{"id":357,"date":"2016-04-29T20:59:04","date_gmt":"2016-04-29T15:29:04","guid":{"rendered":"https:\/\/www.dhruvsoft.com\/blog\/?p=357"},"modified":"2024-07-26T09:45:08","modified_gmt":"2024-07-26T09:45:08","slug":"what-to-consider-before-submitting-your-app-for-salesforce-com-security-review","status":"publish","type":"post","link":"https:\/\/www.dhruvsoft.com\/blog\/what-to-consider-before-submitting-your-app-for-salesforce-com-security-review\/","title":{"rendered":"What to consider before submitting your app for Salesforce.com Security Review"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-358\" src=\"https:\/\/www.dhruvsoft.com\/blog\/wp-content\/uploads\/2016\/04\/security-passed.png\" alt=\"Salesforce.com Security Review Passed\" width=\"293\" height=\"282\" srcset=\"https:\/\/www.dhruvsoft.com\/blog\/wp-content\/uploads\/2016\/04\/security-passed.png 682w, https:\/\/www.dhruvsoft.com\/blog\/wp-content\/uploads\/2016\/04\/security-passed-300x289.png 300w\" sizes=\"auto, (max-width: 293px) 100vw, 293px\" \/>This article is for you if you are a new ISV vendor or you are new to the Salesforce.com Security Review process. If you are planning to submit your app for security review, here are a few items you must consider before submitting.<\/p>\n<p>Salesforce.com Security Review is the process by which Salesforce assesses your application&#8217;s security before it is listed on <a href=\"https:\/\/appexchange.salesforce.com\/\">Salesforce.com AppExchange<\/a>. AppExchange is the prestigious business-to-business marketplace of Salesforce.com, where over 2000 apps are listed. The review is performed by the Salesforce.com Security Review team. Think of security review as an additional benefit that comes with getting your app certified for AppExchange. 
Security review helps companies sell to enterprises by meeting their expectations of security.<!--more--><\/p>\n<p>Whether you have a native or a composite app, by most estimates almost 50% of apps fail the security review the first time. A few simple steps will greatly improve your chances of passing on the first attempt.<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_83 ez-toc-wrap-left-text counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1' ><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-1\" 
href=\"https:\/\/www.dhruvsoft.com\/blog\/what-to-consider-before-submitting-your-app-for-salesforce-com-security-review\/#1_DesignA_your_app_for_security\" >1. Design your app for security<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.dhruvsoft.com\/blog\/what-to-consider-before-submitting-your-app-for-salesforce-com-security-review\/#2_Set_the_Coding_standards\" >2. Set the Coding standards<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.dhruvsoft.com\/blog\/what-to-consider-before-submitting-your-app-for-salesforce-com-security-review\/#3_Plan_for_security_review\" >3. Plan for security review<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.dhruvsoft.com\/blog\/what-to-consider-before-submitting-your-app-for-salesforce-com-security-review\/#4_What_is_reviewed_in_Salesforce_security_review_process\" >4. What is reviewed in Salesforce security review process?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.dhruvsoft.com\/blog\/what-to-consider-before-submitting-your-app-for-salesforce-com-security-review\/#5_Do_Security_scans\" >5. Do Security scans<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.dhruvsoft.com\/blog\/what-to-consider-before-submitting-your-app-for-salesforce-com-security-review\/#6_Provide_all_the_information_required_to_do_review\" >6. Provide all the information required to do review<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.dhruvsoft.com\/blog\/what-to-consider-before-submitting-your-app-for-salesforce-com-security-review\/#7_Take_external_help\" >7. 
Take external help<\/a><\/li><\/ul><\/nav><\/div>\n<h4><span class=\"ez-toc-section\" id=\"1_DesignA_your_app_for_security\"><\/span>1. Design your app for security<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Your preparation for security review should start at the design stage. Keeping security in mind from the start has clear advantages and saves a lot of valuable time later. Analyze the application for security vulnerabilities and threats while you are still designing it, before code is written. In our experience, partners who think about security review from the start have a much better chance of passing the first review.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"2_Set_the_Coding_standards\"><\/span>2. Set the Coding standards<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Once the likely vulnerabilities are known, give the development team coding standards that address them, so the risk is controlled from the first line of code. In many cases we have seen development teams spend hours reworking code just before the security review. This not only delays the whole process, but also increases the risk of new bugs being introduced while the code is modified. It is much harder to identify and fix issues after a release has been committed. Development teams can refer to the <a href=\"https:\/\/partners.salesforce.com\/s\/education\/appvendors\/Security_Review\">Security Review Education<\/a> page on the Partner portal for detailed guidance.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"3_Plan_for_security_review\"><\/span>3. Plan for security review<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Many partners do not include security review in their project plan. Security review takes somewhere between 4 and 8 weeks, depending on the complexity of your application and when you submit. Partners should allow about a week to prepare the submission and give the Salesforce team 6-8 weeks to complete the review from their side. 
During this period ISV partners must keep their key technical people available for clarifications or rework.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"4_What_is_reviewed_in_Salesforce_security_review_process\"><\/span>4. What is reviewed in Salesforce security review process?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>The Salesforce security review team generally checks for injection (SOQL, SOSL and SQL, for example), broken authentication and session management, cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references, missing access control (object, field-level and record-sharing checks in Apex), and security misconfiguration, among other things. The <a href=\"https:\/\/www.owasp.org\/index.php\/Category:OWASP_Top_Ten_Project\">OWASP Top 10<\/a> is a good reference for the classes of weakness the review looks for.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"5_Do_Security_scans\"><\/span>5. Do Security scans<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>ISV partners must run a <a href=\"https:\/\/security.secure.force.com\/security\/tools\/forcecom\/scanner\">Checkmarx<\/a> scan of their app before submitting. Checkmarx is the cloud-hosted static code scanner that Salesforce provides; it reports security issues in Force.com (Apex and Visualforce) code. If it reports issues, partners must either fix them or submit a false-positive report explaining why each finding is not a concern. 
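<\/p>
<p>The injection and access-control classes listed in section 4 are also the findings Checkmarx raises most often, so it helps to recognise the pattern in code. The Apex controller below is an added illustration written for this article, not code from the original post or from any Dhruvsoft product. The first method shows the SOQL injection the scanner flags; the other two show the hardened forms the review team expects. The class name, the method names and the choice of Contact fields are assumptions made for the example.<\/p>

```apex
\/\/ Added example, not code from the original post or from any Dhruvsoft product.
\/\/ Class name, method names and the Contact fields used are assumptions made for
\/\/ illustration. Contact[] is Apex array shorthand for a list of Contact records.
public with sharing class ContactSearchController {

    \/\/ VULNERABLE: untrusted input is concatenated into the SOQL string. This is the
    \/\/ pattern Checkmarx reports as SOQL injection. A lastName value of
    \/\/     x' OR Name LIKE '%
    \/\/ closes the literal early, so the WHERE clause becomes
    \/\/     LastName = 'x' OR Name LIKE '%'
    \/\/ and every Contact the running user can see is returned.
    public static Contact[] searchUnsafe(String lastName) {
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE LastName = \\'' + lastName + '\\'';
        return Database.query(soql);
    }

    \/\/ HARDENED (preferred): static SOQL with a bind variable. The platform passes the
    \/\/ value separately from the query text, so it can never alter the query structure.
    \/\/ WITH SECURITY_ENFORCED makes the query throw a QueryException when the running
    \/\/ user lacks read access to Contact or to any selected field. The with sharing
    \/\/ modifier on the class enforces record sharing only, not object or field access.
    public static Contact[] searchSafe(String lastName) {
        return [SELECT Id, Name, Email
                FROM Contact
                WHERE LastName = :lastName
                WITH SECURITY_ENFORCED];
    }

    \/\/ HARDENED (dynamic SOQL, when the field list varies at runtime): check object and
    \/\/ field access explicitly, then escape the value before concatenating it.
    public static Contact[] searchDynamic(String lastName, Boolean includeEmail) {
        Boolean emailReadable = !includeEmail || Schema.sObjectType.Contact.fields.Email.isAccessible();
        if (!Schema.sObjectType.Contact.isAccessible()
                || !Schema.sObjectType.Contact.fields.Name.isAccessible()
                || !emailReadable) {
            throw new System.NoAccessException();
        }
        \/\/ escapeSingleQuotes prefixes every ' with a backslash, so the input cannot
        \/\/ leave the quoted literal. It does nothing for input spliced into field
        \/\/ names, ORDER BY or LIMIT; validate those against an allow-list instead.
        String safeName = String.escapeSingleQuotes(lastName);
        String fieldList = includeEmail ? 'Id, Name, Email' : 'Id, Name';
        return Database.query('SELECT ' + fieldList + ' FROM Contact WHERE LastName = \\'' + safeName + '\\'');
    }
}
```

<p>Prefer the static query with a bind variable wherever the query shape is fixed. Reach for <code>Database.query<\/code> with <code>String.escapeSingleQuotes<\/code> and explicit <code>isAccessible<\/code> checks only when the field list or filters genuinely vary at runtime, and never splice user input into anything other than a quoted string literal.<\/p>
<p>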
False positives are findings that Checkmarx reports as issues but that are not real vulnerabilities in the context of your code; the report must justify each one individually.<\/p>\n<p>In addition to Checkmarx, <a href=\"https:\/\/security.secure.force.com\/security\/tools\/webapp\/burpabout\">Burp<\/a>, <a href=\"https:\/\/security.secure.force.com\/security\/tools\/webapp\/zapbrowsersetup\">ZAP<\/a> or <a href=\"https:\/\/developer.salesforce.com\/page\/Security\/Chimera\">Chimera<\/a> scans are typically used to test external integrations and web applications hosted outside the Salesforce platform.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"6_Provide_all_the_information_required_to_do_review\"><\/span>6. Provide all the information required to do review<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Make sure you give the Salesforce.com Security Review team all the information they need to do the review. Primarily, give them access to a test environment of your solution, with all components installed, where they can exercise the app. If you have a hybrid (composite) app, provide access to both sides: the Salesforce test org and the external web app. Provide both administrator and standard-user logins for each environment. Finally, include the scan reports (Checkmarx, Burp, ZAP) and, where findings remain, the false-positive report.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"7_Take_external_help\"><\/span>7. Take external help<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>If you are a new ISV partner and do not have the internal resources to go through security review, it makes sense to engage someone who knows the process. We (Dhruvsoft), or partners like us with experience of the security review process, can help ensure that your app passes. The earlier you involve the partner in your development lifecycle, the better. 
Bringing them in just before you submit for review brings little benefit.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article is for you if you are a new ISV vendor or you are new to the Salesforce.com Security Review process. If you are planning to submit your app for security review &#8211; here are a few items that you must consider before submitting your app. Salesforce.com Security Review is the process of assessing your application&#8217;s security [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55],"tags":[133,127,138,137],"class_list":["post-357","post","type-post","status-publish","format-standard","hentry","category-force-com","tag-app-development","tag-appexchange","tag-isv-partner","tag-salesforce-com-security-review","entry"],"_links":{"self":[{"href":"https:\/\/www.dhruvsoft.com\/blog\/wp-json\/wp\/v2\/posts\/357","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dhruvsoft.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dhruvsoft.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dhruvsoft.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dhruvsoft.com\/blog\/wp-json\/wp\/v2\/comments?post=357"}],"version-history":[{"count":0,"href":"https:\/\/www.dhruvsoft.com\/blog\/wp-json\/wp\/v2\/posts\/357\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dhruvsoft.com\/blog\/wp-json\/wp\/v2\/media?parent=357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dhruvsoft.com\/blog\/wp-json\/wp\/v2\/categories?post=357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dhruvsoft.com\/blog\/wp-json\/wp\/v2\/tags?post=357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}