As the saying around the salesforce.com office goes, “Dreamforce is just around the corner!” For ISV Partners this is particularly relevant because this year’s security review submission deadline (login required) is quickly approaching! All offerings must be submitted and processed into the Security team’s queue by September 8, 2013. Getting in by the deadline means you will get one test by Dreamforce. Retests are not guaranteed, so it’s better to submit much sooner to ensure there is time for any unexpected delays, like failure. With that in mind, we’ve created the following checklist to help ensure that your submission is complete and accurate.

Before you click submit, have you…

  • Received confirmation from your ISV Account Executive that your offering is fully enrolled / contracted into the AppExchange Partner Program?

  • Attached clean Checkmarx results for apps with Native force.com components? If Checkmarx returns anything besides “code quality” issues, you must either resolve or provide a document detailing false positives.

  • Attached clean BURP results for apps with Composite components? If BURP returns anything besides “information” issues you will need to resolve or explain in a false positives document as well.

    Note: The scans will not catch everything. Too much reliance on tools and not enough on secure design, secure development and manual testing will likely result in a fail.

  • Provided working credentials to an end-to-end test environment with only the package submitted for review installed? (An exception applies if the package depends on other packages to function.) We recommend creating a new test org from the partner portal for this purpose.

    Note: We cannot accept sandboxes, active production orgs, or packaging DE orgs where the app was developed.

  • Provided working credentials to all Composite components of your offering, such as web services?

    Note: If you are not sure if something is in scope, include it anyway! If we determine something is missing there will be long delays.

Confident that you’ve met these requirements? Then hit that submit button! You will receive an email within 48 business hours to confirm that you’ve been submitted into the security team’s queue. See you at Dreamforce, and as always, if you have any questions, feel free to leave a comment or log a case in the partner portal.
