Getting through Developers’ Hell: How to pass the AppExchange Security Review?
Posted by Seethu Maria Mathew
Salesforce is unforgiving when it comes to data security and for good reasons. They consider customer trust as pivotal for their enormous success created over the decades. Now with the growing popularity of AppExchange which recently marked 9 million installs and 5,000+ solutions as of April 2021, there has not been not an iota of doubt regarding Salesforce’s high standards when it comes to product quality and it continues to be so. No wonder developers dread the AppExchange security review!
This blog covers all the necessary information you need to know about the Salesforce AppExchange Security Review process and how to bag that approval status.
What is AppExchange Security Review?
AppExchange Security Review is the process of monitoring an app’s vulnerability to security issues in various scenarios like data breach, phishing attacks and so on. It is a compulsory process every app must go through before being listed on AppExchange. The Salesforce security Review is conducted by the Salesforce product security team who tests all security aspects of your app in detail using threat modeling profiles. The cost for initial Security Review is $2,700 USD for paid apps and nil for free apps.
STAGE 1: Preparing for Security Review
1. Focus on security strategy
You should focus on establishing a detailed security strategy while developing your application. Salesforce adheres to the Open Web Application Security Project(OWASP) document, which is a guideline for developers on a list of software security and risks. Make sure to be thorough with these guidelines as this will be strictly enforced in the Salesforce AppExchange Security Review. Also, don’t forget to implement CRUD/FLS Create/Read/Update/Delete permissions as this helps you have a control on who accesses specific objects within an org. If you can, it’s best to hire a dedicated security manager to supervise your development team. A security manager is familiar with high level security risks and other vulnerabilities associated with your product and will be a helpful resource in winning the security review process.
2. Conduct self review with essential scanners.
Here are some automated tools that will come in handy during the process:
- Chimera- It runs on Heroku. Use this scanner to conduct security checks on applications that run on third party platforms.
- Checkmarx- It is Salesforce’s official security partner and hence offers extensive testing for apps that comprises Apex code, Visualforce components and managed packages.
- ZAP: Zed Attack Proxy (Zap) is a free security tool which can be used to run security checks on apps that run on third party platforms.
3. Keep your documentations ready
Make sure that the Salesforce security review team has access to packages, environments, and external elements in your app.
STAGE 2: Submitting for Review
After you’re fully prepared, the next step is to submit the app for review. You can submit the app through the Partner Community Publishing Console. Use the Security Review Wizard and upload the required documentation and other credentials.
STAGE 3: The Security Review Process
The security review process takes about 4-8 weeks to complete. The security review team works from a ‘hacker’s perspective’ and tries to penetrate the security layers you have built for your app. They will detect all possible vulnerabilities such as:
- Violation of Apex code best practices
- SQL/SOQL injections
- Cross-site scripting (XSS) software attacks
- Unauthorized authorization and access to data
- Insecure Cryptographic storage
The review process is extremely rigorous and can take upto a month to complete. You will get a status report once the review is completed.
Possible outcomes of the Security Review Report
After your product is completely reviewed, you will be notified with one of the following statuses:
Pass: You have cracked the review and can immediately get listed on AppExchange
Provisionally approved: The report suggests a couple of low to moderate risks that can be solved within a particular time period.
Not approved: The security review team has identified high risk issues which can potentially harm the Salesforce platform and its users.
What if you fail the Review?
Don’t be disheartened if you fail the first time. Salesforce review is most certainly not a cakewalk. Talk to your team on what may have gone wrong. Discuss the report in detail. After you have corrected all the issues, submit for a re-review. You do not have to pay a set-up fee again. You will get an approval mail if you have passed the review this time.
Speaking of which, how prepared are you for the AppExchange Security Review?
If you feel you need help, don’t hesitate to hit us up for some expert advice on AppExchange development services.