Start tracking your progress
Trailhead Home
Trailhead Home

Get Started with Application Security



Attention, Trailblazer!

Salesforce has two different desktop user interfaces: Lightning Experience and Salesforce Classic. This module is designed for Salesforce Classic.

You can learn about switching between interfaces, enabling Lightning Experience, and more in the Lightning Experience Basics module here on Trailhead.

Learning Objectives

After completing this unit, you'll be able to:
  • Describe the developer’s role in securing your Salesforce org and custom applications.
  • Sign up for a special Security Testing Developer Edition org.

Why Is Application Security Important?

Over the past five years, criminals have increasingly found ways to steal from businesses with applications—particularly web-based applications. You’ve most likely seen many news reports of stolen credit cards, exposed passwords, and defaced websites.

Latest Security Breaches in the News

So it’s important to make sure your custom web applications are secure. Salesforce is constantly striving to make our platform as secure as possible. Because we are a platform, we release some of that security control to you, so you have the flexibility you need to meet the business requirements of your organization. As a result, security for the apps you develop on the Lightning Platform is a joint responsibility between Salesforce and you.

Application Security Is Your First Line of Defense

Many think the Salesforce admin is responsible for protecting end users, but developers also have an important role to play. The admin configures many of the security policies to protect the org’s data and users, but it’s up to the developers to ensure that these configurations are enforced in custom applications.

If you’re developing applications to release on the AppExchange, your role in application security becomes even more significant. Before an application can be released, a Salesforce security expert must look at the application’s source code as well as any external integrations to ensure proper security standards are followed. This is called a security review. Only after an application passes the security review with zero security findings can it be released onto the AppExchange. The security review also prepares our partners and developers to meet the enterprise security standards that most of their future customers will ask for.

Application Security in the Kingdom Management App

To teach you how to handle different security issues you might encounter while developing on the Lightning Platform, we’ll use a sample app called Kingdom Management. In this module you’ll assume the role of the lead Apex developer for the app, which lets castle-dwelling users track their inventory. You follow news about security breaches across the globe, and you’re worried about all the custom code you’ve created. You know you’ll have to pass a security review by the Salesforce security team to list your app on the AppExchange. Are there vulnerabilities in your app that can be used to expose your customers’ data?

This module teaches you about the different security issues that you should consider when developing on the Lightning Platform. You’ll learn how to spot, exploit, and mitigate vulnerabilities in the Kingdom Management app with the hopes of passing the AppExchange security review on the first try!

Learning Application Security with a Developer Edition Org

A developer edition org is a safe environment where you can practice the skills you’re learning, and you’ll definitely need one as you work through the challenges here on Trailhead. Don’t worry—we’re not going to teach you how to write vulnerable Lightning Platform code. Instead, we’ve created a special org that has vulnerable applications already deployed for you to practice in. Your job will be to identify the vulnerabilities and to fix them.

To get set up in the Kingdom Management developer org, you’ll need to sign up:

  1. Go to the custom sign-up page for the Kingdom Management developer org.
  2. Fill out the form using an active email address and click Sign Me UpKingdom Management Developer Org Signup Page
  3. Check your email for an activation request.
  4. Click the link in the email, and complete your registration by setting a new password and challenge question

After you have your Kingdom Management developer username, you’ll be ready to start learning how to defend your users and data using application security.



The code in the Kingdom Management application is vulnerable to certain kinds of vulnerabilities. In the developer org, these vulnerabilities are benign, but they may pose more serious problems if replicated to a production Salesforce environment. Use the Kingdom Management application for educational purposes only.

Navigating the Kingdom Management Developer Org

Throughout this module and the other modules in this trail, the lessons will refer to the Kingdom Management application and the demos and challenges contained therein. Below are the various features for navigating the developer org:

Kingdom Management Developer Org Navigation Overview
  • On the upper right side, the application picker will contain apps that refer to various topics covered by the modules and units. Multiple units may refer to a single application as long as they share the same topic.
  • The tab bar for each app will contain tabs specific to demos and challenges. The content will refer to each of these demos and challenges by name.
  • Inside each tab, the Visualforce page will have a Demo section that will contain the contents of the issue being demonstrated.
  • Inside each tab, the Visualforce page will have a Code Links section that will contain quick links to the pieces of code relevant to the demo or challenge. Clicking the link will quickly take you to the Visualforce page, Apex controller, or other items associated to your demo or challenge.