
#Security Review

Hi Everyone,

We’re currently facing challenges with the AppExchange security review process for our managed package. The application integrates Salesforce with an external Node.js-based web application.

While we’ve addressed most issues within the Salesforce managed package, previous security reviews have flagged concerns with the external web application. We’re looking for guidance or expert assistance from someone familiar with navigating Salesforce security reviews, particularly in scenarios involving external web applications.

If you know of any professionals who can help, please share their contact information or point us in the right direction.

Any help or advice would be greatly appreciated. Thank you!


#AppExchange  #Security Review  #External Application  #Integration  #Hiring


 value="{!v.singleRec.Name}" /> 

<span class="slds-truncate" title="Name">{!v.singleRec.Name}</span> 


This is the code for the aura component. I am receiving a Client DOM XSS vulnerability in the Checkmarx report of the Force.com source code scanner for the security review. I am unable to identify the precise problem.


#TrailblazerCommunity  #Trailhead  #Security Review

1 comment

I have a custom profile and have assigned it to a user; however, after assigning all types of permission sets and object settings to view and modify all for the Return Order object. Return Order OWD is private. #Security Review #Security #FSL Mobile

2 answers
  1. May 30, 2024, 1:48 PM

    In a Profile or Permission Set make sure to check the "Use Order Management Return Order" system permission to be able to access Return Order Object.


    This is a poorly documented behavior of the Return Order object that is counter-intuitive to troubleshoot, as without this permission the OWD and CRUD settings are ignored.


    Hope this helps!


Hi - My app has recently failed a security review. I'm comfortable that I can make the required changes but I wondered if anyone knew how long Salesforce typically took to complete their second review once I've resubmitted?

1 answer
  1. Ines Garcia (get: Agile) Forum Ambassador
    Oct 12, 2023, 11:10 AM

    It varies quite a bit depending on how many changes you have to make and the workload of the team.

    Assuming you are registered as an ISV, you can tap into your allocated PAM via the partner portal.


Hey all, 


I am facing an issue while trying to submit a security review for a package in Salesforce.

ERROR: "Error occurred while loading a Visualforce page" at http://partners.salesforce.com at the listing of the security review stage. Please guide me on how to proceed further.

4 comments
  1. Jan 25, 2023, 8:26 PM

    Alright, figured out the issue. Salesforce needs to approve the listing before you can send it for review. You need to submit your business plan and a Salesforce rep will contact you. Apparently the Visualforce page will break without the approval.


    ***Leaving for other folks that might hit the same issue***


Back when the whole Guest User Security thing started, I ran into an issue with queries to certain setup objects from Guest Users. The metadata reported that the objects were inaccessible when they should be. In order to work around that issue, I have one class that is declared without sharing that does not do CRUD/FLS checks. This class queries Group, GroupMember, UserRole, and OrgWideEmailAddress.


Anyone know if that issue has been fixed? 


We're about to go through security review, and if the issue is fixed, I can change the class declaration and add WITH SECURITY_ENFORCED to the queries. If the issue is not fixed, I'll have to document it as a false positive.

1 comment
  1. May 20, 2021, 10:01 PM
    These are considered "setup" objects, which we don't want to be accessed by a guest user. So you will have to continue doing this in a without sharing class, but the AppExchange security team should be aware of this pattern. If you have any issues with reviews there please post back here and we can help with alignment.
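    An added example (not code from the post above or from Salesforce) of the pattern the reply describes: the setup-object queries are isolated in one small `without sharing` class that is documented for the reviewer, while ordinary business-object queries live in a `with sharing` class and use WITH SECURITY_ENFORCED. Class, method and field choices are hypothetical; the two classes would be separate .cls files.

```apex
// SetupObjectReader.cls (hypothetical name)
// Single documented exception for the security review: Group, GroupMember,
// UserRole and OrgWideEmailAddress are setup objects that a guest user cannot
// be granted access to, so CRUD/FLS is deliberately not enforced here.
// Keep this class minimal and read-only so the scope of the exception is clear.
public without sharing class SetupObjectReader {

    // Returns queue developer names keyed by Group Id.
    public static Map<Id, String> queueNamesById() {
        Map<Id, String> names = new Map<Id, String>();
        for (Group g : [SELECT Id, DeveloperName FROM Group WHERE Type = 'Queue']) {
            names.put(g.Id, g.DeveloperName);
        }
        return names;
    }

    // Returns the Id of a verified org-wide address, or null if none matches.
    public static Id orgWideAddressId(String address) {
        List<OrgWideEmailAddress> rows = [
            SELECT Id FROM OrgWideEmailAddress WHERE Address = :address LIMIT 1
        ];
        return rows.isEmpty() ? null : rows[0].Id;
    }

    // Role names visible to the package, keyed by UserRole Id.
    public static Map<Id, String> roleNamesById() {
        Map<Id, String> names = new Map<Id, String>();
        for (UserRole r : [SELECT Id, Name FROM UserRole]) {
            names.put(r.Id, r.Name);
        }
        return names;
    }
}

// GuestCaseService.cls (hypothetical name)
// Everything that is not a setup object stays with sharing and lets the
// platform enforce object and field permissions; a guest user without access
// gets a QueryException instead of silently reading data.
public with sharing class GuestCaseService {

    public static List<Case> openCasesForQueue(Id queueId) {
        return [
            SELECT Id, Subject, Status
            FROM Case
            WHERE OwnerId = :queueId AND IsClosed = false
            WITH SECURITY_ENFORCED
            LIMIT 200
        ];
    }
}
```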

Hi, 

In the new design for security review, updating the billing information on every new release has started to be strange behaviour for us; also, the strangest part is that it asks us for the address information, not for card information. Is there a way we can save the information?


@Salesforce Security Group 


We have developed one custom Salesforce app, and before we submit it for Salesforce security review, it would be good to have your feedback on the question below.


As part of this app, we are fetching data via API from a 3rd party website, storing some information in a custom object in Salesforce, and displaying information in real time based on the user's selection in Salesforce.


We have already scanned the Salesforce app using Checkmarx: https://security.secure.force.com/security/tools/forcecom/scanner and worked on the points identified and suggested by the scanner.


Do we need to scan the 3rd party website using Chimera Scanner as per this page https://security.secure.force.com/sourcescanner/ ? As I mentioned above, we use this website for API calls and fetching data to be displayed in the Salesforce app.


Looking forward to your feedback!


Thank you,

Brijesh

2 comments

Fastcall is working on a new listing associated with a new managed package. It is a good opportunity to start with packaging 2, so we are exploring it and have successfully created some test packages v2.


The feature looks great, and we found it can really help us automate our package creation process.

We found that the packages created are not listed in the AppExchange packaging tab, even after promoting to managed release and linking the dev hub org to the AppExchange organizations. This may be because the feature is in beta?


So given this, we should start with packaging 1, but we are not sure if it will be possible to do the upgrade in the future.


@Antonio Grassi @Maiquel Cabrera 

1 comment
  1. Jul 31, 2018, 3:35 AM
    @Richard Rosen

    - It will take 2-3 releases to get to a stage where managed packaging 2 has feature parity with packaging 1 and is listable on AppEx. Until then, you can use Packaging 2 for internal development and Packaging 1 for distribution to customers.

    We are working on capabilities to migrate package 1 packages to package 2. When that is available and when Packaging 2 is GA with full feature parity, you will be able to migrate your Package 1 packages to Package 2.
