April 6, 2021
Whether you’re a new entrepreneur launching your first app, a seasoned AppExchange pro with multiple solutions on the marketplace, or somewhere in between, you can still relate to that feeling of accomplishment that sweeps over you with these words:
“Congratulations! Your application has passed our Security Review process.”
Salesforce requires all AppExchange and OEM applications to pass a security review before listing the app on AppExchange for distribution to any customers. The aim is to develop a culture of trust by ensuring that all apps meet a baseline set of security standards and best practices. Failure to pass the Salesforce security review could lead to major delays and revisions to the apps just before the full rollout.
Here are some guidelines to make sure your application makes the cut:
Build a structured security strategy into development from the start rather than bolting it on just before the ISV Security Review. Every team member must treat security as part of building and testing the app, but in the rush of shipping a product, issues do slip through. So it is a good idea to assign a security owner who is responsible for due diligence and accountable for any lapses in the app's security. A Salesforce professional in that role can recognize issues and communicate them to the developers before the app goes to Security Review.
Remember that your app should already meet the Salesforce security requirements before you submit it for Security Review. The resources to check your app against include the Salesforce Security Guide, the Salesforce Secure Coding Guide, and the OWASP (Open Web Application Security Project) Testing Guide.
Once you are familiar with the documentation, put yourself in your customer's shoes and test the app from that perspective. First, create a Partner Developer Edition org through the Environment Hub. Then install the managed package in that org and create the user profiles your customers would actually use, so that you test with their permissions rather than as a system administrator. Enable My Domain if the package contains Lightning components. Any external environments the app depends on (web services or endpoints it calls) should be prepared for security testing in the same way.
Security Review does not allow secrets to be stored in Apex code. That rules out hard-coding a key in a class, and it also rules out the common workaround of putting the literal in a post-install script that copies it into a protected custom setting, because the secret still ships in the package source. This makes storing secret keys awkward. One of the easiest solutions, as suggested here, is to store the secret key as the default value of the protected custom setting's field so that it never appears in Apex; the other accepted patterns are a protected custom metadata type for values the partner owns, a protected custom setting that the package's own setup page populates at runtime from admin input, and Named Credentials for credentials to external services, which let the platform hold the secret instead of your code.
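The following Apex is an added example written for this post, not code from the original article or from any Salesforce product. It shows the hard-coded pattern that Security Review rejects next to the accepted pattern of reading the secret from a protected hierarchy custom setting at runtime, with a fail-closed check when the value has not been configured. The object and field names (Integration_Settings__c, Api_Key__c, Integration_Secret__mdt) are assumptions for illustration.

```apex
// Added example, not from the original post. Assumed metadata shipped in the
// managed package: a protected hierarchy custom setting Integration_Settings__c
// with a text field Api_Key__c, and a protected custom metadata type
// Integration_Secret__mdt with a text field Value__c.
public with sharing class SecretStore {

    // ANTI-PATTERN (flagged by Security Review): the secret lives in source
    // and ships to every subscriber org in the package.
    // private static final String API_KEY = 'sk_live_EXAMPLE_DO_NOT_DO_THIS';
    //
    // Equally rejected: a post-install script that writes that same literal
    // into a protected custom setting; the literal is still in Apex.

    public class SecretNotConfiguredException extends Exception {}

    // Accepted pattern: read the org-level record of a protected custom
    // setting. Because the setting is protected, subscriber admins cannot
    // read it through Setup or the API; only code in the package namespace can.
    public static String getApiKey() {
        Integration_Settings__c s = Integration_Settings__c.getOrgDefaults();
        if (s == null || String.isBlank(s.Api_Key__c)) {
            // Fail closed. Never fall back to a literal here, or the literal
            // becomes the secret and you are back to the anti-pattern.
            throw new SecretNotConfiguredException(
                'Api_Key__c is not set on Integration_Settings__c org defaults.');
        }
        return s.Api_Key__c;
    }

    // Called from the package's own setup page so an admin-entered key is
    // written at runtime instead of being shipped in source. Code running in
    // the package namespace may write a protected custom setting.
    public static void setApiKey(String key) {
        if (String.isBlank(key)) {
            throw new SecretNotConfiguredException('Key must not be blank.');
        }
        Integration_Settings__c s = Integration_Settings__c.getOrgDefaults();
        s.Api_Key__c = key;
        upsert s;
    }

    // Alternative for partner-owned secrets that must ship with the package:
    // a protected custom metadata record. Its values are packaged as metadata,
    // not as Apex, and are hidden from subscribers when the type is protected.
    public static String getPackagedSecret(String developerName) {
        Integration_Secret__mdt rec = Integration_Secret__mdt.getInstance(developerName);
        if (rec == null || String.isBlank(rec.Value__c)) {
            throw new SecretNotConfiguredException(
                'No Integration_Secret__mdt record named ' + developerName);
        }
        return rec.Value__c;
    }
}
```

Whichever store you use, the thing the reviewer looks for is simple: grep the package source for the key and find nothing. The runtime path (setApiKey from a setup page) also means each subscriber gets its own key, which is what you want for per-customer API credentials.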
The Salesforce security review isn't only about unearthing security vulnerabilities. Code quality and other non-security aspects deserve attention too. Typical checks include: one trigger per object with the logic in a handler class; triggers that do not reference any hard-coded record IDs (IDs differ between your dev org and every subscriber org); bulkified trigger logic, which you can verify by running the Data Loader against each triggered object; and validation logic that is applied to every record in a batch rather than only the first one. Many of these considerations aren't mandatory; nevertheless, checking for them is a good move from a quality standpoint.
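The following Apex is an added example written for this post, not code from the original article, illustrating the code-quality points above: a single trigger per object delegating to a handler, a record type resolved by DeveloperName instead of a hard-coded Id, a single query for the whole batch, and validation applied to every record. The object is the standard Account; the "Partner" record type and the validation rules are assumptions for illustration. The trigger and the handler are two separate files in an org and are shown together here only for readability.

```apex
// Added example, not from the original post. Two files are shown in one block.

// ---- file: AccountTrigger.trigger ----
// One trigger per object; all logic lives in the handler so it is unit-testable
// and cannot fire twice from two competing triggers on the same object.
trigger AccountTrigger on Account (before insert, before update) {
    AccountTriggerHandler.beforeInsertOrUpdate(Trigger.new);
}

// ---- file: AccountTriggerHandler.cls ----
public with sharing class AccountTriggerHandler {

    // ANTI-PATTERN: a record Id baked into code. Ids are org-specific, so this
    // silently breaks in every subscriber org after install.
    // private static final Id PARTNER_RT = '0125g000000abcdAAA';

    // Resolve the record type by DeveloperName via the describe API instead:
    // org-independent, and it costs no SOQL query.
    private static Id partnerRecordTypeId() {
        Schema.RecordTypeInfo rti = Account.SObjectType.getDescribe()
            .getRecordTypeInfosByDeveloperName().get('Partner');  // assumed record type
        return rti == null ? null : rti.getRecordTypeId();
    }

    public static void beforeInsertOrUpdate(List<Account> newAccounts) {
        Id partnerRt = partnerRecordTypeId();

        // Bulkified: collect keys first, query once, then loop. A Data Loader
        // run of 200 records must not execute 200 SOQL queries, or it hits
        // governor limits and the whole batch fails.
        Set<Id> ownerIds = new Set<Id>();
        for (Account a : newAccounts) {
            ownerIds.add(a.OwnerId);
        }
        Map<Id, User> owners = new Map<Id, User>(
            [SELECT Id, IsActive FROM User WHERE Id IN :ownerIds]);

        // Validation runs for EVERY record in the batch, never only newAccounts[0].
        for (Account a : newAccounts) {
            User owner = owners.get(a.OwnerId);
            if (owner != null && !owner.IsActive) {
                a.addError('Owner must be an active user.');
            }
            if (partnerRt != null && a.RecordTypeId == partnerRt
                    && String.isBlank(a.Website)) {
                a.addError('Partner accounts require a Website.');
            }
        }
    }
}
```

To confirm the handler is bulk-safe, insert 200 or more Accounts in one Data Loader batch in the test org and check that the operation neither hits the SOQL query limit nor validates only the first record.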
If you are unsure whether a scanner finding is a real vulnerability or a false positive, or how to document it, you can raise it with Salesforce's product security team through the Salesforce Partner Security Portal before you submit.
During the Security Review, the Salesforce security team needs access to every package and external component your app uses. You also need to prepare usage instructions for the reviewers, a false-positive document explaining any scanner findings you believe are not real issues, and the scan reports themselves. Make sure you have these on hand.
The final step is the submission itself, made from the Publishing Console in the Partner Community. The Submission Wizard there lets you attach the required documents and provide logins to your test environments; check everything before you submit, because an incomplete or erroneous submission costs you a round trip.
Once you submit your app for Security Review, the Security Review team first verifies your submission. It usually takes 1-2 days before the submission is added to the product security queue. The entire ISV Security Review process takes approximately 4-6 weeks. During this time, the Salesforce security team performs a series of tests using threat-modeling profiles.
All of this can make clearing Security Review seem daunting, but with the right professionals it is manageable. Contact us at firstname.lastname@example.org for Salesforce consultation, and our experts will help you through the Security Review process and publish your app on AppExchange.