Navigating the Salesforce Security Review: What To Expect and How To Prepare

Approximately 15 million data breaches occurred worldwide in the third quarter of 2022, up 167 percent over the previous quarter. Cybercrime poses a serious threat, with financial losses expected to top $10.5 trillion annually by 2025. 

These alarming statistics underscore Salesforce’s commitment to data and product security. With over 5,000 solutions on the AppExchange, Salesforce pays close attention to the safety of the marketplace and the apps available on it. Salesforce manages this through the Salesforce Security Review.

To list your app on the AppExchange, Salesforce requires that your app successfully pass a rigorous security review. As part of this process, Salesforce’s product security team analyzes your app’s protection against the threats outlined in the Open Web Application Security Project (OWASP) list. The team also checks for possible horizontal attacks to determine whether your product could make Salesforce itself vulnerable.

At first, it sounds intimidating. After all, you have cybersecurity experts looking for flaws in an application you’ve worked hard to develop. But from a pragmatic standpoint, you need the review to protect your customers’ sensitive data and to keep your product from straying from best practices.

In this article, we’ll explain why the AppExchange security review is essential, how to prepare for it, and how to leverage Salesforce’s strict security requirements to ensure your product is ripe for the marketplace.

What To Expect During a Salesforce Security Review

Native apps and composite apps follow the same security review process. In both cases, you must verify your solution’s security before submitting it for AppExchange review.

Keep your technical documentation up to date and use testing tools like Checkmarx to scan your code for security flaws. Resolve any issues the scan finds. Record flagged findings that don’t pose a genuine security threat in a false positives document.

This documentation, together with the scan reports, enables Salesforce’s product security team to evaluate your solution. Depending on the type of solution you’re submitting, you may also need other supporting materials. Lastly, make sure the security review team has access to every package, environment, and component your solution uses.

If you pass, pat yourself on the back. Your app is up for publication. 

If not, the team will send you their findings report and outline your next steps. Consider the findings as markers on a map, indicating where you need further investigation and correction.

How Long Does the Security Review Process Take?

While there’s no hard-and-fast timeline for Salesforce security reviews, Salesforce estimates the process generally takes six to eight weeks. But as an experienced Salesforce partner, we’ve also seen it take organizations up to three months. 

Why the range? For starters, the clock doesn’t start ticking when you submit your application for review; it starts once the team confirms it has taken your review request on board. Salesforce’s timeline estimate also doesn’t factor in the back-and-forth. If you don’t pass on the first attempt, you’ll have to repeat the process until you get it right.

Don’t let this dishearten you: Salesforce estimates 50 percent of applications fail the first time through the AppExchange security review. You’re not expected to be a cybersecurity expert as a software developer or architect.

Consider the review a collaboration with a Salesforce-competent cybersecurity team and lean into their expertise to improve your product.

How To Prepare for the AppExchange Security Review

Every failed attempt costs you a wait of a couple of weeks, which delays your product launch. That’s why it’s essential to be proactive in making sure you’re ready for the security review the first time around.

Here are four tips to help you prepare for the Salesforce security review:

1. Develop your product with the security review in mind

Don’t consider the security review a final requirement to publish your app. It should be top of mind at every stage of the development process—even before writing any code. Study your assets and data flow to identify security loopholes and potential exploits.

Run vulnerability assessments regularly to check for flaws like reflected cross-site scripting (script reflection). Observe and collect feedback from beta testers to discover security risks associated with your solution. Combine automated security scanners with manual testing for comprehensive coverage. And, of course, record and rate your findings.

2. Provide your team with information about security review procedures

Don’t go at it alone. As early as possible, hand your team the resources they need to understand how the Salesforce security review works. 

Salesforce’s Partner Community contains a wealth of resources related to the topic, while their Trust Academy offers three security review courses. These are good places to start. For a comprehensive understanding of the security review, sites like OWASP.org are also worth exploring.

3. Be diligent and keep up with your checklists

Salesforce doesn’t have the same requirements for all apps. It will depend on the type of solution you’re building and your company’s size and maturity. The Security Review Submission Requirements Checklist Builder in the Salesforce Partner Community can help you prepare. 

4. Work with a PDO to ensure security review success

Salesforce product development outsourcers (PDOs) help you accelerate your time to market. They’re experts in AppExchange app development, the Salesforce ecosystem, and the security review process. With the help of an experienced PDO, passing the Salesforce security review is much easier. And in most cases, they only need to do it once, shortening the review process so you can get your app on the AppExchange faster.

The role of a Salesforce PDO in security reviews

PDOs are your life jackets. You may know how to swim. But help is needed if the current is strong or you’ve been in the water long. You don’t have to struggle to swim to the finish line yourself when there’s an easier and more efficient way.

Here are three ways choosing the right PDO can help you ace your Salesforce AppExchange security review:

1. PDOs help you pass the review faster

Salesforce has a lot of security review resources for developers. But it’s difficult to keep track of them all—and the updates. 

Understanding and preparing for the process could take considerable time, especially if you have to do it more than once. With a PDO’s expertise, you won’t have to sift through the mounds of resources. Experienced PDOs know the process like the back of their hands, down to the steps and time required to get your product approved.

2. PDOs make sure everything is in place

PDOs help you create a plan for passing security reviews. They understand that this preliminary work is necessary before application development takes place.

PDOs are adept at coding secure applications. They also know how to include safeguards in every step of the development process, taking precautionary measures as they go.

3. PDOs can resolve issues and resubmit your application if needed

If the first attempt doesn’t work out, PDOs can help you with the next iterations. Salesforce points you in the direction of your product’s weaknesses, and its findings report is fairly detailed, but the product security team doesn’t know your product the way your developers and PDO partner do.

PDOs can dig into these findings, analyzing and correcting issues beyond what the Salesforce Product Security team can offer. This way, you can ensure that your next submission exceeds expectations.

Simplify the Security Review Process For Your App

When you publish on the AppExchange, it’s not just your app and business on the line. Salesforce also stakes its reputation and security on it. For this reason, the company’s product security review team will thoroughly examine your product to ensure everything is in order. 

The process can take some time, and many fail on their first try. But by working with an experienced PDO like Aquiva, you can minimize the time it takes to create a secure app and streamline the entire Salesforce security review process.

Need help passing the AppExchange security review?

No matter what stage of the development process you are in, Aquiva will help take care of the security process. But it’s best if we help you from the ground up. Contact one of our specialists today to learn how we can help make your project a success.