Complete the Review Process and List Your Solution

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how the Product Security team reports vulnerabilities.
  • Explain how to resubmit your solution for review after fixing security issues.
  • List the steps to take to launch your solution after it’s approved.

Face the Facts

You just got an email from the Salesforce security team. Your solution has been reviewed. You’ve been waiting for this email, so you’re excited. But in a way, you dread opening it: What if you didn’t pass?

Keep Your Chin Up

Because we’ve been talking about “passing” the security review, you might think of the security review as an exam that you pass or fail. But it’s not really so clear cut. Think of the review as feedback from the security team—feedback that helps you improve the quality of your solution and increases your chances of a successful launch.

If your solution doesn’t pass its security review, you get an email to let you know that there's new info available in the Security Review wizard. You can download your report from the Overview page. The report lists the vulnerabilities that the security team found, and has detailed instructions on how to fix these vulnerabilities.

Your security report

The nice thing about the report is that it gives you specific descriptions of the issues it finds. It provides a hyperlinked table of contents at the top of the report that looks something like this:

  1. SOQL Injection Vulnerability...
  2. Sensitive Information in Debug Vulnerability...
  3. Information Disclosure Vulnerability...
  4. CRUD/FLS Enforcement Vulnerability...

Each entry is a type of security vulnerability. Beneath each entry is the name of the component where the vulnerability was discovered. Below the table of contents are detailed descriptions of each vulnerability. Clicking an entry takes you to the corresponding description.

We Go Wide. You Go Deep

The report lists every kind of vulnerability found in your solution, but not every instance. If you see a SOQL injection vulnerability on the list, review all your code—not solely the component mentioned—for SOQL injection opportunities.

We can also alert you to the types of vulnerabilities we exploited to break into your solution, but we can’t make an exhaustive list. Your team has a lot more expertise in your code base anyway. So you can find these vulnerabilities faster than we can once you know that they exist.
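
One way to sweep a whole code base for the SOQL injection pattern, rather than only the component named in the report, added here as an example that is not part of the original unit or of Salesforce tooling. It is a line-based heuristic that flags `Database.query` and `Database.countQuery` calls whose query string is built by concatenation; the function name, file names and sample classes are constructed for illustration.

```python
import re

# Dynamic SOQL entry points; Apex identifiers are case-insensitive.
CALL = re.compile(r"Database\.(?:query|countQuery)\s*\((.*)\)\s*;", re.I)
IDENT = re.compile(r"^[A-Za-z_]\w*$")

def find_dynamic_soql(sources):
    """Return (file, line, reason) per dynamic SOQL call built by concatenation."""
    findings = []
    for name, text in sorted(sources.items()):
        lines = text.splitlines()
        for no, line in enumerate(lines, 1):
            m = CALL.search(line)
            if not m:
                continue
            arg = m.group(1).strip()
            if "+" in arg:
                findings.append((name, no, "query concatenated in call"))
            elif IDENT.match(arg):
                # Query passed as a variable: built with + or += earlier?
                built = re.compile(
                    r"\b" + re.escape(arg) + r"\s*(?:\+=|=(?!=).*\+)", re.I)
                if any(built.search(prev) for prev in lines[:no - 1]):
                    findings.append((name, no, f"'{arg}' built by concatenation"))
    return findings

# Constructed sample classes (not from any real package).
SAMPLE = {
    "AccountSearch.cls": r"""
public with sharing class AccountSearch {
    public static List<Account> byName(String term) {
        String q = 'SELECT Id FROM Account WHERE Name LIKE \'%' + term + '%\'';
        return Database.query(q);
    }
}""",
    "ContactSearch.cls": r"""
public with sharing class ContactSearch {
    public static List<Contact> byEmail(String email) {
        return [SELECT Id FROM Contact WHERE Email = :email];  // bind variable
    }
    public static Integer total(String objName) {
        return Database.countQuery('SELECT COUNT() FROM ' + objName);
    }
}""",
}

if __name__ == "__main__":
    for finding in find_dynamic_soql(SAMPLE):
        print(*finding, sep=": ")
```

Each hit is a place to review by hand; the static query with a bind variable in `ContactSearch.byEmail` is not flagged.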

Testing Isn’t Perfect

We can only spend a limited amount of time finding vulnerabilities in your solution. Sometimes when a solution is re-reviewed, we find some new kinds of vulnerabilities we didn’t see the first time. Testing isn’t comprehensive, either in width or depth. So when you review your code base, keep your eyes peeled for all kinds of vulnerabilities, even those not in the report.

Keep calm and fix your code

As you fix the vulnerabilities, don’t forget to reuse scanners and adversarial testing on your solution, just as you did before the review. They help prevent new vulnerabilities from sneaking into your code.

Review Your Practices as Well as Your Code

Sit down for a chat with your team to process the results of the security review. Here are some questions you can use to start a conversation.

  • How did these vulnerabilities slip through your own security reviews?
  • Were there things you could have done to find them sooner?
  • Would more testing help?
  • Would more staffing or more time help?
  • Would more Salesforce security training help?
  • Did you learn anything from the security review that can be applied to your development process?
  • Did you use Salesforce Code Analyzer to scan your code?

There's no perfect strategy for achieving security—it takes dedication and determination. But you can always improve your overall strategy by incorporating what you learn from each security review.

And of course, your success is our success! If you need specific technical guidance on remediating vulnerabilities in your solution or if you need technical security advice, our Security Team holds office hours which you can sign up for on the Partner Security Portal.

Rinse, Repeat

You’ve fixed your solution and revamped your development process. You can’t believe how much more secure everything is, and you can’t wait for a security review rematch. Do your worst, Salesforce Product Security team!

The security team never backs down from a challenge. You need only get their attention. How you do that depends on whether you fixed code that runs on the Salesforce Platform.

If you changed code in a Salesforce Platform package, you must upload a new version of your managed package. If you also made changes external to the package, add that information when you go through the security review submission interface.

First, upload your new package version from your Dev Hub or Developer Edition org.

  1. From the Partner Console, click the Technologies tab.
  2. Find your new package version in the list.
  3. Click Start Review next to the Security Review field on your new package version.
  4. Click through the security review submission interface.

Next, connect your new managed package version to your listing.

  1. In the Partner Console, click the Listings tab.
  2. Click your listing.
  3. From the Listing Builder step tracker, click Link Your Solution.

The Link Your Solution Listing Builder step with Select Solution and Select Version textboxes.

  4. In Select Version, choose your managed package version.
  5. Review and check the Security message.
  6. Review the installation method.
  7. Click Save & Exit.

If you fixed only code that runs externally to Salesforce, or if you are submitting the same package version for another review, edit your existing security review submission information:

  1. From the Partner Console, click the Technologies tab.
  2. Click your solution.
  3. Click Edit Review next to the Security Review field on your package.
  4. Go through the security review wizard and update any information that has changed.
  5. To let the Product Security team know you’re resubmitting your product for review, log a support case in the Salesforce Partner Community.

Note

Each security review re-test costs $999. And as in the first round, the follow-up security review process takes 2–3 weeks. For more information on our fees, see AppExchange Security Review Fees.

Ship It

Check your solution’s security review status to learn when your submission passed.

A sample AppExchange Security Review status page with Prepare & Submit, Submission Verification, Testing, and Done stages, an approved note, and a Your submission passed status

You’ve done it! That wasn’t so bad, was it? Congratulate everyone on your team and enjoy the moment. Celebrate in your favorite way.

Note

Don’t forget about the listing approval process we mentioned earlier. You need listing approval plus the security review before you publish your listing and distribute your solution.

When that magic moment passes, it’s time to launch your solution. The Security Review Overview page gives you an idea of your next steps in this process. Finalize your listing in the Partner Console and get your marketing team ready.

Milestone 5 in the ISV Onboarding Guide covers how to publish your listing on AppExchange. The guide also highlights related, helpful resources.

Then sit back and watch your numbers grow.
