An Introduction to the AppExchange Security Review (Part 1)
Security is something Salesforce values and never compromises on. When it comes to the security of customer information and data, Salesforce's Product Security team puts every application through a rigorous Security Review, checking how well the app protects customer data before it becomes publicly available to end users on the Salesforce AppExchange.
Salesforce gives no guarantees regarding the quality or security of any Partner Application. Customers are responsible for evaluating that themselves for any Partner Application.
How does Security Review work?
During a review, Salesforce's Product Security team attempts to identify security vulnerabilities in your solution. If the team identifies vulnerabilities, app owners can get personalized technical guidance from the review team members to help them address those vulnerabilities. The review is useful for locating security weaknesses that an attacker, malware, or other threats could exploit. During testing, the team's goal is to extract or modify data that they don't have permission to access, just as a real attacker would.
After testing a managed package or other solution, Salesforce provides a review report documenting the vulnerabilities found. The security review team is also available to meet with representatives of the app (managed package or solution) and help them address those vulnerabilities. You can fix the issues in the report and then submit the revised solution for a follow-up review. Salesforce offers multiple reviews for each submission, which lets you fine-tune the security of your solution.
The Product Security team retests a resubmitted solution that wasn't previously approved, provided the resubmission shows progress in fixing the reported security vulnerabilities.
Here’s a small sampling of the common security threats that Salesforce tests for.
- SOQL and SQL injection
- Cross-site scripting
- Insecure authentication and access-control protocols
- Salesforce platform vulnerabilities, such as record-sharing violations
Salesforce reserves the right to periodically re-examine solutions already listed on AppExchange, to check that upgraded solutions are safeguarded against the latest security vulnerabilities.
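Two of the items above, SOQL injection and record-sharing violations, are the findings most often raised against Apex code, so here is an added example (written for this article, not code from Salesforce or from any AppExchange package) that puts a vulnerable query next to its hardened forms. The class name `AccountSearch` and the method names are assumptions chosen for illustration; `with sharing`, bind variables, `String.escapeSingleQuotes` and `WITH SECURITY_ENFORCED` are standard Apex and SOQL features.

```apex
// Added example, not from the original article. Illustrates the SOQL
// injection and record-sharing points a Security Review looks for.
//
// "with sharing" makes every query in this class respect the running
// user's record-level sharing rules. A "without sharing" class (or one
// with no sharing keyword called from an unprivileged context) can
// return records the user was never granted, which is the
// record-sharing violation named in the list above.
public with sharing class AccountSearch {

    // VULNERABLE: untrusted input is concatenated straight into the query
    // string. A single quote in nameFragment terminates the string
    // literal, so the remainder of the input is parsed as SOQL rather
    // than treated as data. This is the pattern the source code scanner
    // reports as SOQL injection.
    public static List<Account> searchUnsafe(String nameFragment) {
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%'
                 + nameFragment + '%\'';
        return Database.query(q);
    }

    // SAFE: a bind variable. The platform passes :pattern to the query
    // engine as a value, so it can never change the query's structure.
    // WITH SECURITY_ENFORCED additionally throws if the running user
    // lacks field-level or object-level read access, so the query
    // cannot leak fields the user is not permitted to see.
    public static List<Account> searchSafe(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        return [SELECT Id, Name
                FROM Account
                WHERE Name LIKE :pattern
                WITH SECURITY_ENFORCED];
    }

    // SAFE when the query genuinely has to be assembled at runtime:
    // bind variables still work with Database.query as long as the
    // variable is in scope, so prefer them over escaping.
    public static List<Account> searchDynamicSafe(String nameFragment,
                                                  String orderField) {
        // Only allow a fixed set of sort fields; never trust a field or
        // object name supplied by the caller.
        Set<String> allowedOrder = new Set<String>{'Name', 'CreatedDate'};
        if (!allowedOrder.contains(orderField)) {
            throw new IllegalArgumentException('Unsupported sort field');
        }
        String pattern = '%' + nameFragment + '%';
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE :pattern '
                 + 'WITH SECURITY_ENFORCED ORDER BY ' + orderField;
        return Database.query(q);
    }

    // LAST RESORT: if a value really must be spliced into the string,
    // escape it first. This neutralises quote characters but does not
    // protect field names or keywords, which is why the allow-list
    // approach above is preferred for anything that is not a literal.
    public static List<Account> searchEscaped(String nameFragment) {
        String escaped = String.escapeSingleQuotes(nameFragment);
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%'
                 + escaped + '%\'';
        return Database.query(q);
    }
}
```

When you document a scanner finding as a false positive later in the process, the difference between `searchUnsafe` and the other three methods is the kind of evidence the reviewers expect: show that the input reaches the query only as a bind value, an escaped literal, or an allow-listed identifier.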
Different scanners for Security Review
Security Review and AppExchange listing fees
What is the Partner Security Portal?
The Partner Security Portal is the main hub for all of your security review needs. It is where you submit your solution to be listed publicly on AppExchange. The Source Code Scanner (Checkmarx) and Chimera automated security scanning tools are available on the portal, and anyone can use them to identify security vulnerabilities in their solutions. Additionally, you can book appointments with the AppExchange security engineers and the Security Review Operations team during their office hours.
Make sure the packaging org that holds your development work is a Developer Edition org before you set up your Partner Security Portal account. Always include the reports from your scans when you submit your solution for security review. For Marketing Cloud apps, the org and the documentation are not required.
Steps to ensure that you’re ready to start Review
How to test your Solution?
Throughout the solution development lifecycle, use automated scanning tools and do manual testing on your solution. Security scanning tools provide first-pass but useful insights into solution vulnerabilities. To find the vulnerabilities that automated scanning tools don't detect, you should also test your solution manually.
After you finish developing your solution, perform another round of manual testing and run the automated scanning tools that Product Security requires. The types of scans you're required to run depend on the architecture of your solution.
Every security flaw you discovered through manual testing or the scanning tools should be resolved before you submit your solution for review: either change the code, or provide an explanation of why a detected issue is a false positive.
A finding is a false positive if it looks like a security threat but isn't one.
You have a far better chance of passing the review the first time if you test your solution before submitting it.
To learn more about the AppExchange Security Review, see: An Introduction to the AppExchange Security Review (Part 2)
1. Image by Salesforce
2. Image by Freepik