Top 3 Tools to Ace the AppExchange Security Review


Posted by Seethu Maria Mathew


If there is one thing you cannot overlook while gearing up to launch your firstborn app on the touted AppExchange, it’s the security review process. Your talented developers may shriek in fear on hearing the term, but let’s face it: the AppExchange security review is not a buzzword but a necessary evil that every app must go through. Salesforce considers it the epitome of the trust they have with their customers, and they will not compromise their security standards at any cost. Your only choice is to devise a security plan that’s airtight, conforms to Salesforce standards and will be adored by your customers.

To say that it’s a herculean mission is an understatement. Did you know that over 50% of apps fail their first attempt at the AppExchange security review? The security review process can take several weeks, and it may not be what you anticipated. The product review team goes through each and every line of code written and hunts down every mistake you’ve considered insignificant. These unexpected setbacks can dampen your spirits unless you have a trusted AppExchange development partner to back you up with prompt action from the security champions in your team. ISVs who are vying for the limelight at the Dreamforce event need to meet tight deadlines to get reviewed and listed on AppExchange. So not getting it right the first time may take a toll not only on your bottom line, but also on the valuable time of your development team.

Conducting a security check on your own is one of the most crucial steps in preparing for the AppExchange security review. You can use security scanners to discover security risks that may hamper the Salesforce platform and its users. These tools may not be an exact simulation of the AppExchange review program, but they do help you prevent rookie mistakes that lead to unnecessary review rounds. Our in-house experts recommend these three scanners as most suitable for Salesforce and third-party applications preparing for the review submission:

  1. Chimera
  2. Checkmarx
  3. ZAP


Chimera is a fully featured cloud-based web security scanner that runs on Heroku. You can conduct a free security scan using Chimera. The main highlight of this Salesforce-supported scanner is its ‘fire and forget’ scanning ability: once you have assigned a target, it guides itself through the testing process. It is best used to conduct security checks on external applications that run on third-party platforms.

What to know about Chimera?

  • Chimera checks for security risks in the external endpoints of a solution, and you can only scan web applications that you have developed or own. Chimera assumes that you have access to the root of the application, so you can upload a token to the root of the external server: download an abuse prevention token by clicking on ‘Download Token’.
  • It runs security scans from a Salesforce IP address.
  • You must be registered as an AppExchange partner for using Chimera. 
  • The remote system should be publicly accessible through the internet and shouldn’t call for any additional network configuration.   
  • Expect 4-16 hours of scanning to get the final report.


Checkmarx is Salesforce’s official security partner and hence offers extensive testing for apps that comprise Apex code, Visualforce components and managed packages. Unlike Chimera, Checkmarx cannot run checks on external solutions. You can use this scanner for apps entirely native to the Salesforce platform. It does offer free scanning services, but they are limited to three Checkmarx runs per solution. If you wish to scan unmanaged packages, you’ll have to buy a license, which can be a costly affair.

What to know about Checkmarx?

  • It is a Static Application Security Testing tool (SAST) that checks for vulnerabilities within source code such as SQL injection, cross site scripting, access control issues, forgery attacks etc.
  • It checks for threats in Apex code such as DML statements inside loops, SOQL/SOSL inside loops, hardcoded IDs etc.
  • It is compulsory for any security review submission that would include a Salesforce package or component, although it is not needed for mobile clients or API solutions.
  • After submitting for scanning, you will get the result through email.
  • The company using Checkmarx to scan must have fewer than 2 million lines of code (limited to 360,000 lines of code) and should be Metadata API enabled.
  • They should not use IP access control that hinders access from Salesforce IP.
  • Unmanaged packages will be scanned, but source code within managed or unmanaged packages will not be scanned, so as to prevent the scanning of code unrelated to your application.
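
As an added illustration (not part of the original post, and not Checkmarx's own logic), the Python pre-check below flags the three Apex patterns named in the list above, so obvious cases are caught before one of the limited free scans is used. It is a line-based heuristic that assumes one statement per line and braces around loop bodies; `scan_apex`, the rule names and the sample method are hypothetical.

```python
import re

# Heuristic patterns (Apex is case-insensitive, hence re.I).
LOOP = re.compile(r"\b(for|while|do)\b", re.I)
SOQL = re.compile(r"\[\s*(SELECT|FIND)\b|\bDatabase\.query\s*\(", re.I)
VERBS = "insert|update|upsert|delete|undelete|merge"
DML = re.compile(rf"^\s*({VERBS})\s+\w|\bDatabase\.({VERBS})\s*\(", re.I)
HARD_ID = re.compile(r"'[0-9a-zA-Z]{15}(?:[0-9a-zA-Z]{3})?'")  # 15/18-char Id literal

def scan_apex(source):
    """Return (line_number, rule) findings for one Apex source string."""
    findings, depth, loop_depths, pending = [], 0, [], False
    for n, raw in enumerate(source.splitlines(), 1):
        line = re.sub(r"//.*", "", raw)      # drop line comments
        in_loop = bool(loop_depths)          # state before this line's braces
        if HARD_ID.search(line):
            findings.append((n, "hardcoded-id"))
        # Header of an outermost loop runs once: report only inside an open body.
        for rule, pattern in (("soql-in-loop", SOQL), ("dml-in-loop", DML)):
            if in_loop and pattern.search(line):
                findings.append((n, rule))
        if LOOP.search(line):
            pending = True                   # the next '{' opens a loop body
        for ch in line:
            if ch == "{":
                depth += 1
                if pending:
                    loop_depths.append(depth)
                    pending = False
            elif ch == "}":
                if loop_depths and loop_depths[-1] == depth:
                    loop_depths.pop()
                depth -= 1
        if pending and line.rstrip().endswith(";"):
            pending = False                  # `} while (x);` or a brace-less loop
    return findings

# Constructed sample method, not taken from any real package.
SAMPLE = """\
public static void run(List<Account> accts) {
    Id owner = '001A1B2C3D4E5F6';
    for (Account a : [SELECT Id FROM Account LIMIT 10]) {
        List<Contact> cs = [SELECT Id FROM Contact WHERE AccountId = :a.Id];
        update a;
    }
    update accts;
}
"""
```

Calling `scan_apex(SAMPLE)` reports lines 2, 4 and 5; the query in the `for` header on line 3 and the bulk `update accts` on line 7 are not flagged.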


Zed Attack Proxy (ZAP) is another security tool that can be used to run security checks on apps hosted on third-party platforms. The OWASP tool is absolutely free and has a simple interface, which encourages smaller companies and beginners to use it before submission.

What to know about ZAP?

  • It is an open source web application security scanner which can be used by both amateur and professional penetration testers alike.
  • Being a cross-platform tool written in Java, it is available on multiple platforms.
  • It can be configured as a proxy and can act like an attacker by recording and manipulating traffic to change parameters. 
  • You can use ZAP if your solution connects to external endpoints that you don’t own.

Limitations to consider

While all three scanners are excellent for the preparatory phase of your AppExchange security review, do note that they are not entirely free from false negatives and false positives. A false negative is when a scanner fails to identify an existing vulnerability or threat in an app, whereas a false positive occurs when a scanner misinterprets an irrelevant error as an actual bug. This means the scanners do not provide a 100% replica of the report you are going to receive from the product security review team. But getting a ‘Pass’ through these tools is certainly a signal of your security review success.

What’s your favorite tool among the three? If there is any additional info you’d like to share, please feel free to comment below. Or if you have a Salesforce project in mind, contact our expert Salesforce consultants to transform your Salesforce application idea to reality.

