Navigating Salesforce AppExchange Security Review: What SaaS Teams Need to Know

Launching an app on Salesforce AppExchange is an exciting opportunity for SaaS companies, but before your solution can go live, it must pass the Salesforce Security Review. This step ensures your app meets Salesforce’s standards for security, reliability, and data protection. While the process can seem daunting, understanding what's involved and preparing strategically can make all the difference.

What is the AppExchange Security Review?

The Security Review is a mandatory process for any app listed publicly on the AppExchange. Salesforce’s team conducts a deep technical audit of your application to evaluate how it handles authentication, data access, code vulnerabilities, and platform compliance.

Passing the review is essential not only for listing approval, but also for customer trust. It signals to prospects that your app follows security best practices and is safe to install in their Salesforce environment.

What Does the Review Cover?

Salesforce’s review is extensive and includes:

  • OWASP Vulnerabilities: Salesforce checks for known issues like cross-site scripting (XSS), injection flaws, broken access controls, and more.

  • Authentication & Authorization: Secure login mechanisms, session management, and user role protections.

  • Data Handling: Proper encryption, secure storage, and field-level access control.

  • Code Quality: Apex, Visualforce, Lightning components, and any third-party integrations are reviewed for best practices.

  • API Usage: APIs must be used securely and efficiently, with rate limiting and error handling in place.

  • User Permissions: Your app should honor and respect Salesforce's built-in user access levels and sharing rules.

How to Prepare for a Successful Review

Preparation is key. Here’s how to set your app up for a smooth review process:

1. Follow Salesforce’s Secure Coding Guidelines

Salesforce provides a Secure Coding Guide and Checklist. Use them to audit your code early and often.

2. Build with Least Privilege in Mind

Avoid giving your app or its users excessive permissions. Ensure field-level and object-level security (FLS and OLS) are respected in every query and transaction.

3. Validate and Sanitize All Inputs

Don’t assume inputs are safe. Always validate data coming into your app, whether from users, external systems, or Salesforce itself.
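Steps 2 and 3 above come down to the same few Apex patterns the reviewers look for. The following class is an added illustration written for this post, not code from the original article or from any Salesforce or Zaghop project; it uses the standard Account object and fields, while the class name, method names and the filter whitelist are hypothetical. Each "before" method shows a pattern that typically fails review next to its hardened counterpart.

```apex
// Added example for this post (not the article's code): least privilege and
// input validation in Apex. Class and method names are hypothetical.
public with sharing class AccountLookupService {

    // BEFORE (do not ship): concatenating caller input into dynamic SOQL lets
    // the caller change the query, and nothing checks whether the running user
    // may read the fields that are returned.
    public static List<Account> searchUnsafe(String industry) {
        String q = 'SELECT Id, Name, Rating FROM Account WHERE Industry = \'' + industry + '\'';
        return Database.query(q);
    }

    // AFTER: validate the input, bind it instead of concatenating, and run in
    // user mode so CRUD, FLS and sharing rules of the running user apply. A
    // field the user cannot read makes the query fail instead of leaking data.
    public static List<Account> searchSafe(String industry) {
        if (String.isBlank(industry) || industry.length() > 40) {
            throw new IllegalArgumentException('industry must be 1-40 characters');
        }
        return [SELECT Id, Name, Rating FROM Account
                WHERE Industry = :industry
                WITH USER_MODE
                LIMIT 200];
    }

    // When the filter field itself is chosen by the caller, whitelist the field
    // name (a hypothetical allow list) and still bind the value.
    private static final Set<String> FILTERABLE = new Set<String>{ 'Industry', 'Rating', 'Type' };

    public static List<Account> searchByField(String field, String value) {
        if (!FILTERABLE.contains(field)) {
            throw new IllegalArgumentException('unsupported filter field');
        }
        String q = 'SELECT Id, Name FROM Account WHERE ' + field + ' = :val LIMIT 200';
        return Database.queryWithBinds(q,
                                       new Map<String, Object>{ 'val' => value },
                                       AccessLevel.USER_MODE);
    }

    // DML: strip the fields the running user may not update before saving,
    // rather than letting a system-mode update write them anyway.
    public static List<Database.SaveResult> updateRatings(List<Account> changes) {
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.UPDATABLE, changes);
        if (!decision.getRemovedFields().isEmpty()) {
            // Record that fields were dropped so the behaviour is visible in tests and logs.
            System.debug(LoggingLevel.WARN, 'Stripped fields: ' + decision.getRemovedFields());
        }
        return Database.update(decision.getRecords(), false, AccessLevel.USER_MODE);
    }
}
```

The point of `WITH USER_MODE`, `Database.queryWithBinds(..., AccessLevel.USER_MODE)` and `Security.stripInaccessible` is that enforcement happens in the platform rather than in hand-written `isAccessible()` checks you can forget; a unit test that runs these methods as a restricted user (via `System.runAs`) is the kind of evidence worth including in the test plan mentioned in step 5.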

4. Conduct a Pre-Review Security Scan

Use tools like Salesforce’s scanner CLI (previously called Checkmarx) or other static code analysis tools to identify vulnerabilities before you submit.

5. Document Everything

Include detailed documentation in your submission, such as user access controls, permission set configurations, data flow diagrams, and your test plan.

Common Pitfalls to Avoid

  • Hard-coded credentials or API keys

  • Bypassing field-level security checks in Apex code

  • Failing to handle CRUD/FLS enforcement across profiles

  • Lack of proper logging or error handling

  • Poor session or token management in external integrations
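Three of the pitfalls listed above (hard-coded credentials, weak error handling, and token management in external integrations) show up together in callout code. The class below is an added example written for this post, not code from the original article or any real project; the Named Credential `Partner_API` and the partner's `/v1/accounts` path are hypothetical placeholders.

```apex
// Added example for this post (not the article's code): an outbound callout
// that keeps the secret out of source and handles failures explicitly.
// "Partner_API" is a hypothetical Named Credential; the path is made up.
public with sharing class PartnerApiClient {

    // BEFORE (do not ship): a secret in source is readable by anyone with
    // package access, can only be rotated with a new release, and is one of
    // the first things the review flags.
    // private static final String API_KEY = 'replace-me-hard-coded-secret';

    // AFTER: endpoint and credential live in a Named Credential. The platform
    // adds the Authorization header when the request is sent, so the token
    // never appears in Apex, in debug logs, or in the package.
    public static Map<String, Object> fetchAccount(String externalId) {
        // Validate the one piece of caller input before it reaches the URL.
        if (String.isBlank(externalId) || !Pattern.matches('[A-Za-z0-9_-]{1,64}', externalId)) {
            throw new IllegalArgumentException('invalid external id');
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/v1/accounts/'
                        + EncodingUtil.urlEncode(externalId, 'UTF-8'));
        req.setMethod('GET');
        req.setTimeout(10000); // fail fast rather than hold the transaction open

        try {
            HttpResponse res = new Http().send(req);
            Integer status = res.getStatusCode();
            if (status == 401 || status == 403) {
                // Credential or token problem: report it without echoing headers or body.
                throw new PartnerApiException('authentication to partner API failed');
            }
            if (status != 200) {
                throw new PartnerApiException('partner API returned HTTP ' + status);
            }
            return (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        } catch (CalloutException e) {
            // Log the failure class only; never request headers or response bodies,
            // which may carry tokens or customer data.
            System.debug(LoggingLevel.ERROR, 'Partner API callout failed: ' + e.getMessage());
            throw new PartnerApiException('partner API unreachable', e);
        }
    }

    public class PartnerApiException extends Exception {}
}
```

Because the Named Credential holds the token, rotation or a change of authentication scheme is an admin configuration change instead of a code change, and the 401/403 branch gives operators a clear signal when a token has expired rather than a generic failure buried in a stack trace.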

What Happens After Submission?

Once submitted, Salesforce will:

  1. Conduct a static and dynamic code analysis.

  2. Review your documentation and test plan.

  3. Provide a detailed report with pass/fail status and remediation requirements if needed.

The timeline varies but generally takes 2–6 weeks, depending on the complexity of your app and whether revisions are needed.

How Zaghop Can Help

At Zaghop, we’ve helped our clients prepare for and pass the Salesforce Security Review. We build apps with security in mind from day one, and we know how to avoid common pitfalls that can delay your listing.

Whether you need help auditing your app, preparing documentation, or guiding your internal dev team, Zaghop is your partner for a successful AppExchange launch.

Contact us today to take the stress out of the Security Review process and get your app live faster and more confidently.