Touted as the world’s #1 business app marketplace, the AppExchange is backed by Salesforce’s watertight protection. Today, AppExchange boasts over 7.5 million downloads, 5,000 solutions, and garnered more than 90,000 reviews. Expect zealously-enforced security on Salesforce’s range of products and the protection rendered to its users’ data.
The growth of AppExchange only solidifies the Salesforce Product Security team’s efforts to ensure the marketplace’s security remains uncompromised. It does so by conducting a rigorous, stringent review of any apps that are to be published. Therefore, you’ll want to make security a priority if you’re to publish your app on AppExchange.
You’ll get valuable information on the Salesforce AppExchange Security Review in this guide. It introduces you to the necessary steps needed to prepare for the review and increase the chance of passing. You’ll get an insight into how the process works and the contingency measures should you fail in your first attempt.
Read on and find out what’s required in getting approval in the Salesforce AppExchange Security Review.
An Introduction To The AppExchange Security Review
The AppExchange security review is a process where the Salesforce security team runs a series of stringent tests on submitted apps. It is meant to ensure that apps published on the marketplace are not susceptible to malicious attacks. Passing the security review isn’t easy, as it’s designed to ensure that customers’ data enjoy the highest protection possible.
If you’re publishing a free app, there are no fees involved. For paid apps, it’ll cost you the following amount to have one listed on AppExchange:
- One-time-fee of $2,550 for Security Review.
- An annual listing fee of $150.
AppExchange Review Preparation Checklist
1. Establish A Security Strategy
It’s pivotal to set up a sound security strategy for your app from the start. Whether it’s securing the app from attacks or complying with the review process, you’ll want to get your team on the same page. Security must be prioritized throughout the entire design cycle.
However, it isn’t unusual for some security flaws to slip through the watchful eyes of your team. Such incidences could happen, particularly if your team is stretched to the limits as they juggle multiple tasks.
As a precautionary measure, you should consider enrolling a security manager. Doing so ensures that someone is dedicated to spotting security issues in the app and effectively channeling the information to the development team prior to the review.
Here are what you ought to keep in mind when developing the app.
- Step into the users’ shoes and imagine how they would possibly interact with the app. Chances are, you’ll discover security issues that escape attention when you’re thinking like a developer. Hone into the vulnerabilities by setting up targeted use cases.
- Seek inputs from your team members and security manager in determining strategies to create secure codes and addressing vulnerabilities. Enforce the security guidelines in the code.
- Test, test, and test. Devise test methods that can be used routinely throughout the development cycle.
2. Read up on Salesforce and related security guidelines.
Before submitting your app to the Salesforce Security Review team, you’ll want to ensure that it complies with the relevant recommendations. Check out these guidelines that could help you spot potential security issues in the app.
- AppExchange Security Review
- Salesforce Security Guide
- Security Coding Guide
- Security Cloud Development Resources
- Open Web Application Security Project (OWASP)
- OWASP Top 10 Web Application Security Risks
- OWASP Testing Guide
- OWASP Secure Coding Practices-Quick Reference Guide
Don't forget to check out: The Open Web Application Security Project | Salesforce Developer Guide
3. Conduct Your Own Review with Security Scanners
You can take the initiative by running checks on your app with Salesforce-supported security scanners. The scanners are made available to ISV partners, and they are handy in discovering distinct security issues in the app.
Here are three scanners that proved to be useful
- Chimera - It’s a handy cloud-based app-scanning that runs on Heroku. Registered ISV-partners can use Chimera to run security checks on apps that are located on 3rd party platforms.
- Checkmarx - As Salesforce’s official security partner, Checkmarx provides comprehensive testing for apps that consist of Apex code, managed packages, and Visualforce components. It works by running scans on Salesforce AppCloud-hosted apps. Checkmarx offers a free but limited scanner and a paid version with access to all features. The scanner also allows scanning of all unpackaged codes in an organization, which requires the corresponding AuthorApex username.
