Q: If I have a problem with the Secure Cloud Development resources, who should I contact?
A: We recommend starting out with our security discussion board to get your question answered quickly by your peers. If you do not receive an answer, you can reach out to securecloud(at)salesforce(dot)com

Q: Can the Force.com Security Source Code Scanner test my code in a Sandbox org?
A: Yes. Sandbox orgs are supported.

Q: How long does the Force.com Security Source Code Scanner take to test my code and email results?
A: Depending on your code size and number of applications in the scan queue, the scanner could take anywhere between 10 mins to a few hours.

Q: What permissions are required for the Force.com Security Source Code Scanner to successfully test the code in my org ?
A: The username submitted must be an active org with Author Apex permission.

Q: I am an AppExchange Partner. Do I need to submit every change to the salesforce.com security team for approval?
A: No. Salesforce.com conducts periodic reviews of AppExchange partner applications and you will be contacted when a review is needed. Any changes in the interim can be uploaded to the AppExchange without a manual approval process. The packages get auto-scanned upon being uploaded to the AppExchange, and you will be notified if any issues are identified.

Q: I write mostly Java and .Net code, are these resources useful?
A: While not all resources may apply to you, you will find useful information such as Secure Coding Guidelines on the Secure Cloud Development site. Additionally, you should reference www.owasp.org for other free tools and resources.

Q: I am not a commercial applications developer, rather I am just developing code for my own organization. Do these resources apply to me?
A: Absolutely.