Create a Secure Solution
Designate a Security Expert
Protecting your solution from security threats is easier when you integrate security considerations into all stages of development. One of the best ways to ensure that your solution follows security guidelines is to designate a security expert on your development team.
Have your entire development team collaborate with the security expert through all stages of development: design, implementation, and testing. If your team postpones security considerations until the final stages of development, it increases the likelihood that the team unknowingly propagates security violations as they code.
If security is left until the end, the number and complexity of embedded security violations accumulate needlessly, and remediating them delays the preparation of a successful AppExchange security review submission.
Learn How to Develop Secure Web Apps
Learn the basics of developing secure code for an AppExchange solution in the Develop Secure Web Apps trail on Trailhead. Discover how to identify, prevent, and remediate the security violations you’re most likely to encounter when developing a solution on the Salesforce platform.
Salesforce wrote the Develop Secure Web Apps trail with a focus on securing solutions built with the Lightning Platform architecture. In the trail, you get hands-on training on how to produce secure code.
Pay particular attention to the Data Leak Prevention module. The violations detailed in this module are among the most common security violations.
Review the AppExchange Security Requirements
The AppExchange Security Requirements Checklist is our most comprehensive information resource for evaluating the security of your solution. To understand our baseline technical security requirements, review this checklist as you develop your solution and identify the security requirements that apply to your code.
Be sure to read through the entire AppExchange Security Requirements Checklist document. Requirements that apply to your solution can be spread across several sections. However, the Best Practices for Security section applies to all solutions.
Follow Open Web Application Security Project Guidance
The Open Web Application Security Project (OWASP) website provides comprehensive information about web app security risks. It includes detailed guidance on how to test for, prevent, and resolve security issues. Familiarize yourself with the key resources on the OWASP website.
We recommend that you use the OWASP Top Ten Project as a primary reference for securing your solution. This OWASP project documents the 10 most prominent security risks that appear in web apps. The guidelines are especially pertinent to web apps and services that aren’t hosted on the Salesforce platform.
Aim to follow development practices and security guidelines that conform as closely as possible to the OWASP Secure Coding Practices - Quick Reference Guide.