The Salesforce security review team conducts a rigorous review of all products before they can be launched on AppExchange. This process is crucial for your product to be successful on AppExchange, as a “PASS” stamp from Salesforce allows end users to feel confident that your solution adheres to the highest security standards.
In this post, we’ll share each of the steps you’ll need to complete and documentation you’ll need to assemble as you prepare to submit your app for Security Review (aka Sec Rev). We’ve included several links to additional resources where you can find additional information on each item.
First things first: you’ll need to become a Salesforce partner and build your app!
- Join the Salesforce Partner Program and log into the Partner Community.
- Review the Salesforce Partner Program Agreement (SPPA) and agree to the terms & conditions. A sample SPPA can be found here.
- Build a Lightning Ready Solution.
- During the development phase, be sure to run a Checkmarx scan to look for — and fix — any security vulnerabilities.
Assemble the required documentation
Once development is complete, it is time to collect and organize the required documentation for Sec Rev. You will need to gather the following materials:
- Solution Architecture documentation. This documentation should include Package Details, Product Overview, Platform Features, and an overview of the Object Model and Integration.
- Documentation around how the product will be used, i.e. the various personas acting in the system
- User navigation steps in the Salesforce org where the package is installed
- Documentation of the data flow between the Salesforce org and the composite site, mobile app, or Chrome extension
- Checkmarx scan reports
- Chimera/Zap/Burp scan reports
- False positive documentation
- A Managed Package
- A Demo org with managed package installed and seed data loaded. Please note that this org must be fully configured and authenticated to any off-platform service, mobile app or client app.
Prior to submitting your app for review, it is generally a good idea to run this checklist builder, which will tell you the list of materials to be assembled based on the type of application being submitted:
One final key prerequisite is to get business plan approval from Salesforce. To achieve this, you’ll need to:
- Create a solution listing
- Upload business & product information
- Upload any compliance certifications (such as HIPPA, ISO 27001)
Now the listing can be submitted for Business Approval.
Once all of the above prerequisites are met, your app can be submitted for Sec Rev by navigating to Security Review Tab.
REMEMBER: Salesforce will charge $2700 for the security review (and $150/year thereafter). Be sure to keep your credit card information ready, as you’ll need to pay this fee when you submit your app. Generally, it is a good idea to use a company/corporate card to pay this fee. And don’t forget to keep the billing address handy!
You don’t need to go through Security Review alone! If you need guidance, CodeScience is here to help. Contact us today to learn how we can help you pass Sec Rev the first time!