DigitSec, Inc. says:

    Thanks for sharing this it is really great information.

Speak Your Mind