Dreamforce 2019 drew more than 170,000 people to downtown San Francisco last year. While this year’s Dreamforce will be remote-only, building on the success of Salesforce’s first fully-virtual event, TrailHeaDX, many people are excited about what’s to come November 9-12.

For ISVs, Dreamforce traditionally marks the opportunity to debut shiny new apps for an audience of attendees who live and breathe all things Salesforce. And, for all intents and purposes, this year won’t be any different. As happens every year, there are firm deadlines ISVs must meet to get their apps reviewed and listed on the AppExchange. This process, of course, includes passing Salesforce’s security review.

Salesforce security review is a detailed process designed to ensure the security of every app listed on the AppExchange. It validates that your application is architected and coded with security best practices.

The Ins and Outs of Security Review

“Security review” is a phrase that’s been known to strike fear in the hearts of new and experienced ISVs alike. Just mentioning this step in the app listing process can bring to mind a black hole of never-ending diagnoses and testing.

But it doesn’t have to be this bad.

For starters, Salesforce does a fantastic job of outlining the security issues for which they test. Most notably, these include:

  • SOQL and SQL injection
  • Cross-site scripting
  • Insecure authentication and access control
  • Vulnerabilities specific to the Salesforce platform, such as record-sharing violations
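To make the first and last items on that list concrete, here is an added Apex example (written for this page, not code from the original post or from Salesforce’s own materials) showing a contact lookup in the form that fails review next to two forms that pass. The class and method names are assumptions for illustration.

```apex
// Added example, not from the original post: one SOQL lookup written three ways.
// "with sharing" makes the class respect the running user's record-sharing rules,
// which is the usual fix for the record-sharing violations reviewers flag.
public with sharing class ContactSearch {

    // VULNERABLE: user-controlled text is concatenated straight into the query.
    // An input of   x' OR Name LIKE '%   rewrites the WHERE clause into a match-all,
    // so the caller reads every Contact the class can see.
    public static List<Contact> findByLastNameUnsafe(String lastName) {
        String q = 'SELECT Id, Name, Email FROM Contact WHERE LastName = \''
                 + lastName + '\'';
        return Database.query(q);
    }

    // ACCEPTABLE: escape single quotes before interpolating. This closes the
    // string-literal injection above, but the query is still built from text,
    // so every call site has to remember to do it.
    public static List<Contact> findByLastNameEscaped(String lastName) {
        String safe = String.escapeSingleQuotes(lastName);
        String q = 'SELECT Id, Name, Email FROM Contact WHERE LastName = \''
                 + safe + '\'';
        return Database.query(q);
    }

    // PREFERRED: static SOQL with a bind variable. The value is passed to the
    // query engine as data and is never parsed as query text, so there is nothing
    // to escape. WITH SECURITY_ENFORCED additionally throws if the running user
    // lacks object- or field-level read access (CRUD/FLS), another review item.
    public static List<Contact> findByLastName(String lastName) {
        return [SELECT Id, Name, Email
                FROM Contact
                WHERE LastName = :lastName
                WITH SECURITY_ENFORCED];
    }
}
```

Bind variables also work in dynamic SOQL when the variable is in scope (`Database.query('... WHERE LastName = :lastName')`), which is the right fix when the query shape genuinely has to be assembled at runtime; reserve `String.escapeSingleQuotes` for the cases where a literal must be spliced in.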

For non-technical audiences, these topics can quickly become overwhelming. In short, each of these vulnerabilities poses a significant risk to business and user data if it ships in a released app. So, what can ISVs do to understand what Salesforce is looking for and maximize their chances of passing review?

The answer is a resource you’re probably already very familiar with — Trailhead. Salesforce has designed specific Trailhead content around the security review process. The learning path covers everything from the basics of app security and developing a security strategy to submitting your app for review and beyond. What’s more, Salesforce has created a Security Specialist Superbadge. This path outlines everything ISVs need to become experts in Salesforce security.

But it’s important to keep in mind that Salesforce’s security requirements are only half of the approval battle.

Doing Your Part

Outside of the core standards Salesforce sets for apps to pass security review, there are aspects ISVs must be keenly aware of to help maintain security. Each of these issues not only represents the opportunity for a failed security review, but may also point to opportunities for better security practices across a business. These topics include:

  • API security
  • Username and password enumeration (login and reset flows whose responses reveal which accounts exist)
  • Using outdated third-party libraries
  • Transport layer security (TLS) issues

The challenge with these security weaknesses is that there’s no set playbook for how to identify and manage them. Organizations such as OWASP, however, offer community-based resources businesses can use to test apps and make them more secure.

And this doesn’t mean that the security review process has to be any more difficult. If anything, this reminder can help you get in front of any issues that could cause your app to fail. Also, it’s never a bad idea to stay on top of security best practices.

A Final Word

Passing security review is a vital component for listing an app on the AppExchange. While it can seem like a large task, Salesforce is very clear about the vulnerabilities they look for in the review process. By educating yourself, learning about the risks and how to prevent them, and adhering to security best practices, you can get your app approved and listed in time to wow attendees at Dreamforce 2020.

To learn how CodeScience can help you navigate the AppExchange, visit www.codescience.com/services.