ISVforce Guide

ISVforce Guide: Build and Distribute AppExchange Solutions
Release Notes
Get Ready to Distribute on AppExchange
Use Managed Packages to Develop Your AppExchange Solution
Design Your AppExchange Solution
Pass the AppExchange Security Review
AppExchange Security Review
How Does AppExchange Security Review Work?
Partner Security Portal
Test Your Entire Solution
Scan Your Solution with Salesforce Code Analyzer
False Positives
Security Review Resources
Publish Your Solution on AppExchange
Sell on AppExchange with Checkout
Monitor Performance with Analytics for AppExchange Partners
Report Orders to Salesforce with the Channel Order App
Manage Licenses for Managed Packages
Manage Features in First-Generation Managed Packages
Provide Free Trials of Your AppExchange Solution
User License Guides for Salesforce Partners
PDF

Newer Version Available

This content describes an older version of this product. View Latest

AppExchange Security Review

Before you can publicly list your managed package, Salesforce Platform API solution, or Marketing Cloud API solution on AppExchange, it must pass a security review. The AppExchange security review tests the security posture of your solution, including how well it protects customer data.

The security review helps you identify security vulnerabilities that a hacker, malware, or other threat can exploit. Salesforce security review teams test your solution with threat-modeling profiles that are based on the most common web vulnerabilities. The teams attempt to penetrate the defenses programmed in your solution. Their goal is to extract or modify data that they don’t have permission to access, just as security threats attempt to do.

Here’s a small sampling of the common security threats that we test for.
  • SOQL and SQL injection
  • Cross-site scripting
  • Nonsecure authentication and access control protocols
  • Vulnerabilities specific to the Salesforce platform, such as record-sharing violations

For more information about the most critical web application security risks, read the Open Web Application Security Project (OWASP) Top Ten awareness document. OWASP is a nonprofit foundation that works to improve the security of software.

We give you a report documenting the security vulnerabilities found during the review. We’re also available to meet with you and help you address vulnerabilities. Address the issues in the report, then submit the revised solution for a follow-up review. We offer multiple reviews for each submission, which enables you to fine-tune the security of your solution.

To test the extent that upgraded solutions safeguard against the latest security vulnerabilities, Salesforce reserves the right to conduct periodic re-reviews of solutions distributed on AppExchange.

Important

View the security review process as enforcement mechanisms paired with personalized advice and tools. You have access to office hours where you can directly connect with a security review team member to get guidance catered to your solution. Also, the security review team points you to security scanning tools that help automate the process of vetting the security of your solution.