This content describes an older version of this product.

Security Review Wizard

Use the online security review wizard to submit information about your offering to Salesforce for testing. The wizard is comprehensive, so give yourself plenty of time to respond to the questions. Be as thorough as you can, and remember that your responses are saved as you go—you can always return later to complete the process. The more information you provide, the faster we can test and approve your app or component.

The wizard consists of a series of screens that guide you through the information required.
1. Preparation
View tips and links to resources to help you prepare for the security review.
2. General Information
Add information for the person at your company who we can contact with security-related questions.
3. Policies and Certifications
Attach your company’s information security policy and certifications that you’ve earned, for example, ISO 27001.
4. Components
List the technologies used by your app or component. You can select relevant items in a checklist based on the type. Examples include:
  • Force.com — Apex, Visualforce, API, SSO
  • Web app — frameworks and languages (Java, .NET, Rails, SSO, Heroku, and so on)
  • Client app — desktop app and browser plug-in
  • Mobile app — iOS, Android, BlackBerry, Windows
5. Test Environments
Provide fully configured environments for testing, including login credentials, install links, and sample data.
  • Force.com — usernames and passwords for all user levels (admin, end user, and so on) in a test organization
  • Web app — URLs, usernames, and passwords for all user levels, API keys, SSO, and OAuth/SAML settings
  • Client app — install URLs, configuration data and instructions, required license files, associated sample data, config guides, credentials
  • Mobile app — separate install link for each type of mobile app
6. Reports
Upload reports from your testing.
  • Force.com — Security Code Scanner report

    Note: Make sure that the code scanner results are clean. If you’re aware of issues in the scanner report that are false positives, provide the details.

  • Web — Web App Scanner report
  • Other — any other reports or documentation that you want to provide
7. Review Details
Review a summary of the information you’ve provided to verify that your submission is correct and complete. If there’s something you’d like to change, you can modify it.
8. Payment
Pay for the security review using Recurly. Salesforce saves your payment information, so you only need to provide it once. If your app or component is free, no payment is required.

Important: If you’ve already paid the security review fee for your offering, you aren’t charged again. However, you’re still asked to confirm the payment information every time you run the security review wizard.