Force.com ISV Security Review

All applications enrolled in the ISVforce or Force.com Embedded Partner Programs must go through a mandatory periodic security review. The Security Review has been developed to assess the security posture of partner offerings, to ensure that applications published on the AppExchange follow industry best practices for security, and to promote trust.


Scope

The scope of the security review depends on the composition of the offering. Most offerings contain one or more parts that are classified as Native, Composite (Web Applications), or Client/Mobile. Our approach is to test all parts of the offering to ensure that our mutual customers and their data are not put at risk. The table below describes at a high level what testing is performed for each part.

[Image: ScopeAndTestsSmall.png]

Security Review Process Quick Guide

Here's a look at the Security Review Process steps:

[Image: SRFlow.png]

1. Prepare For The Security Review

  • Review the free resources listed on our Secure Cloud Development site
  • Review the Requirements Checklist
  • Review the OWASP Top Ten Checklist
  • Run a free self-service source code analysis against code developed on the Force.com Platform
  • Run a free Web Application Security Scan with Chimera, or set up ZAP locally, against any external web application that is integrated with Force.com.
  • Manually test your app to ensure it meets review requirements that tools do not detect. For details see the OWASP Testing Guide.
  • Fix any issues found during testing.


2. Initiate The Security Review

  • Before submitting for security review, your application must be enrolled in either the ISVforce or Force.com Embedded program. If you are not enrolled, please contact your ISV AE or log a case in the Partner Portal.
  • Initiate the security review for your offering by logging into the AppExchange Publishing Console and clicking "Start Review" on your offering. For existing offerings that are due for a security re-review, you must also submit a case in the Partner Portal.
  • You will be asked to provide a Test Environment and Documentation for your offering and to pay the Annual Listing Fee.
  • Manual and automated application and network security testing will be performed by the security review team, and you will receive your review results (see the Review Results section below for details).


3. Publish Your Application On The AppExchange

  • Once you have passed the security review, you may log in to the AppExchange and make your listing live.


Random Testing: Salesforce.com reserves the right to conduct random on-site and off-site tests on published offerings. If, during these tests, we find that the offering has deviated from any of our requirements, we will notify the publisher and provide a timeframe to remedy the issue. In extreme cases, we may pull the AppExchange listing from public viewing.


Review Results


[Image: ReviewOutcome.png]


Resources

  • Secure Cloud Development Resources - This page introduces Force.com Secure Cloud Development, a new suite of tools, training and processes to help all developers get started building trusted applications.
  • Security Review Costs - Understand the costs associated with the security review of various application types.
  • Requirements Checklist - This checklist will help you prepare for your security review. Applications must meet these criteria in order to pass the security review.
  • Secure Coding Guidelines - These documents describe common security issues and provide guidance on effectively remediating them within your application.
  • Security Review FAQ - We have compiled all the frequently asked questions here. In particular, we recommend that you review the table that lists all the security attributes we look for when passing your application.
  • Sample Policy Template - Here's a sample policy template to guide you in creating your company's security and operational policies.