How Does AppExchange Security Review Work?
Ensure That You’re Ready to Start
Knowing when you're ready for a security review is as important as knowing how the review works. You're ready to submit a solution for security review after you:
- Confirm with a partner recruitment representative that your solution is enrolled in the AppExchange Partner Program, and that you have a distribution agreement.
- Secure your solution according to industry best security standards.
- Certify that your solution is Lightning Ready. All new solutions submitted for security review must be Lightning Ready.
- In the Salesforce Partner Community Publishing Console:
  - Connect your packaging organization to AppExchange.
  - Create a provider profile.
  - Create a solution listing.
  - Submit a business plan for review, and receive Salesforce approval.
Test Your Solution
Run automated scanning tools and manually test your solution throughout the solution development lifecycle. Security scanning tools provide useful but only first-pass insight into solution vulnerabilities. To find vulnerabilities that automated scanning tools don't detect, also manually test your solution.
After you finish developing your solution, perform another round of manual testing and run the automated scanning tools that Product Security requires. The type of scans that you’re required to run depends on the architecture of your solution.
On the Partner Security Portal, you can access the Source Code Scanner, which is also referred to as the Checkmarx scanner, and the Chimera scanner. These two scanning tools meet the test requirements for many AppExchange solutions.
Before you submit your solution for review, address all security issues that you find with your manual testing and the scanning tools. Either fix the code or document how flagged issues are false positives. A false positive is an issue that appears to pose a security risk but does not.
Test your solution before you submit it, and you're much more likely to pass the review the first time. Applicants who don't test beforehand rarely pass and must resubmit after addressing the security vulnerabilities identified during the review. Resubmitting significantly delays the solution publishing process.
Gather the Required Materials for Security Review Submission
Submit Your Solution for Review
After you complete testing and gather the materials required for your submission, you’re ready to submit your solution for an AppExchange security review. Use the security review submission interface to share your solution and required materials, and to pay the security review and annual AppExchange listing fees. If you plan to distribute your solution for free, you don’t pay the fees.
After you submit everything, expect these turnaround times.
| Security Review Stage | Typical Time Frame |
|---|---|
| Security Review Operations verifies that your submission is ready to review. A submission is ready to review if it includes everything required to test the security of your solution. | 1–2 days |
| Product Security tests your solution for the first time. | 3–4 weeks |
| Product Security tests a resubmission of a package that wasn’t approved previously and that shows progress in fixing security vulnerabilities. | 2–3 weeks |
Follow Up on the Security Review Report
When the security review is complete, you receive a report informing you that your submission is approved or not approved for public listing on AppExchange.
- Approved: You can publicly list your solution on AppExchange and distribute it to customers immediately.
- Not Approved: The security review team detected security issues in your solution. You can’t list your solution on AppExchange or distribute it to customers.
If your solution isn’t approved, the report includes information about the types of security issues that we detected. Keep in mind that the security review is a black-box, time-limited process. We can’t list every instance of a security issue, and we may not initially detect all issue types. Interpret the security review findings as representative examples of the types of issues you must fix. Then diligently find and fix all instances of each issue across your entire solution.
Address all detected security issues. Rerun the required automated scanning tools to generate reports for your revised solution. Then resubmit your revised solution with the updated scan reports.