Complete the Review Process and List Your Solution
Learning Objectives
After completing this unit, you’ll be able to:
- Describe how the Product Security team reports vulnerabilities.
- Explain how to resubmit your solution for review after fixing security issues.
- List the steps to take to launch your solution after it’s approved.
Face the Facts
You just got an email from the Salesforce security team. Your solution has been reviewed. You’ve been waiting for this email, so you’re excited. But in a way, you dread opening it: What if you didn’t pass?
If your solution doesn’t pass its security review, you get an email to let you know that there's new info available in the Security Review wizard. You can download your report from the Overview page. The report lists the vulnerabilities that the security team found, and has detailed instructions on how to fix these vulnerabilities.
Keep Your Chin Up
Because we’ve been talking about “passing” the security review, you might think of the security review as an exam that you pass or fail. But it’s not really so clear cut. Think of the review as feedback from the security team—feedback that helps you improve the quality of your solution and increases your chances of a successful launch.
The nice thing about the report is that it gives you specific descriptions of the issues it finds. It provides a hyperlinked table of contents at the top of the report that looks something like this:
- SOQL Injection Vulnerability...
- Sensitive Information in Debug Vulnerability...
- Information Disclosure Vulnerability...
- CRUD/FLS Enforcement Vulnerability...
Each entry is a type of security vulnerability. Beneath each entry is the name of the component where the vulnerability was discovered. Below the table of contents are detailed descriptions of each vulnerability. Clicking an entry takes you to the corresponding description.
We Go Wide. You Go Deep
The report lists every kind of vulnerability found in your solution, but not every instance. If you see a SOQL injection vulnerability on the list, review all your code—not solely the component mentioned—for SOQL injection opportunities.
We can also alert you to the types of vulnerabilities we exploited to break into your solution, but we can’t make an exhaustive list. Your team has a lot more expertise in your code base anyway. So you can find these vulnerabilities faster than we can once you know that they exist.
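To make the "review all your code" advice concrete, here is an added Apex example that is not part of this Trailhead unit or of any Salesforce-provided code. It shows the kind of pattern a SOQL Injection finding points at next to two hardened forms, and folds in the Sensitive Information in Debug and CRUD/FLS Enforcement categories from the sample table of contents. The class name ContactSearch, the searchTerm parameter and the Contact fields selected are hypothetical choices for illustration.

```apex
// Added example (not from the Trailhead unit). ContactSearch and the
// searchTerm parameter are hypothetical names chosen for illustration.
public with sharing class ContactSearch {

    // VULNERABLE: user-controlled input is concatenated straight into a
    // dynamic SOQL string, so a quote character in searchTerm changes the
    // query itself. This is the pattern a "SOQL Injection Vulnerability"
    // finding points at; search every Database.query call site for it.
    public static List<Contact> findByLastNameUnsafe(String searchTerm) {
        String soql = 'SELECT Id, Name, Email FROM Contact '
                    + 'WHERE LastName = \'' + searchTerm + '\'';
        // Writing the raw input and the query to the debug log also trips
        // "Sensitive Information in Debug": debug logs are visible to admins.
        System.debug(soql);
        return Database.query(soql);
    }

    // HARDENED (static SOQL): the bind variable keeps searchTerm as data,
    // and WITH SECURITY_ENFORCED throws a QueryException when the running
    // user lacks read access to Contact or to any selected field, which
    // covers the "CRUD/FLS Enforcement" category for this read path.
    public static List<Contact> findByLastNameSafe(String searchTerm) {
        return [SELECT Id, Name, Email
                FROM Contact
                WHERE LastName = :searchTerm
                WITH SECURITY_ENFORCED];
    }

    // HARDENED (dynamic SOQL): when the query text must be built at run time,
    // still pass the value as a bind variable (Database.query resolves
    // :searchTerm from the local scope) instead of splicing it into the
    // string, and check object and field access explicitly via Schema
    // describe before querying.
    public static List<Contact> findByLastNameDynamic(String searchTerm) {
        Schema.DescribeFieldResult emailField = Schema.sObjectType.Contact.fields.Email;
        if (!Schema.sObjectType.Contact.isAccessible() || !emailField.isAccessible()) {
            throw new System.NoAccessException();
        }
        String soql = 'SELECT Id, Name, Email FROM Contact WHERE LastName = :searchTerm';
        return Database.query(soql);
    }
}
```

When you sweep the code base after a finding, the unsafe method is the shape to look for: any Database.query argument assembled with string concatenation from request parameters, custom settings or record fields. Static SOQL with bind variables, or dynamic SOQL that binds rather than concatenates, removes the injection class entirely, and WITH SECURITY_ENFORCED or Schema describe checks address the CRUD/FLS category in the same place.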
Testing Isn’t Perfect
We can only spend a limited amount of time finding vulnerabilities in your solution. Sometimes when a solution is re-reviewed, we find some new kinds of vulnerabilities we didn’t see the first time. Testing isn’t comprehensive, either in width or depth. So when you review your code base, keep your eyes peeled for all kinds of vulnerabilities, even those not in the report.
As you fix the vulnerabilities, don’t forget to run your scanners and adversarial tests again, just as you did before the review. They help prevent new vulnerabilities from sneaking into your code.
Review Your Practices as Well as Your Code
Sit down for a chat with your team to process the results of the security review. Here are some questions you can use to start a conversation.
- How did these vulnerabilities slip through your own security reviews?
- Were there things you could have done to find them sooner?
- Would more testing help?
- Would more staffing or more time help?
- Would more Salesforce security training help?
- Did you learn anything from the security review that can be applied to your development process?
- Did you use Salesforce Code Analyzer to scan your code?
There's no perfect strategy for achieving security—it takes dedication and determination. But you can always improve your overall strategy by incorporating what you learn from each security review.
And of course, your success is our success! If you need specific technical guidance on remediating vulnerabilities in your solution, or if you need technical security advice, our Security Team holds office hours, which you can sign up for on the Partner Security Portal.
Rinse, Repeat
You’ve fixed your solution and revamped your development process. You can’t believe how much more secure everything is, and you can’t wait for a security review rematch. Do your worst, Salesforce Product Security team!
The security team never backs down from a challenge. You need only get their attention. How you do that depends on whether you fixed code that runs on the Salesforce Platform.
If you changed code in a Salesforce Platform package, you must upload a new version of your managed package. If you also made changes external to the package, add that information when you go through the security review submission interface.
First, upload your new package version from your Dev Hub or Developer Edition org.
1. From the Partner Console, click the Technologies tab.
2. Find your new package version in the list.
3. Click Start Review next to the Security Review field on your new package version.
4. Click through the security review submission interface.
Next, connect your new managed package version to your listing.
1. In the Partner Console, click the Listings tab.
2. Click your listing.
3. From the Listing Builder step tracker, click Link Your Solution.
4. In Select Version, choose your managed package version.
5. Review and check the Security message.
6. Review the installation method.
7. Click Save & Exit.
If you fixed only code that runs externally to Salesforce, or if you are submitting the same package version for another review, edit your existing security review submission information:
1. From the Partner Console, click the Technologies tab.
2. Click your solution.
3. Click Edit Review next to the Security Review field on your package.
4. Go through the security review wizard and update any information that has changed.
5. To let the Product Security team know you’re resubmitting your product for review, log a support case in the Salesforce Partner Community.
Ship It
Check your solution’s security review status to learn when your submission passed.
You’ve done it! That wasn’t so bad, was it? Congratulate everyone on your team and enjoy the moment. Celebrate in your favorite way.
When that magic moment passes, it’s time to launch your solution. The Security Review Overview page gives you an idea of your next steps in this process. Finalize your listing in the Partner Console and get your marketing team ready.
Milestone 5 in the ISV Onboarding Guide covers how to publish your listing on AppExchange. The guide also highlights related, helpful resources.
Then sit back and watch your numbers grow.