Salesforce Partner Community

Blog: 10 Tips to Passing Security Review from Trailhead

Jan 25, 2017

by Amanda Nelson

If you’re reading this, you likely went through — or are about to go through — the legendary Security Review process. All applications enrolled in the ISV Partner Programs must go through a mandatory periodic security review. Why? Because without security, there is no trust. As Parker Harris, Salesforce co-founder and EVP of technology says, “Nothing is more important to our company than the privacy of our customers’ data.” Trust requires security.

The security review process is critical, but it doesn’t have to be painful. Just as a Salesforce career is undoubtedly championed by Trailhead badges and superbadges, future app partners can be best prepared for the magical moment of passing Security Review with Trailhead. The latest Trailhead Module, ISV Security Review, helps you devise an app security strategy and prepares you for a security review.

Here are the highlights of how to pass Security Review, but for the complete roadmap, take this Trailhead module. This is all part of the 3 E’s:

Education - New Trailhead ISV Security Review Module and Develop Secure Web Apps
Enablement - App Cloud Security Center and Security Review for Partners
Engagement - Security Review Collaboration Group

1. Appoint a security advocate
Your company has rules about who gets access to what information. Perhaps you used a key or a badge to enter the office. Specific people are in charge of setting and enforcing these rules. The customer data in your app or component also needs protection, just like the information in your company. It’s true that security is everyone’s responsibility, but to make sure security remains a priority, consider appointing a security advocate to your team. A security advocate is your team’s chief security officer—they think about your product’s security all the time.

2. Build with secure code
Nobody wants to be the one standing between a product and its release. So imagine how tense things can be if your launch date gets pushed back because the Salesforce Product Security team finds a vulnerability. If it’s a minor issue, it’s easy to fix. But if you have to go back and change your design because of a fundamental security flaw, you’re facing extra work and a potentially long delay.

3. Consider security in each stage of development
Whatever methodology you use to write your software, make sure that your team thinks about security from the beginning. Apply secure design patterns and programming practices at every stage of development, and test your app against attacks.

4. Prepare for the Security Review
You wouldn’t claim that a feature in your app worked properly without testing it, would you? Of course not. One of your app’s most important features is its protection of customer data. In a security review, our Product Security team tests your product’s defenses against the attacks. Our testers put on their burglar masks and try to break into your app in an intensive session that lasts several hours. Their mission is to steal data that they don’t have permission to access.

5. Bring everything to the table
When you submit your app for review, make sure that you provide a complete test setup and instructions for using it. If your solution includes a native mobile app, include the installation link for it. If you’re integrating an external web-based accounting service, set up an instance that hosts it.

6. Try to hack your own app
After you’ve fixed all the security problems you know about, try to find some more! Stock up on black T-shirts and sugary soda, and convert your testers into hackers. With your team’s security advocate, devise a plan for adversarial testing, or attacking your own product and trying to steal its data. The OWASP Testing Guide is a great resource for this.

7. Submit your app for Security Review
You know that your product needs to go through a security review before you launch it on AppExchange. But new threats appear every day. So the Salesforce Product Security team can ask for your product to be reviewed at any time, even after it’s been approved. Typically, AppExchange products are reviewed for security once a year. Here’s the good news: You don’t have to go through a full security review every time you release a new version of your product. Just follow the same submission process in this Trailhead unit, and it will go through an automated approval process.

8. Assemble your materials
What you provide to the Product Security team depends on your product’s architecture. The folks reviewing your product need everything a new customer needs to use it. After all, they are masquerading as attackers who have access to a running instance. So provide access to any environments, packages, and external components your app uses and include any documentation that comes with your product. The Product Security team also wants to know that you’ve done your homework. Include the reports you got from the scanners you ran on your product, along with explanations of any false positives.

9. Submit through the Security Review Wizard
The Salesforce Product Security team knows that they’re asking you for a lot. So they created the handy Security Review Wizard to help you submit everything. Once you’re done submitting, take a deep breath, do some stretches. Maybe walk around a bit. If anything is missing from your submission, the security review team will contact you. Once everything is in place, you get an email confirming that your product is in line for a security review. A product typically takes 6 to 8 weeks to get through the review process. When the Product Security team finishes, they’ll send you a report listing any issues that they found. If they find nothing wrong, they approve your product. Woo-hoo! (If you don’t pass, no worries! Go back and take the ISV Trailhead Module to learn how to re-submit.)

10. Ship it
You’ve done it! That wasn’t so bad, was it? Congratulate everyone on your team and enjoy the moment. Celebrate in your favorite way. When that magic moment passes, it’s time to launch your product. Finalize your listing in the Publishing Console (on the Partner Community) and get your marketing team ready. Salesforce can help with your launch. The Partner Community has several great resources on distributing, marketing, selling, and supporting your products on AppExchange. Then sit back and watch your numbers grow. Now that you’ve aced the Education component, check out Enablement on the new App Cloud Security Center and on the Partner Community, and Engagement in the Security Review Collaboration Group. And once you get that sweet new Trailhead badge, share it out. You’ve got this.