Salesforce’s AppExchange

Part 6: Security Review Process for AppExchange Applications


  • Guidelines, Checklists and other Resources to refer to
  • The Trust Academy offers practical, hands-on experience in the fundamentals of application security on the platform, how-to guidance on penetration testing tools like ZAP and Burp, and detailed instructions for how to submit for Security Review. You might also want to take the Security Review Trailhead Module.
  • Scanning:
    • Self-Service Source Code Analysis: the Source Scanner Portal can be used by AppExchange Partners developing integrations for the AppExchange. It performs a static analysis scan of all unpackaged code developed on the Platform in your organization. When you enter the username of your development org, all the components (Apex classes, Visualforce pages) will be scanned. Analyze the report, and act on every problem point it highlights. This free service is a partnership with Checkmarx. Once the issues are addressed and Checkmarx reports a clean result, proceed to the next tool. If Checkmarx returns anything besides “code quality” issues, you must either resolve them or provide a document detailing why they are false positives.
    • Scan External Integrations and Web Application Security
      • The Web Application Security Scanner is a multipurpose web application security tool based on the commercial application Burp Suite. It is recommended to create a new developer org and install the managed package in that org. Once the Burp scanner completes the scanning process, a report for the app is generated in .html format. A false-positive report is created for all medium and low issues. To know more about the Burp Security process, check here.
      • Run a free Web Application Security Scan with Chimera to help secure future AppExchange-listed web applications. Once your web-based application is ready to be scanned, use Chimera to take care of figuring out how to log in to your application and run a battery of different tests and scans. After the scan, a consolidated report with all issues, warnings, and informational notes is emailed to you.
      • You can also set up ZAP locally to run a Web Application Security Scan against any external web application that is integrated with
  • To seek help from Salesforce about the Submission Process and Security Review, sign up here.
  • If you create sample records for your custom objects, you will quickly find out whether you are missing something. A good trick is then to clone records by clicking the Clone button on the record’s detail page. For importing (adding and loading) data, the AppExchange Data Loader and the Excel Connector are available for free to Enterprise Edition customers. Professional Edition customers can now use the Excel Connector as well.
  • You can test the beta package in a partner testing organization (Enterprise, Professional or Group Editions are available).
  • Manual and automated code review, scanning and testing: manually test your app to ensure it meets review requirements that the tools do not check. You can use the OWASP Testing Guide for help.
  • Architecture review
  • Web server testing

Note: If you are not sure whether something is in scope (e.g. credentials for web services), include it anyway. Provide access to any environments, packages, and external components your app uses, and include any documentation that comes with your product. If the Security Review team determines that something is missing, there will be delays.

After all of the above have been taken care of, you can submit your app for Security Review. You will receive an email within 48 business hours confirming the submission. Retain this email as evidence of your submission, including its time/date stamp.

