The Security Review Questionnaire

Initiating the security review launches an online questionnaire that prompts you for all the information required to test your application. Allow sufficient time to complete the questionnaire as it’s detailed and comprehensive. You can save your answers at any time and return later to complete the process.

Be as comprehensive as possible in your responses. It’s better to err on the side of providing more information rather than less. The more information we have, the faster we can test and approve your app.

Note

The questionnaire consists of a series of screens that guide you through the information required, depending on the type of components in your application (that is, Force.com, web-based, hybrid, or mobile).

1. Preparation
Overview of the steps in the questionnaire and pointers to helpful information.
2. General Information
Your name and contact information.
3. Policies and Certifications
Details of your company’s information security policy and any certifications. You have the option of uploading a policy document.
4. Components
The components and technologies used by your application. You can select relevant items in a checklist based on the type of application. Some examples are:
  • Force.com — Apex, Visualforce, API, SSO
  • Web app — frameworks/languages (Java, .NET, Rails, etc.), SSO, Heroku
  • Client app — desktop app, browser plugin, Salesforce CTI toolkit implementation
  • Mobile app — iOS, Android, BlackBerry, Windows
5. Test Environments
Access details such as login credentials, install links, and sample data for fully configured, working test environments. These depend on the type of application.
  • Force.com — usernames and passwords for all user levels (admin, end user, etc.) in a test organization
  • Web application — URLs, usernames, and passwords for all user levels, API keys, SSO, and OAuth/SAML settings
  • Client app — install URLs, configuration data, and instructions; include any required license files, associated sample data, config guides, and credentials
  • Mobile app — a separate install link for each type of mobile app
6. Reports
Upload reports from your previous testing, for example:
  • Force.com — Security Code Scanner report

    The code scanner results should be clean before you submit for review. If you’re aware of any issues in the scanner report that are false positives, please provide the details.

  • Web application — Web App Scanner report
  • Other — other report or documentation
7. Review Details
This consolidates all the information you’ve provided, so you can verify it’s correct and complete. You can return to any previous screen to modify its information.
8. Payment
This enables you to pay for the security review by using the Recurly payment service. Payment information is saved, so you only need to provide it once. If your app is free, no payment is required.

If you’ve already paid the security review fee for an app, you will not be charged again. However, you’ll still be asked to confirm the payment information.