Test Your Entire Solution
Testing Scope
Test all pieces of the solution that you submit for security review. Ensure that the solution architecture is secure, including endpoints that aren’t hosted on the Salesforce platform. Your attention to all components and layers of your solution helps minimize the risk of hackers or malware exploiting potential entry points.
The full scope of your solution is subject to security review testing. For example, we can perform pen tests that attack your Developer Edition test org and attempt to access sensitive data or authenticate with false credentials.
To determine testing scope, use a follow-the-data approach. Wherever the customer or data goes is in scope. For example, your Salesforce customer is required to log in to your company website, or data is synced to a third-party server. Test these pieces to ensure that they’re securely transferring credentials and data.
External endpoints are within the scope of the security review and a required part of your security testing when either of these criteria are true.
- The endpoint plays a role in authenticating the end user as part of buying, getting support for, or using your solution. This definition includes a connected app that doesn’t require manual credential entry.
- Salesforce data is transferred to or from the endpoint.
Automated Scanning Tools
To identify security vulnerabilities in your solution and external endpoints, we require that you run specific automated security scanning tools.
To distribute managed packages, Salesforce Platform API solutions, or Marketing Cloud Engagement API solutions on AppExchange, they must pass our security review. If your solution is a managed package, you’re required to scan it using Salesforce Code Analyzer and submit comprehensive scan results in the AppExchange Security Review Wizard. If you’re unable to use Code Analyzer, you must provide a clear justification for why you didn’t run Code Analyzer on your code.
If your solution isn’t a managed package, or you choose not to use Code Analyzer, you can access two Salesforce-supported security scanners on the Partner Security Portal: the Chimera scanner and the Source Code Scanner, sometimes referred to as the Checkmarx scanner.
This table summarizes the automated security scanner tools that we require or recommend.
Security Scanner Tool | Scan Targets | Considerations | Results Accepted with Submission | Hosted on the Partner Security Portal |
---|---|---|---|---|
Salesforce Code Analyzer | Apex, JavaScript, Lightning, TypeScript, and Visualforce code |
|
Yes | No |
Source Code Scanner (Checkmarx) | Apex, Visualforce, and Lightning code |
|
Yes | Yes |
PMD Source Code Analyzer | Apex code |
|
No | No |
Chimera | External endpoints on domains that you own |
|
Yes | Yes |
Zed Attack Proxy (ZAP) | External endpoints |
|
Yes | No |
Burp Suite | External endpoints |
|
Yes | No |