
AppExchange Security Review

Before you can publicly list your managed package, Salesforce Platform API solution, or Marketing Cloud API solution on AppExchange, it must pass a security review. The AppExchange security review tests the security posture of your solution, including how well it protects customer data.

The security review helps you identify security vulnerabilities that a hacker, malware, or other threat can exploit. Salesforce security review teams test your solution with threat-modeling profiles that are based on the most common web vulnerabilities. The teams attempt to penetrate the defenses programmed in your solution. Their goal is to extract or modify data that they don’t have permission to access, just as security threats attempt to do.

Here’s a small sampling of the common security threats that we test for.
  • SOQL and SQL injection
  • Cross-site scripting
  • Nonsecure authentication and access control protocols
  • Vulnerabilities specific to the Salesforce platform, such as record-sharing violations
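To make two items on this list concrete, the Apex below is an added illustration (not code from the Salesforce documentation) of an Account search written the way the review flags it, SOQL injection through string concatenation in a class declared `without sharing`, beside a hardened version that uses a bind variable, `with sharing`, and `WITH SECURITY_ENFORCED`; the class, method and field names are assumed.

```apex
// Added example, not Salesforce's code. Class and method names are assumed.

// BEFORE: user-controlled text is concatenated into dynamic SOQL, so a crafted
// nameFragment can alter the WHERE clause, and "without sharing" makes the query
// ignore the running user's record-sharing rules (the record-sharing violation
// the review also tests for).
public without sharing class AccountSearchVulnerable {
    public static List<Account> search(String nameFragment) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%'
            + nameFragment + '%\'';
        return Database.query(soql);
    }
}

// AFTER: the input is passed as a bind variable, so it is treated as data and
// cannot change the query structure; "with sharing" enforces the running user's
// record access; WITH SECURITY_ENFORCED enforces field-level security on the
// selected fields.
public with sharing class AccountSearchSafe {
    public static List<Account> search(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        return [
            SELECT Id, Name
            FROM Account
            WHERE Name LIKE :pattern
            WITH SECURITY_ENFORCED
        ];
    }

    // When part of the query must stay dynamic (here, one extra field chosen at
    // run time), keep the bind variable for the value and restrict the dynamic
    // part to an allow-list instead of escaping free text.
    private static final Set<String> ALLOWED_FIELDS =
        new Set<String>{'Industry', 'Phone', 'Website'};

    public static List<Account> searchDynamic(String nameFragment, String extraField) {
        if (!ALLOWED_FIELDS.contains(extraField)) {
            throw new IllegalArgumentException('Field not permitted: ' + extraField);
        }
        String pattern = '%' + nameFragment + '%';
        // The bind variable :pattern is resolved from local scope by Database.query.
        String soql = 'SELECT Id, Name, ' + extraField
            + ' FROM Account WHERE Name LIKE :pattern WITH SECURITY_ENFORCED';
        return Database.query(soql);
    }
}
```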

For more information about the most critical web application security risks, read the Open Web Application Security Project (OWASP) Top Ten awareness document. OWASP is a nonprofit foundation that works to improve the security of software.

We give you a report documenting the security vulnerabilities found during the review. We’re also available to meet with you and help you address vulnerabilities. Address the issues in the report, then submit the revised solution for a follow-up review. We offer multiple reviews for each submission, which enables you to fine-tune the security of your solution.

To test how well upgraded solutions safeguard against the latest security vulnerabilities, Salesforce reserves the right to conduct periodic re-reviews of solutions distributed on AppExchange.

Important

View the security review process as an enforcement mechanism paired with personalized advice and tools. You have access to office hours where you can directly connect with a security review team member to get guidance tailored to your solution. The security review team also points you to security-scanning tools that help automate the process of vetting the security of your solution.

Partner Applications are Non-SFDC Applications as defined in Salesforce’s Main Services Agreement (available at https://www.salesforce.com/company/legal/agreements/ or successor URL). Notwithstanding any security requirements set forth herein or any security review of a Partner Application that may occur, Salesforce makes no guarantees regarding the quality or security of any Partner Application and Customers are solely responsible for evaluating the quality, security, and functionality of Partner Applications to determine their adequacy and appropriateness for Customers’ installation and use.
