Steps in the Security Review
The security review process follows these steps.
- Prepare for the security review.
  - Read the security guidelines in this chapter.
  - Review the free resources listed on our Secure Cloud Development site.
  - Check out our Security Review Webinar video for preparation tips.
  - Review the Requirements Checklist.
  - Review the OWASP Top Ten Checklist.
  - Run a free self-service source code analysis against code developed on the Force.com platform.
  - Run a free web-application scan against your external web application that is integrated with Force.com.
  - Manually test your app to ensure it meets review requirements not found by tools. For details, see the OWASP Testing Guide.
  - Fix any issues found during testing.
In general, be as thorough as you can in your testing, as a lack of preparation can delay approval. For example, during the development phase of your app, run the code scanner multiple times so you don't spend a lot of time fixing issues towards the end. If you have additional questions, you can schedule office hours with the security review team at: http://security.force.com/security/contact/ohours.
- Initiate the security review.
  - Log in to the AppExchange using the credentials for your APO.
  - Click your name in the upper right corner and, from the dropdown menu, select Publishing Console.
  - Click the Offering tab.
  - Select one of these two options, as appropriate for your app:
    - Your application is a package (entirely or in part)
    - Your application is not a package and only uses the Salesforce API
  - Click Save.
  - Click Start Review for your app. For existing applications that are due for a subsequent security review, log a case in the Partner Community.
  - For each application, you'll complete a security checklist and questionnaire. Provide the review team with a fully configured test account and grant login access to your publishing organization.
  - You'll be asked to provide a test environment and documentation for your offering and to pay the annual listing fee.
The review team will run tests to identify any potential vulnerabilities in the code, and might contact you for a follow-up discussion, if necessary. The review team will perform both application and network security testing, and provide you the results.
- Review the results. There are three possible outcomes.
  - Approved: You will immediately be allowed to list your application on the AppExchange. You might be provided an API token to access Professional Edition accounts. For more information on the Partner Program, including eligibility requirements, please visit us at www.salesforce.com/partners.
  - Provisionally Approved: Low or medium risk issues were identified, which can be addressed fairly easily and do not pose significant risk to Salesforce or its customers. You will be allowed to create a public listing for your application on the AppExchange. However, failure to remedy the noted issues within the specified time period will result in removal of the application from the AppExchange. You might be provided an API token to access Professional Edition accounts.
  - Not Approved: High risk issues were identified during the testing phase. You will not be allowed to list your application on the AppExchange until all issues have been addressed and reviewed by the AppExchange security team. If the application is already listed on the AppExchange, you will be provided 60 days to address the issues. You will not receive an API token to access Professional Edition accounts.
Key Steps to Follow after Passing the Security Review
Once you have passed the security review, you’re eligible to: