Test the full scope of your solution using manual testing and automated security scanner
tools. When you perform security scans, include all external endpoints that run independently of
the Salesforce platform. Document false positive security violations and fix all code that doesn’t
meet Salesforce security guidelines.
Testing Scope
Test all pieces of the solution that you submit for security review. Ensure that the solution
architecture is secure, including endpoints that aren’t hosted on the Salesforce platform. Your
attention to all components and layers of your solution helps minimize the risk of hackers or
malware exploiting potential entry points.
The full scope of your solution is subject to security review testing. For example, we can
perform penetration tests that attack your Development Edition test org and attempt to access
sensitive data or authenticate with false credentials.
To determine testing scope, use a follow-the-data approach: wherever the customer or the data goes
is in scope. For example, if your Salesforce customer is required to log in to your company
website, or data is synced to a third-party server, test those pieces to ensure that they
securely transfer credentials and data.
When either of the following criteria is true, external endpoints are within the scope of the
security review and a required part of your security testing.
- The endpoint plays a role in authenticating the end user as part of buying, getting support
for, or using your solution. This definition includes a connected app that doesn’t require
manual credential entry.
- Salesforce data is transferred to or from the endpoint.
Before you perform security testing on external endpoints that you don’t
own, complete two actions. First, obtain any necessary permission to perform security testing
from the third parties that own the external endpoints. Second, follow the guidelines in What are the
Salesforce IP Addresses & Domains to Whitelist?.
Automated Scanning Tools
To identify security vulnerabilities in your solution and external endpoints, we require that
you run specific automated security scanning tools.
We strongly recommend that
you run security scans on your code and any connected endpoints throughout the development
lifecycle. Run periodic scans and fix flagged issues as you go to prevent security
vulnerabilities from piling up and creating more work for you later.
On the Partner Security Portal, you can access two Salesforce-supported security scanners: the
Source Code Scanner, also referred to as the Checkmarx scanner, and the Chimera scanner. You
can, and sometimes are required to, use scanners that aren’t on the Partner Security Portal.
The following summarizes the automated security scanner tools that we require or recommend: what
each tool scans, whether it's required for security review, and whether Salesforce supports it.

Source Code Scanner (Checkmarx)
Scans: Apex, Visualforce, and Lightning code
- This static scanning tool uses Checkmarx security technology.
- Mandatory for any security review submission that includes a Salesforce package or
component. Not required for mobile clients or API solutions.
- You're provisioned three Source Code Scanner runs per solution version with the
security review fee.
- If you want the flexibility and freedom to scan unpackaged code, or to bypass the three-scan
limit and package-linking requirements, purchase a license from Checkmarx.
Required for security review: Yes
Salesforce-supported: Yes

PMD Source Code Analyzer
Scans: Apex code
- The PMD scanner is a free, open-source tool.
- This tool is an alternative to the Source Code Scanner for solutions that contain Apex
code.
- Run PMD scans an unlimited number of times as you prepare your solution for security
review and as a supplement to the Source Code Scanner.
- PMD typically reports more false positives than the Source Code Scanner tool.
Required for security review: No
Salesforce-supported: No

Chimera
Scans: External endpoints on domains that you own
- Checks external endpoints of a solution.
- Scans solutions from a Salesforce IP address.
- Doesn't require a download.
- Isn't usable with endpoints on domains that you don't own, because it requires upload of
a token to the root of the external server.
- If your solution connects to external endpoints that you don't own, use OWASP ZAP or
Burp Suite.
Required for security review: Yes
Salesforce-supported: Yes

OWASP Zed Attack Proxy (ZAP)
Scans: External endpoints
- The ZAP Scanner is a free, community-driven proxy for web app security testing.
- Requires a download.
- Setting Up ZAP for Browser provides guidance for initiating security scans with this tool.
Required for security review: Yes
Salesforce-supported: No

Burp Suite
Scans: External endpoints
- Salesforce doesn't provision Burp Suite licenses for security review. Purchase a
license independently.
- Requires a download.
Required for security review: Yes
Salesforce-supported: No
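The page asks you to run PMD repeatedly, document false positives, and fix everything else. The script below is an added example of that triage step; it is not part of PMD or of Salesforce's security review tooling. It parses a report in PMD's XML output format (the `pmd` XML report namespace), matches each violation against a register of documented false positives, and reports what is still open. The report, file paths, and register entries are constructed for the example; the rule names `ApexSOQLInjection` and `ApexCRUDViolation` come from PMD's Apex security category, but the line numbers and messages here are illustrative. A register entry without a justification and reviewer is treated as undocumented, so its finding stays open; an entry that matches no finding is flagged as stale so it can be re-verified after the code changed.

```python
"""Triage a PMD XML report against a register of documented false positives.

Added example for the "document false positives, fix the rest" workflow;
not PMD's or Salesforce's code. SAMPLE_REPORT and the register are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace that PMD's XML report format declares on its root element.
PMD_NS = "http://pmd.sourceforge.net/report/2.0.0"

# Constructed sample in the shape of `pmd check -f xml` output (not a real scan).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<pmd xmlns="http://pmd.sourceforge.net/report/2.0.0" version="7.0.0" timestamp="2024-01-01T00:00:00.000">
<file name="force-app/main/default/classes/AccountService.cls">
<violation beginline="12" endline="12" begincolumn="9" endcolumn="60" rule="ApexSOQLInjection" ruleset="Security" priority="1">
Avoid untrusted/unescaped variables in DML/SOQL query
</violation>
<violation beginline="30" endline="30" begincolumn="5" endcolumn="40" rule="ApexCRUDViolation" ruleset="Security" priority="3">
Validate CRUD permission before SOQL/DML operation
</violation>
</file>
<file name="force-app/main/default/classes/LogUtil.cls">
<violation beginline="8" endline="8" begincolumn="5" endcolumn="30" rule="ApexCRUDViolation" ruleset="Security" priority="3">
Validate CRUD permission before SOQL/DML operation
</violation>
</file>
</pmd>
"""

# Constructed false-positive register. Each entry needs a written justification
# and a reviewer before it is allowed to suppress a finding.
DOCUMENTED_FALSE_POSITIVES = [
    {"file": "force-app/main/default/classes/LogUtil.cls", "rule": "ApexCRUDViolation", "line": 8,
     "justification": "Insert into a custom log object; access is deliberately granted to all profiles",
     "reviewed_by": "security-lead"},
    {"file": "force-app/main/default/classes/OldHelper.cls", "rule": "ApexCRUDViolation", "line": 40,
     "justification": "Class removed in the previous version", "reviewed_by": "security-lead"},
    {"file": "force-app/main/default/classes/AccountService.cls", "rule": "ApexSOQLInjection", "line": 12,
     "justification": "", "reviewed_by": ""},  # no justification: must not suppress anything
]


@dataclass(frozen=True)
class Finding:
    file: str
    rule: str
    ruleset: str
    line: int
    priority: int
    message: str


def parse_pmd_report(xml_text):
    """Return one Finding per <violation> in a PMD XML report."""
    root = ET.fromstring(xml_text)
    ns = {"p": PMD_NS}
    findings = []
    for file_el in root.findall("p:file", ns):
        path = file_el.get("name")
        for v in file_el.findall("p:violation", ns):
            findings.append(Finding(file=path, rule=v.get("rule"), ruleset=v.get("ruleset"),
                                    line=int(v.get("beginline")), priority=int(v.get("priority")),
                                    message=(v.text or "").strip()))
    return findings


def triage(xml_text, register):
    """Split findings into open / documented, and register entries into stale / rejected."""
    accepted, rejected = {}, []
    for entry in register:
        documented = entry.get("justification", "").strip() and entry.get("reviewed_by", "").strip()
        if documented:
            accepted[(entry["file"], entry["rule"], entry["line"])] = entry
        else:
            rejected.append(entry)
    open_findings, documented_findings, matched = [], [], set()
    for fnd in parse_pmd_report(xml_text):
        key = (fnd.file, fnd.rule, fnd.line)
        if key in accepted:
            documented_findings.append(fnd)
            matched.add(key)
        else:
            open_findings.append(fnd)
    stale = [e for k, e in accepted.items() if k not in matched]
    open_findings.sort(key=lambda f: (f.priority, f.file, f.line))  # priority 1 is most severe
    return {"open": open_findings, "documented": documented_findings, "stale": stale, "rejected": rejected}


def ready_for_submission(result):
    """True only when nothing is open and every suppression still matches a finding."""
    return not result["open"] and not result["stale"]


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, DOCUMENTED_FALSE_POSITIVES)
    for f in result["open"]:
        print(f"OPEN      P{f.priority} {f.file}:{f.line} {f.rule}: {f.message}")
    for f in result["documented"]:
        print(f"DOCUMENTED   {f.file}:{f.line} {f.rule}")
    for e in result["stale"]:
        print(f"STALE        {e['file']}:{e['line']} {e['rule']} (re-verify)")
    for e in result["rejected"]:
        print(f"REJECTED     {e['file']}:{e['line']} {e['rule']} (no justification/reviewer)")
    print("ready:", ready_for_submission(result))
```

Point `parse_pmd_report` at a real report by reading the file PMD writes with its XML formatter, and keep the register in version control next to the code so that each suppression carries the justification a reviewer will ask for.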