If you are an ISV partner, you are always in one of three phases when it comes to Security Review: (1) you’ve been there, done that, and passed with flying colors (congrats!), (2) you are going through a review right now (good luck!), or (3) you are preparing your app for a review (you ARE preparing, right?!).  Without the right tools and resources, preparing for Security Review can feel like being stranded on a deserted island – with only a wifi hotspot, managed-released package, and a pocket knife.  Fortunately, your friendly Partner Operations team has come to the rescue with some tips and tricks to help you become a successful Security Review survivor.

      1. Signal your ISV Account Executive. Speak to your AE as soon as possible to avoid unnecessary delays. Each individual application must have a signed contract before we can initiate your Security Review. Enrolling in the AppExchange Checkout program is a sufficient alternative, but your AE will direct you to whichever program is best suited for each of your offerings.
      2. Utilize your Resources. The security team has created a robust and easy-to-navigate wiki full of useful information. This page outlines everything we’re looking for; master it and you’ll be able to go to market in no time. But don’t stop there–you can also access free Security Review training via the APP Academy! (Partner Portal login required)
      3. Assess danger early and often. Testing internally and fixing issues early is key. After an app fails, it will reenter the same first-come, first-served queue… in other words, retesting puts you at the end of the line. The upfront work WILL pay off, so test, fix, and repeat before submitting.
      4. Grab a life vest. We’re here to help! Log a case in the partner portal with any process-related questions. We are trying to work with you rather than “assessing” you, so register for a time to speak with a technical contact in the security team via their office hours.
      5. Watch out for savages! If your Burp or Checkmarx scan results contain anything listed in this requirements checklist, or your app doesn’t meet best practices like those described by OWASP, it will get rejected and you will stay stranded. Are the locals friendly? Great! Just attach a detailed explanation when prompted during the submission wizard.
      6. Enjoy the weather. Trust is everything at salesforce.com and ensuring the security of applications on our platform does take time. You can expect 4 to 6 weeks to receive results. Please make sure the credentials to your test environment do not expire within this time frame. Feel free to check the status of your review here in the partner portal at any time.

Have other tips to share? Please leave a comment!
