How To Pass Salesforce AppExchange Security Review
Salesforce doesn’t joke when it comes to the security of its products and its users’ data. Even with the growing popularity of AppExchange, a trusted marketplace that by 2019 counted nearly 7.5 million installs, 4,000+ solutions and 90,000 reviews, Salesforce keeps its security standards in the same (great) shape.
The Salesforce Product Security team carefully monitors the security of the marketplace and the products offered on it by conducting the Salesforce Security Review. So, if you’re going to publish your solution on the AppExchange, security has to be a key feature.
In this article, you’ll find all the necessary information about the Salesforce AppExchange Security Review. You’ll learn how to prepare for this process to complete it successfully. You’ll get to know how the Security Review works and what to do if you didn’t pass it on your first try. And, the icing on the cake will be a comprehensive checklist that will help you prepare and pass the Security Review triumphantly.
What Is Salesforce AppExchange Security Review?
Security Review is the process of verifying whether an app is vulnerable to the most common attacks. The Salesforce security team conducts various meticulous tests before adding the app to the AppExchange marketplace, and the app has to meet Salesforce’s strict security requirements. This is how customers can be assured that any AppExchange app offers the highest level of protection for their data.
- The Initial Security Review fee is $2550.
- The Annual Listing fee is $150.
- There is no cost for free apps.
How to Prepare for the Security Review
1. Devise your security strategy. A coherent, structured security strategy helps protect your app and prepare for the ISV Security Review. It’s important that each team member treats security as a priority when developing and testing the app. But it can and does happen that some issues go undetected in the rush of building a product, or for many other reasons.
In this case, it’s a good idea to assign a security manager who is responsible for your app’s security. He or she can spot issues and relay them to the developers before the Security Review.
There are some points that you have to pay attention to in each stage of development:
- Design. Think about how users will interact with your app and which features they’ll use most, and identify the potential vulnerabilities. You can also define specific use cases to focus testing on those vulnerabilities.
- Implementation. Discuss secure coding strategies and security issues with your security manager and team members. Enrich your coding style guide with secure coding guidelines.
- Test. Create repeatable tests and use them throughout development.
2. Review the Salesforce security documentation. Make sure your app meets the Salesforce security requirements prior to submitting it to the Security Review. Here are the main resources that you can use to examine your app for security vulnerabilities:
- AppExchange Security Review
- Salesforce Security Guide
- Security Coding Guide
- Security Cloud Development Resources
- Open Web Application Security Project (OWASP)
- OWASP Top 10 Web Application Security Risks
- OWASP Testing Guide
- OWASP Secure Coding Practices-Quick Reference Guide
3. Use security scanners to conduct your own review. Security scans are available to ISV partners and let you test your app for specific vulnerability patterns. There are three scanners supported by Salesforce:
- Checkmarx. This is the essential Salesforce security scanner if your app has Visualforce components, Apex code and managed packages. Its scan applications are hosted on the Salesforce AppCloud. You get three free scans per package version; if you need more, contact the Checkmarx team. With this scanner you can perform a static analysis scan of all unpackaged code in your org.
- Chimera. This scanner is useful if parts of your app run on an external platform that you manage. The service is powered by Heroku, a cloud application platform, and offers the best of open-source scanning technology for testing your app.
- ZAP. Use this free scanner if parts of your app sit on an external domain that you don’t control. It does require installation on your local system.
It’s important to understand that these security tools find most of the vulnerabilities in your product, but not all of them. Therefore, manual testing is recommended as well.
A scanner may also report a false positive: a finding that isn’t a real problem, for example because you have protected against a vulnerability pattern in a way the scanner doesn’t recognise. In this case, prepare a document that describes and explains the case in detail and add it to the security review materials.
4. Test and prepare your environments for security testing. At this stage, put yourself in your customer’s shoes and test your app from that perspective. First, create a Partner Developer Edition org via Environment Hub. Then install your managed package in the org and create as many users as you have profiles. Enable My Domain if the package contains Lightning components. Your external environments should be prepared for security testing as well.
5. Book office hours with the security team. You can talk to the Salesforce technical security team on the Salesforce Partner Security Portal if your app has a custom element that requires extra configuration, or if you have a finding but doubt whether it is a false positive or how it should be documented.
6. Prepare all the necessary documentation and provide valid credentials. During the Security Review, the Salesforce security team will need access to all your packages, environments, and external elements included in your app. Also, you need to provide usage instructions, a false positive document, and scan reports.
7. Submit to Security Review. The last but not least step is to submit to a security review in the Partner Community Publishing Console. You do that via the Submission Wizard, where you add the necessary documents and provide login credentials.
Security Review Process
After you submit your app for Security Review, Security Review Ops verifies your submission, which usually takes 1-2 days. Then the submission is added to the product security queue. The whole ISV Security Review process takes approximately 4-6 weeks.
During this time the Salesforce security team performs different tests by using threat-modelling profiles. Here are the most common security threats they check for:
- SOQL and SQL injection
- Non-secure authentication and access control protocols
- Vulnerabilities that are specific to the Salesforce platform, such as record-sharing violations
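As an added illustration (not code from the article or from Salesforce), the following Apex shows two of the Salesforce-specific findings listed above next to their hardened forms: a SOQL injection through string concatenation in dynamic SOQL, and a record-sharing violation from a class declared `without sharing`. The class and method names are assumptions; the two classes are shown together here for comparison, although in an org each would live in its own file.

```apex
// Added example; class and method names are illustrative.
// Vulnerable: user input is concatenated straight into dynamic SOQL, and the
// class runs without sharing, so it can return records the caller may not see.
public without sharing class ContactSearchVulnerable {
    public static List<Contact> search(String lastName) {
        // A value containing a single quote changes the meaning of the query
        String soql = 'SELECT Id, Name, Email FROM Contact '
                    + 'WHERE LastName = \'' + lastName + '\'';
        return Database.query(soql);
    }
}

// Hardened: the class enforces the running user's sharing rules, the input
// is passed as a bind variable (never part of the query text), and
// WITH SECURITY_ENFORCED applies object and field-level security.
public with sharing class ContactSearchSafe {
    public static List<Contact> search(String lastName) {
        return [SELECT Id, Name, Email
                FROM Contact
                WHERE LastName = :lastName
                WITH SECURITY_ENFORCED];
    }

    // When the query must be built dynamically (e.g. optional filters),
    // keep the user value out of the string and bind it instead.
    public static List<Contact> searchDynamic(String lastName, Boolean withEmail) {
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE LastName = :lastName';
        if (withEmail == true) {
            soql += ' AND Email != null';
        }
        soql += ' WITH SECURITY_ENFORCED';
        // Database.query resolves :lastName from this method's scope
        return Database.query(soql);
    }
}
```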
Finally, the Product Security team validates the test results and writes a report listing the security vulnerabilities found in your app. After that, Security Review Ops sends you the results of the Security Review.
What to Do If You Didn’t Pass the Security Review?
Security Review isn’t an easy test for your app. Half of all submitted offerings fail their first security test. Treat this “fail” as valuable feedback for improving the quality of your app and passing the security review on the next attempt.
In the report, you’ll find specific descriptions of the issues found in your product. There is also a hyperlinked table of contents in which each entry identifies the kind of security vulnerability, with a detailed description of each issue below it.
The security team has a limited amount of time to find vulnerabilities in your app, so they may find new ones when the app is re-reviewed. You therefore need to test your app carefully for all kinds of vulnerabilities, not only those covered in the report.
Get together with your team and review your practices and security strategy. This meeting is the place to discuss the Security Review report, work out how to fix the vulnerabilities and improve your overall approach to the security of your app.
When you’ve improved the security of your app and eliminated the issues, it’s time to submit to a security review again. If you changed code that runs on the Salesforce platform, you have to upload a new version of your managed package. If you made external changes, update the information in the wizard.
The good news is that you don’t have to pay the setup fee again. Your resubmissions are treated as the same offering as long as your package ID and name don’t change.
When your app passes the Security Review successfully, you’ll get an approval email. There you’ll find information about the next steps to do to launch your product on the AppExchange marketplace.
When designing your app, keep its security and the comprehensive protection of its data in mind from the start. Testing for and fixing common vulnerabilities are must-do steps before submitting your solution to the Salesforce AppExchange Security Review.
Do you still have concerns about passing the security review? MagicFuse can assist you in preparing for and handling this process seamlessly. Professionals with great experience in releasing AppExchange apps will provide you with the confidence and full support necessary for passing the Security Review.