This content describes an older version of this product.

Security Review

The security review ensures that the app or component you publish on the AppExchange meets industry best-practice security standards. For the latest information on the security review, visit: http://p.force.com/security.

The AppExchange security review:
  • Assures customers that your app or component works securely with Salesforce.
  • Helps you deliver apps and components that span multiple systems and meet the needs of AppExchange customers.
  • Allows Salesforce to facilitate open relationships between customers, developers, and providers by providing a secure ecosystem.

The scope of the security review depends on the type of offering.

Type: Force.com
Description: Offerings where the data, logic, and user interface are built entirely on the Force.com platform.
Scope of Review:
  • Automated code scan
  • Manual code review and black-box testing
  • Client-side components (Flash, JavaScript)
  • Integrations and web services

Type: Client and Mobile Apps
Description: Offerings that run outside of the Salesforce environment. They treat the Force.com platform as a data source, using the development model of the tool and platform for which they're designed. Examples include iPhone apps and Microsoft Outlook connectors.
Scope of Review:
  • Manual hands-on testing
  • Integrations and web services
  • Architecture review and web server testing

Type: Web Apps
Description: Offerings that run in a third-party hosted environment and integrate with Salesforce, leveraging the Force.com Web-services API. The data, logic, and user interface can be stored outside of Force.com.
Scope of Review:
  • Automated testing and manual black-box testing
  • Client-side components (Flash, JavaScript)
  • Integrations and web services
  • Architecture review and web server testing