If you are an ISV partner, you are always in one of three phases when it comes to Security Review: (1) you've been there, done that, and passed with flying colors (congrats!), (2) you are going through a review right now (good luck!), or (3) you are preparing your app for a review (you ARE preparing, right?!). Without the right tools and resources, preparing for Security Review can feel like being stranded on a deserted island, with only a Wi-Fi hotspot, a managed-released package, and a pocket knife. Fortunately, your friendly Partner Operations team has come to the rescue with some tips and tricks to help you become a successful Security Review survivor.

      1. Signal your ISV Account Executive. Speak to your AE as soon as possible to avoid unnecessary delays. Each individual application must have a signed contract before we can initiate your Security Review. Enrolling in the AppExchange Checkout program is an acceptable alternative, but your AE will direct you to whichever program is best suited to each of your offerings.
      2. Utilize your resources. The security team has created a robust and easy-to-navigate wiki full of useful information. That page outlines everything we're looking for; master it and you'll be able to go to market in no time. But don't stop there: you can also access free Security Review training via the APP Academy (Partner Portal login required).
      3. Assess danger early and often. Internal testing and fixing issues early is key. After an app fails, it re-enters the same first-come, first-served queue; in other words, retesting puts you at the end of the line. The upfront work WILL pay off, so test, fix, and repeat before submitting.
      4. Grab a life vest. We're here to help! Log a case in the Partner Portal with any process-related questions. We are trying to work with you rather than "assess" you, so register for a time to speak with a technical contact on the security team via their office hours.
      5. Watch out for savages! If your Burp Suite or Checkmarx scan results contain anything listed in the requirements checklist, or your app doesn't meet best practices like those described by OWASP, it will get rejected and you will stay stranded. Are the locals friendly, that is, are the findings false positives? Great! Just attach a detailed explanation of why each finding does not apply when prompted during the submission wizard; an unexplained scanner finding is treated as a real one.
      6. Enjoy the weather. Trust is everything at salesforce.com, and ensuring the security of applications on our platform does take time. You can expect 4 to 6 weeks to receive results. Please make sure the credentials to your test environment do not expire within this time frame, or the review will stall. Feel free to check the status of your review in the Partner Portal at any time.

Have other tips to share? Please leave a comment!


  • Naveen Gabrani

    A question about point number 1. If an organization has multiple apps, do we need to have signed contract for each of the apps? Or one signed contract can cover all apps from an organization.
    Thanks,

    • Aaron Hoffmeyer

      Hi Naveen, great question. Each application requires its own signed contract. This is the most common (and longest) delay we see in the process, so it's important to have a discussion with your ISV AE as early as possible. -Aaron

  • http://twitter.com/SFDC_Developer Mitesh Sura

    Continuing on Naveen's Q, could Salesforce not have one contract per company, rather than per application?
    As a guest user mentions in the comment, it is the longest process and a total waste of ISV time.

    Sure, we can mutually make changes to agreement, as and when ISV releases new app.

    • Aaron Hoffmeyer

      Hi Mitesh, we're constantly working to improve this process, but each application is considered a separate entity and has to go through an approvals process to be enrolled in the program. Speaking to your AE about your intentions early on is the best way to avoid waiting through this step when you're ready to submit for security review.

      • http://twitter.com/SFDC_Developer Mitesh Sura

        Thanks Aaron. I already did that, and my app has been under review for the past 2 months now! Are you seeing a flurry of new apps? I wouldn't be surprised, because the platform is just awesome!