- OWASP Zed Attack Proxy (ZAP) - This downloadable, free web scanning app is useful for testing security issues on app components that run on 3rd-party platforms.
As useful as they are, the scanners may not always discover all vulnerabilities in the app. Therefore, it’s still crucial to run manual tests on the app.
Occasionally, you’ll encounter a false positive error. The scanner may identify a known security issue but failed to detect the protective measures established. In such instances, you’ll need to document the problem in detail and enclose it in your review submission.
- Configure Security Testing External Environments
- You’ll need to test the app from the standpoint of end-users. To do that, follow these steps.
- Use Environmental Hub to set up a Partner Developer Edition org.
- Install the managed package in the org.
- Create multiple user profiles.
- Turn on My Domain for packages that have Lighting.
You’re now ready to proceed with security testing.
4. Hold A Discussion with the Salesforce Team
It doesn’t hurt to get in touch with the Salesforce security team before submitting the app. Reach out via the Salesforce Partner Security Portal to clarify issues that involve setting up custom elements. You can also clear doubts about documenting false positives or security issues in the discussion.
5. Get the Required Documentation and Credentials Ready
Help make the review smoother by ensuring the Salesforce security team has access to the environments, elements, and packages used in the app. Do so by providing concise and complement documentation and necessary credentials.
It’ll also be helpful to provide any usage guides, scanned security reports, and false positives documentation.
6. Security Review Submission
Upon completing the preparation, you’ll now need to submit the app for review. This can be done through the Partner Community Publishing Console. Use the Submission Wizard and attach the required documentation and credentials.
How Does The Salesforce AppExchange Security Review Work
Upon submission, your app will be verified by the Security Review Ops in 1-2 days. Once verified, it is lined-up in the submission queue. It takes about 4-6 weeks for the entire review process to complete.
During the review, the Salesforce security team will use threat-modeling profiles to run various tests on the app. The test checks for common vulnerabilities like:
- Possible SQL/SOQL injections.
- Threats from weak access control protocols and authentication.
- Platform-specific security issues. (e.g. record-sharing violations)
After completing the tests, the security team will compile known vulnerabilities in a report and send it over to you.
Check out an amazing Salesforce tutorial video here: What are Permission Sets (Object Level Security) in Salesforce?
What If You Failed?
The Salesforce AppExchange Security Review is a tough nut to crack. Approximately 50% of apps failed in the first submission. Rather than being disheartened, take the failure as an opportunity to improvise and create a better app that aces the test a second time around.
It starts by getting a more in-depth look at the review report. You’ll find known vulnerabilities described in detail in the report. Look up the table of contents to find out the types of security issues discovered. You’ll find an accompanying detailed description at the bottom of the tab.
Keep in mind that the Security Team has limited time to test the app and may miss out on particular vulnerabilities. To prevent new vulnerabilities from popping up in the subsequent review, you’ll want to try the app for possible issues that are not included in the report.
Teamwork is crucial in passing the resubmission review. So, bring your team together and run through existing security practices and strategies. Have your team members look through the report, figure out ways to fix the vulnerabilities, and extensively improvise the apps’ security.
Once you’re confident that security issues are ironed out, you’ll need to resubmit the app for review. You’ll need to resubmit the managed package on the Salesforce platform if you’ve made changes to it. If you’ve revised components on external platforms, be sure to submit the updated information via the wizard.
Thankfully, a resubmission is free as long as you’re using the same package ID and name.
If you’ve been meticulous in the resubmission process, you’re likely to pass the Security Review process. This is followed by an approval email, which contains specific instructions for publishing the app on AppExchange.
Both protection and security are crucial for data protection, and you’ll need to keep that in mind when building an app. Ensure that you test and rectify known vulnerabilities before submitting your app to the Salesforce AppExchange Security Review team.
Are you confident in passing the SalesForce AppExchange Security Review? If you’re not, our team is ready to help you through the tedious process. We’ve been assisting other clients to do the same, and our experience will be handy to ensure that you achieve the same positive results.