Submit Your Solution for Security Review
After completing this unit, you’ll be able to:
- Explain when your product needs a security review.
- List the materials you need to submit for a security review.
- Explain how to begin the security review submission process.
- Describe the security review submission process.
Know When You Need a Review
The security review process is critical, but it doesn’t have to be painful. We want to make it comfortable and familiar to you. We want it to be no big deal.
You know that your solution needs to go through a security review before you launch it on AppExchange. But new threats appear every day. So the Salesforce Product Security team can ask for your solution to be reviewed at any time, even after it’s been approved. Typically, AppExchange solutions are reviewed for security once a year.
Here’s the good news: You don’t have to go through a security review every time you release a new version of your solution. Just follow the same submission process described in this unit, and the new version is automatically reapproved.
All solutions on AppExchange must pass our security review: Apps, Flow and Bolt solutions, Lightning data—all solutions. The process is the same, but the details may differ.
Assemble Your Materials
What you provide to the Product Security team depends on your product’s architecture. The folks reviewing your solution need everything a new customer needs to use it. After all, they are masquerading as attackers who have access to a running instance. So provide access to any environments, packages, and external components your solution uses and include any documentation that comes with your product. Our testers like to see complete customer, admin, and user documentation. When you submit your solution for review, make sure that you provide:
- User navigation steps for the Salesforce org
- Documentation of data flow between the Salesforce org and the composite site, mobile app, or Chrome extension
- A full list of features for the composite component
- Valid requests and responses for any REST endpoint in the composite component, if present
The Product Security team also wants to know that you’ve done your homework. Include the reports you got from the scanners you ran on your product, along with explanations of any false positives.
To generate a security review checklist that is customized to your solution, use the Security Review Submission Requirements Checklist Builder in the Salesforce Partner Community. Select any combination of solution architecture elements, such as Lightning components, then click Compile Checklist to generate a list of security review materials.
You must meet several milestones before you submit your product for security review. To learn about each one, review our ISV Onboarding Guide.
The key prerequisite to submitting your product for security review is getting the Salesforce stamp of approval for your business plan.
Submit Your Materials
The Salesforce Product Security team knows that they’re asking you for a lot. So they created the handy security review interface.
Start the Review
Begin the security review submission process from the Publishing Console in the Partner Community. Let's walk through the process for a Lightning-compatible app developed as a 2GP managed package.
- From the Publishing Console, click the Listings tab.
- Click your product listing.
- Click your solution type tab: App.
- If you haven’t already, select the package associated with your solution. This step is required for package solutions only.
- Complete all required specifications and installation details.
- Click Security Review. If you want more information about the security review process, click a tile, such as Trailhead AppExchange Security Review, to learn more.
- Click Start Review.
Keep Track of Your Progress
Use the security review progress bar to quickly see where you are in the process. After you complete a section, it will change from blue to green. You can jump around, but you must complete all sections before submitting.
Provide Company Information
The first step of the security review submission process is to provide your contact information.
- Provide contact information: a primary contact person whom the Salesforce security team can contact with questions, and a distribution list as a backup contact. These contacts also receive your security review results.
- Click Save & Next.
Provide Compliance Information
Next, provide compliance information. If a question isn’t relevant to your solution, select N/A.
- Provide details about your company’s PCI compliance.
- Provide details about your company’s HIPAA compliance.
- Provide details about your company’s System and Organization Controls (SOC) compliance.
- Fill out your company’s general compliance details.
- Click Save & Next.
Fill Out the Questionnaire
Next, answer some general questions about your solution on the Questionnaire tab. The questions change depending on your solution type and architecture.
Provide your answers, then click Save & Next.
Remember when we asked you to assemble your materials earlier in this unit? It’s time to go get those files and reports. The documents you need vary depending on your solution type and architecture.
- Select Choose File to include your solution's architecture and usage documentation (1).
- Include the security scanner report you got from Checkmarx (2).
- If Checkmarx reported any false positives, you can attach a document explaining each one (3).
- If your solution uses external services, you scanned them with ZAP or Chimera. If ZAP reported no issues, demonstrate that you’ve tested the correct external endpoint. You can include a screenshot of each tool scanning that endpoint (4).
- Click Save & Next.
Provide Test Environments
The Product Security team must test your app in every environment possible. Follow these steps to provide your solution’s test environments and credentials.
- Select sandbox or production for your dedicated Salesforce test org, and type in a username, the password with a security token appended, and a description. Make sure it’s a Developer Edition org. Click Add. The form verifies this information by logging in to the org.
- Enter credentials and a URL for each external web app or service your solution uses, clicking Add for each one. For web applications and services, be sure to select the appropriate authentication from the picklist.
- For each desktop client your product includes, enter an installation link, along with any credentials, license files, and configuration data. Click Add after you’ve finished entering each one.
- For each of your product’s mobile apps, provide the platform, an installation file or link, and any other helpful information. Click Add after each one.
- Enter any other test environment information.
- Click Save & Next.
Review Your Summary
The Summary section contains a read-only view of all information you provided in the previous sections. Be sure to scroll down to review every section before you click Save & Next.
Have Your Credit Card Ready
For every paid solution you sell on AppExchange, we ask for a $2,700 fee payment. This payment includes your one-time security review fee and your $150 first-year annual AppExchange listing fee. If your product is free, we waive both fees. Enter your billing information in the Payment section, then click Submit.
You’re All Set!
Congratulations—you made it! Take a deep breath, do some stretches. If anything is missing from your submission, the security review team contacts you. After everything is in place, you get an email confirming that your product is in line for a security review.
A solution typically takes 4–8 weeks to get through the review process. When the Product Security team finishes, they send you a report listing any issues that they found. If they find nothing wrong, they approve your product. Woo-hoo!
If the team does find issues and you have questions, get help at our office hours. Our technical office hours are very popular. To receive the best technical guidance from our security experts, we recommend that you meet for an office hour after you submit your product for security review and a few weeks before the review is complete. A little extra help is likely all that you need to get your product approved.
What happens next? Continue on to find out.
- Partner Community Chatter Group for Security Review
- Office Hours with AppExchange security engineers and the Security Review Operations team
- ISV Onboarding Guide
- Salesforce Partner Program
- Partner Account Manager
- Partner Community: Security Review
- Partner Community: AppExchange Listing
- ISVforce Guide