Security Review Steps
Follow these steps to have your offering reviewed for security compliance.
- Prepare for the security review.
  - Read the security guidelines.
    - Review the preparation tips found at http://p.force.com/security.
    - Review the free resources listed on our Secure Cloud Development site.
    - Review the Requirements Checklist.
    - Review the OWASP Top Ten Checklist.
  - Run a free self-service source code analysis against code developed on the Force.com platform.
  - Run a web-application scan against your external web application that is integrated with Force.com.
  - Manually test your offering to ensure that it meets review requirements that tools do not detect. For details, see the OWASP Testing Guide.
  - Fix any issues found during testing.
In general, be as thorough as you can in your testing. During the development phase of your app or component, run the code scanner repeatedly so that issues are caught as they are introduced rather than fixed all at once at the end. If you have questions, schedule office hours with the security review team at: http://security.force.com/security/contact/ohours.
- Initiate the security review.
  - Log in to the Partner Community.
  - Open the security review wizard.
    - If your offering is a managed package, launch the wizard as follows.
      - On the Publishing page, click the Packages tab.
      - Find the offering that you want to submit and click Start Review.
    - If you have an API-only offering, launch the wizard as follows.
      - On the Publishing page, click the Listings tab.
      - Find the offering that you want to submit and click it to open the AppExchange publishing console.
      - Click the App tab and choose the API-only option.
      - Click Start Security Review.
  - Follow the steps outlined in the security review wizard, which guides you through the rest of the submission.
  - If this is a paid offering, pay the annual listing fee and the one-time security review fee. If your app or component is free, these fees are waived.
After you submit your package, the security review team runs tests to identify potential vulnerabilities. If necessary, they contact you to discuss their findings. The review team performs both application and network security testing and sends you the results.
- Review the results. There are three possible outcomes.
  - Approved: You can list your app or component on the AppExchange and distribute it to customers immediately.
  - Provisional Pass: The security review team identified low- or medium-risk issues that can be addressed easily and do not pose significant risks. You can create a public listing for your offering on the AppExchange and distribute it to customers. If you don't fix the identified issues within the specified time period, your app or component is removed from the AppExchange.
  - Not Approved: The security review team identified high-risk issues during the testing phase. You can't list your offering on the AppExchange or distribute it to customers until all issues have been addressed and your offering has been reviewed again. If the app or component is already listed on the AppExchange, you must address the issues within 60 days. Because the security review is a black-box, time-limited process, the team can't list every instance in which a particular issue occurred. Interpret these findings as representative examples of the types of issues you must fix across the offering.
Key Steps to Follow after Passing the Security Review
When you have passed the security review, you can:
- List your offering publicly on the AppExchange and distribute it to customers.
- Request API access for your offering in Professional and Group Editions.