Periodic Security Re-Reviews on AppExchange

For Independent Software Vendors (ISVs) with apps on Salesforce’s AppExchange, the journey doesn’t end after passing the initial security review. The digital landscape is constantly changing, and so are the threats to application security. Salesforce recognizes this and requires periodic security re-reviews to ensure that applications remain secure and up to date. This blog post will highlight the ongoing nature of security maintenance, the importance of preparing for re-reviews, and strategies for ISV partners to stay ahead. Understanding the process and staying proactive can make all the difference in keeping your app listed and trusted on the AppExchange.

The Necessity of Periodic Security

Salesforce has long upheld the motto “Trust is our number one value,” recognizing that the foundation of its vast ecosystem rests on the security and reliability of its platforms and applications. In alignment with this principle, periodic security re-reviews for apps on the AppExchange are not just routine checks but essential mechanisms to uphold this trust. These re-reviews serve multiple critical functions. 

Firstly, they ensure that apps continually meet the high-security standards required by Salesforce, adapting to new threats and vulnerabilities as they arise. The digital threat landscape is ever-changing, with new risks emerging at a rapid pace. Periodic re-reviews are Salesforce’s proactive measure to keep the ecosystem safe and secure for all users. 

Secondly, the requirement for regular security assessments embeds a culture of continuous improvement among Salesforce ISV partners. Knowing that their applications will undergo scrutiny encourages developers to prioritize security in their development lifecycle, maintain clean and efficient codebases, and keep documentation current. This continuous vigilance helps prevent the accumulation of technical debt and ensures applications are built with security as a cornerstone, not an afterthought. 

Moreover, these re-reviews reinforce Salesforce’s commitment to its core value of trust. By ensuring that all applications on the AppExchange are regularly vetted against the latest security standards, Salesforce maintains a trusted platform where businesses and users can confidently rely on the applications they use. This trust is paramount, as it supports user confidence and contributes to the overall success and integrity of the ecosystem.

Salesforce’s Re-Submission Request

When it’s time for a periodic security re-review, Salesforce will notify ISV partners via email. This communication is crucial as it marks the beginning of the re-review process, giving you a clear timeline to prepare your application for submission. However, this system hinges on the accuracy of the contact information in your partner console. Here’s where it gets spooky: the horror stories you’ve heard about partners missing these notifications aren’t just tales told around a campfire. They’re real. Imagine an email, the sole lifeline to your app’s presence on the AppExchange, lost in the digital void because it was sent to an ex-employee’s inbox. We’ve witnessed the chilling reality of partners discovering their app’s impending doom (removal from the AppExchange) all because of an outdated email. The consequence? Your app risks removal from the AppExchange for failing to comply with the re-review process. As if that wasn’t spine-chilling enough, consider the added terror of Salesforce disabling certain features like AppAnalytics and initiating push upgrades. Therefore, keeping your contact details up to date in the partner console is not just administrative housekeeping; it’s a vital part of maintaining your app’s presence on the platform.

Preparing for Re-Submission

Upon receiving the re-review notification, ISV partners typically have a few months to prepare. This period should be used wisely to ensure that your app meets Salesforce’s current security standards and that any new functionality or updates are thoroughly vetted for compliance. However, if your codebase is cluttered or lacks comprehensive documentation, this preparation can become a daunting task. Imagine juggling the development of new features your customers are eagerly awaiting with the need to address technical debt and security compliance issues. The situation can quickly escalate from manageable to a resource-draining fire drill, diverting your team’s focus away from innovation and towards firefighting.

Managing Technical Debt and Security

The key to avoiding last-minute scrambles is proactive management of technical debt and a continuous focus on security. Technical debt accumulates when quick fixes and suboptimal solutions pile up, making future changes more difficult and time-consuming. Implementing tools like PMD, Salesforce Code Scanner, and Checkmarx within your CI/CD pipeline ensures that code quality and security are evaluated continuously, helping to identify and rectify issues promptly.

Regularly refactoring your code, updating dependencies, and adhering to best practices can mitigate this risk. Similarly, integrating security considerations into the development lifecycle—from design through deployment—ensures that security isn’t an afterthought but a foundational aspect of your application. Moreover, maintaining comprehensive documentation is paramount. This includes keeping your Solution Design and User Guide up to date and in version control. Making the update of these documents part of every story’s Definition of Done ensures that your documentation evolves alongside your application, providing a clear and current overview of its architecture and functionalities. By maintaining a clean, well-documented codebase and staying ahead of security best practices, ISV partners can significantly ease the burden of preparing for a security re-review.

Seeking External Assistance

Sometimes, the expertise required to navigate the complexities of a security review surpasses the in-house capabilities of an ISV partner. This is where engaging with a Product Development Outsourcer (PDO) like Aquiva Labs can be invaluable. PDOs specialize in Salesforce solutions and are adept at conducting thorough audits of your product, identifying potential security vulnerabilities, and guiding you through the process of addressing them. We can offer fresh perspectives on your application’s architecture, help streamline your code, and ensure you’re employing the latest security measures. Partnering with us not only bolsters your preparation for the re-review but also enhances your application’s overall quality and security posture.

Additionally, self-initiating a re-review can be a strategic move to ensure your application remains in compliance with Salesforce’s evolving security standards. This proactive approach is particularly beneficial after major releases or on an annual basis, allowing you to stay ahead of potential issues and ensuring that you’re never caught off guard by Salesforce’s review process.

Your Checklist for Navigating Security Re-Reviews on Salesforce AppExchange

To wrap things up, let’s condense our recommendations into a checklist. This way, you can quickly scan through and ensure you’re covering all bases to maintain your app’s presence and security on the AppExchange:

  • Keep Listing Email Up to Date: Always ensure the contact email in your partner console is current to avoid missing crucial notifications from Salesforce.

  • Make Security Part of DevOps, Not an Afterthought: Integrate security practices throughout your development lifecycle, from design to deployment, ensuring security is a foundational aspect of your app.

  • Constantly Keep Security Review Documentation Updated: Regularly update your security review documentation to reflect any changes or updates in your app, keeping it ready for submission at any time.

  • Automate Using Tools: Leverage automation tools within your CI/CD pipeline, such as PMD, Salesforce Code Scanner, and Checkmarx, to continuously monitor and improve code quality and security.

  • Partner with a PDO: Engage with an expert Product Development Outsourcer (PDO) like Aquiva Labs to benefit from expert guidance on aligning your app with Salesforce’s security standards and enhancing its overall quality.

  • Proactively Start Re-Review: Don’t wait for Salesforce to prompt you. Initiate a security re-review yourself, especially after major releases or on an annual basis, to stay ahead of potential issues and ensure compliance.

By following these steps, you can significantly mitigate risks, maintain high security and quality standards, and ensure a smooth experience on the Salesforce AppExchange. 

If you have any questions or you need help with passing your security review or preparing for re-review, make sure to contact us below!

Written by:

Jakub Stefaniak

VP, Technology Strategy and Innovation
