The Reimagined Trailblazer Community is Here! Learn More.

Complete the Review Process and List Your Solution

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how the Product Security team reports vulnerabilities.
  • Explain how to resubmit your solution for review after fixing security issues.
  • List the steps to take to launch your solution after it’s approved.

Face the Facts

You just got an email from the Salesforce security team. Your solution has been reviewed. You’ve been waiting for weeks for this email, so you’re excited. But in a way, you dread opening it: What if you didn’t pass?

If your product doesn’t pass its first security review, it’s in good company. Half of all submitted offerings fail their first security review. Security isn’t easy! If it were, we wouldn’t actually need the security review process.

Let’s explore both possible security review outcomes—not passing, and passing—since you’re likely to encounter both as you develop your solutions.

Keep Your Chin Up

Because we’ve been talking about “passing” the security review, you might think of the security review as an exam that you pass or fail. But it’s not really so clear cut. Think of the review as feedback from the security team—feedback that helps you improve the quality of your product and increases your chances of a successful launch.

If your product doesn’t pass its security review, you get this feedback as a report that lists the vulnerabilities that the security team found. The email you receive also has detailed instructions on how to fix these vulnerabilities.

Your security report

The nice thing about the report is that it gives you specific descriptions of the issues it finds. It provides a hyperlinked table of contents at the top of the report that looks something like this:

  1. SOQL Injection Vulnerability...
  2. Sensitive Information in Debug Vulnerability...
  3. Information Disclosure Vulnerability...
  4. CRUD/FLS Enforcement Vulnerability...

Each entry is a type of security vulnerability. Beneath each entry is the name of the component where the vulnerability was discovered. Below the table of contents are detailed descriptions of each vulnerability. Clicking an entry takes you to the corresponding description.

We Go Wide. You Go Deep

The report lists every kind of vulnerability found in your product, but not every instance. If you see a SOQL injection vulnerability on the list, review all your code—not solely the component mentioned—for SOQL injection opportunities.

We can also alert you to the types of vulnerabilities we exploited to break into your solution, but we can’t make an exhaustive list. Your team has a lot more expertise in your code base anyway. So you can find these vulnerabilities faster than we can once you know that they exist.

Testing Isn’t Perfect

We can only spend a limited amount of time finding vulnerabilities in your product. Sometimes when a solution is re-reviewed, we find some new kinds of vulnerabilities we didn’t see the first time. Testing isn’t comprehensive, either in width or depth. So when you review your code base, keep your eyes peeled for all kinds of vulnerabilities, even those not in the report.

Keep calm and fix your code

As you fix the vulnerabilities, don’t forget to reuse scanners and adversarial testing on your product, just as you did before the review. They help prevent new vulnerabilities from sneaking into your code.

Review Your Practices as Well as Your Code

Sit down for a chat with your team to process the results of the security review. Here are some questions you can use to start a conversation:

  • How did these vulnerabilities slip through your own security reviews?
  • Were there things you could have done to find them sooner?
  • Would more testing help?
  • Would more staffing or more time help?
  • Would more Salesforce security training help?
  • Did you learn anything from the security review that can be applied to your development process?

There's no perfect strategy for achieving security—it takes dedication and determination. But you can always improve your overall strategy by incorporating what you learn from each security review.

And of course, your success is our success! If you need guidance in fixing vulnerabilities or examining your processes, contact your partner account manager or technical evangelist. If you need technical security advice, our Trust Team holds office hours.

Rinse, Repeat

You’ve fixed your solution and revamped your development process. You can’t believe how much more secure everything is, and you can’t wait for a security review rematch. Do your worst, Salesforce Product Security team!

The security team never backs down from a challenge. You need only get their attention. How you do that depends on whether you fixed code that runs on the Salesforce platform.

If you changed code that runs on the Salesforce platform, you must upload a new version of your managed package. If you also made changes external to the package, add that information when you go through the security review submission interface:

  1. From the Publishing Console, click the Listings tab.
  2. Click your listing.
  3. Click your solution type tab, such as App or Bolt.
  4. Upload your new managed package to your listing by clicking Select Package.
  5. Click Start Review next to the Security Review field on your package.
  6. Click through the security review submission interface.

If you fixed only code that runs externally to Salesforce, edit your existing security review submission information:

  1. From the Publishing Console, click the Listings tab.
  2. Click your listing.
  3. Click Edit Review next to the Security Review field on your package.
  4. Go through the security review interface and update any information that has changed.
  5. To let the Product Security team know you’re resubmitting your product for review, log a case in the Partner Community. Include your package name, ID, and version in the comments.

Either way, you don’t have to pay another setup fee. As long as your package ID and your namespace don’t change, we consider your resubmission as the same offering as before. And as in the first round, the follow-up security review process takes 2—3 weeks.

Ship It

When your product passes its security review, you get a nice email saying that it's approved. You’ve done it! That wasn’t so bad, was it? Congratulate everyone on your team and enjoy the moment. Celebrate in your favorite way.

When that magic moment passes, it’s time to launch your product. The security review email gives you an idea of your next steps in this process. Finalize your listing in the Publishing Console and get your marketing team ready.

Milestone 6 in the ISV Onboarding Guide covers how to publish your listing on AppExchange. The guide also highlights related, helpful resources.

Then sit back and watch your numbers grow.

Resources

Keep learning for
free!
Sign up for an account to continue.
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities