A Project Manager’s Guide to Salesforce Security Review

As a project manager at Appiphony, I have managed the Salesforce security review submission process for at least a dozen customers over the last 5 years. Due to the number of tactical steps involved in a Security Review, I developed a checklist to manage the process and will elaborate on the checklist items in this post. I hope by sharing my experiences, it will help you avoid some of the mistakes I made early on.

I want to be clear that this post will not cover how to build security and quality into your app. Salesforce has created an excellent set of resources and guidance documents on this topic. Most recently, Salesforce launched the Trust Academy (trustacademy.salesforce.com): this is a new set of free, self-service educational materials that you should familiarize yourself with.

Moving on…

Prep Work

✔ Ensure you have a contract in place with Salesforce. This sounds silly, but I can’t tell you how many times I have submitted an app for security review on behalf of a client, only to find out that they have not executed their ISV (Independent Software Vendor) contract. Salesforce will immediately notify you that your Security Review submission is “Incomplete” if you do not have a contract in place. If you are unsure if you have a contract in place, contact your Salesforce Partner Account Manager.

Run required security scans against your App

Scanning your total solution is a big part of the review process, and I suggest doing this early and as often as you can. This includes the app you build on Salesforce along with any functionality that exists outside of Salesforce and connects back to your Salesforce app. If a portion of your solution lives outside of Salesforce and integrates with your offering, you will need to scan it as well. Do not wait until the last minute to perform this scan; it should be done months before submission. Waiting is one of the biggest mistakes people make, and it often causes long delays in getting your app approved. Changes to an app external to Salesforce typically take longer because it usually has existing customers and a more stringent release process.

For scanning the portion of your app built on Salesforce use:

Force.com Security Scanner

✔ Submit your app through the Force.com Security Code Scanner. When you get your results, address any issues that get flagged.

✔ Document false positives from your force.com scan results. You will need to provide this information when you submit your app for security review.

For scanning the portion of your app built outside of Salesforce use:

ZAP or Chimera Scanner

✔ If the Salesforce App you are building includes an integration with an external App, you will have to run the ZAP or Chimera tool against the external app.

✔ Document false positives from your ZAP or Chimera scan results. You will need to provide this information when you submit your app for security review.
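The false-positive documentation step above, as an added example (not code from the original post, from Salesforce, or from Appiphony): a Python script that triages the alerts in a ZAP JSON report against a list of documented false positives, each carrying a written justification, and flags stale entries that no longer match any finding. It assumes ZAP's JSON report layout (`site` -> `alerts` -> `instances`); the report and the false-positive entries are constructed samples, not real scan output.

```python
"""Triage OWASP ZAP alerts against a documented false-positive list.

Added example for this post; not Salesforce's or Appiphony's code. Assumes the
alert layout of ZAP's JSON report (site -> alerts -> instances). The report and
the false-positive entries below are constructed samples.
"""
import json
from collections import Counter

# Constructed sample in the shape of a ZAP JSON report (not a real scan).
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://external-app.example",
        "alerts": [
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://external-app.example/static/logo.png",
                            "method": "GET"}]},
            {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://external-app.example/search",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://external-app.example/health",
                            "method": "GET"}]},
        ]}]
})

# Documented false positives keyed by (pluginid, uri). The justification is the
# part the review team actually reads. Illustrative entry, not a real decision.
FALSE_POSITIVES = {
    ("10038", "https://external-app.example/health"):
        "Unauthenticated JSON health endpoint; serves no HTML, so CSP is not applicable.",
}

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def _instance_keys(report):
    """Yield (alert, instance) pairs for every alert instance in the report."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                yield alert, inst


def triage(report_json, false_positives):
    """Return one row per alert instance, marked 'false_positive' or 'open'.

    Open findings come first, highest risk first, so the work list is obvious.
    """
    rows = []
    for alert, inst in _instance_keys(json.loads(report_json)):
        justification = false_positives.get((alert["pluginid"], inst["uri"]))
        rows.append({
            "pluginid": alert["pluginid"],
            "name": alert["name"],
            "risk_code": int(alert["riskcode"]),
            "risk": RISK_NAMES.get(alert["riskcode"], alert["riskcode"]),
            "uri": inst["uri"],
            "method": inst.get("method", ""),
            "param": inst.get("param", ""),
            "status": "false_positive" if justification else "open",
            "justification": justification or "",
        })
    rows.sort(key=lambda r: (r["status"] != "open", -r["risk_code"]))
    return rows


def stale_false_positives(report_json, false_positives):
    """Documented false positives that match no finding in this report.

    A stale entry usually means the finding was fixed (drop the entry) or the
    URI changed (re-verify it), so it should not be submitted as-is.
    """
    present = {(a["pluginid"], i["uri"])
               for a, i in _instance_keys(json.loads(report_json))}
    return sorted(k for k in false_positives if k not in present)


def summarize(rows):
    """Counts by status, plus open findings broken down by risk level."""
    by_status = Counter(r["status"] for r in rows)
    open_by_risk = Counter(r["risk"] for r in rows if r["status"] == "open")
    return {"by_status": dict(by_status), "open_by_risk": dict(open_by_risk)}


def false_positive_doc(rows):
    """Render the false-positive documentation as Markdown table lines."""
    lines = ["| Plugin | Alert | Risk | URI | Justification |",
             "|---|---|---|---|---|"]
    for r in rows:
        if r["status"] == "false_positive":
            lines.append(f"| {r['pluginid']} | {r['name']} | {r['risk']} | "
                         f"{r['uri']} | {r['justification']} |")
    return lines


if __name__ == "__main__":
    triaged = triage(SAMPLE_REPORT, FALSE_POSITIVES)
    print(summarize(triaged))
    print("\n".join(false_positive_doc(triaged)))
    print("stale:", stale_false_positives(SAMPLE_REPORT, FALSE_POSITIVES))
```

To use it on a real scan, feed the script the JSON report ZAP writes and keep the false-positive list in version control alongside the app, so the justification text that goes into the submission is reviewed like any other change.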

Create a Test Org. for the Security Review Team

✔ Package the final app you plan on submitting for Security Review.

✔ Create a Test Org. from the Environment Hub. Install your package(s) and configure an end-to-end testing environment for the Security Review team.

Submit App for Security Review

✔ Initiate your Security Review submission from the Partner Community.

  1. Login to the Partner Community
  2. Click on the Publishing tab, then click the Packages tab
  3. Find the package version you want to submit and click the Start Review link
  4. If you can’t find your package, you might not have linked your Org. to the Partner Community. In this case, click on Organizations in the sub navigation. Link your Org. to the Partner Community so the packages display on the Packages page.

Finally, below is a list of items you will need to provide with your security review submission:

  • Technical/Security point of contact, including email address and phone number
  • Your company’s documented information security policy (if you have one)
  • A list of your company’s Information Security Certifications (if you have them)
  • The login credentials for a fully configured Test Org. Salesforce expects logins for the different types of users that will be using your app.
  • Force.com Security Code Scanner Report
  • Documentation of false positives from the Force.com Security Scan (if applicable)
  • Remember, if your App. includes integration with an external app, you are required to run a scan on the external app using ZAP or Chimera. Include the scan results from one of these tools. You must also include documentation of false positives from the scan results.
  • I hate to end this post on a bum note, but you will also have to pony up $2,700 for your initial submission. This is a one-time fee; every year after that you will be charged $150.

Post Submission

✔ Within 48 hours of submitting your app for security review, Salesforce will notify you of next steps.

✔ The review process alone takes somewhere between 4–8 weeks. This estimate assumes your submission is complete and accurate. Plan accordingly.