ISVforce Guide

Welcome to the ISVforce Guide
ISVforce Quick Start
Grow Your AppExchange Business
Design and Build Your Solution
Create a Secure Solution
Prevent Common Violations of Secure Coding Guidelines
Overview of Packages
Components Available in Managed Packages
About API and Dynamic Apex Access in Packages
Architectural Considerations for Group and Professional Editions
Connected Apps
Environment Hub
Developer Hub
Notifications for Package Errors
Package and Test Your Solution
Pass the AppExchange Security Review
Publish Your Solution on AppExchange
Sell on AppExchange with Checkout
Monitor Performance with Analytics for AppExchange Partners
Manage Orders
Managing Licenses for Managed Packages
Manage Features
Provide a Free Trial of Your Solution
Support Your AppExchange Customers
Update Your Solution
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Create a Secure Solution

Learn about practices and resources that help you develop a solution that resists common security threats. Designate a security expert on your development team. Review the AppExchange Security Requirements Checklist sections and Open Web Application Security Project (OWASP) guidelines that apply to your solution.

Designate a Security Expert

Protecting your solution from security threats is easier when you integrate security considerations into all stages of development. One of the best ways to ensure that your solution follows security guidelines is to designate a security expert on your development team.

Have your entire development team collaborate with the security expert through all stages of development: design, implementation, and testing. Postponing security considerations until the final stages of development increases the likelihood that your team unknowingly propagates security violations as they code.

Regular collaboration prevents needless accumulation of security violations, and helps avoid delays in preparing a successful AppExchange security review submission.

Learn How to Develop Secure Web Solutions

In Prevent Common Violations of Secure Coding Guidelines and in the Secure Coding Guide, learn how to identify, prevent, and remediate security violations in solutions built on or integrated with the Salesforce Platform. Find out which violations most commonly appear, why they pose security risks, and how to avoid them in your code.

Review the AppExchange Security Requirements

The AppExchange Security Requirements Checklist is our most comprehensive information resource for evaluating the security of your solution. To understand our baseline technical security requirements, review this checklist. As you develop your solution, meet the security requirements that apply to your code.

Be sure to parse through the entire AppExchange Security Requirements Checklist. Requirements that apply to your solution can be spread out in various sections. However, the Best Practices for Security section applies to all solutions.

In the checklist, composite submission refers to any solution that involves a third-party, non-Salesforce endpoint, system, or API.

Note

Follow Open Web Application Security Project Guidance

The Open Web Application Security Project (OWASP) website provides comprehensive information about web app security risks. It includes detailed guidance on how to test for, prevent, and resolve security issues. Familiarize yourself with the key resources on the OWASP website.

We recommend that you use the OWASP Top Ten Project as a primary reference for securing your solution. This section of the OWASP site documents the 10 most prominent security risks that appear in web apps. The guidelines are especially pertinent to web apps and services that aren’t hosted on the Salesforce Platform.

Aim to follow development practices and security guidelines that conform as closely as possible to the OWASP Secure Coding Practices - Quick Reference Guide.