Security Review Overview


The Salesforce security team conducts rigorous reviews of all products before publicly listing them on AppExchange. Ensuring that all products go through security review means that customers can feel confident in knowing that any AppExchange offering provides the highest level of protection for their data.

Because the quality of the security review submission directly impacts the time it takes to review the application, please plan on 4-6 weeks from the time the app has been submitted to manage expectations accordingly.

/s/SecurityReviewProcess.png?v=2

How to Prepare for Security Review

1. Complete two Trailhead modules: 
Develop Secure Web Apps >
AppExchange Security Review >

2. Speak to a partner recruitment representative to confirm that your solution is fully enrolled and contracted into the AppExchange Partner Program >

3. Access the Partner Security Portal to: 
- Run the static code analysis scanner, Checkmarx, on your Salesforce package components to check for any preliminary vulnerabilities.
- Run web app scanners Chimera or ZAP (https://security.secure.force.com/security/tools/webapp/zapbrowsersetup) (a web app scanner if you do not own the external domain) on the external component of your solution. Please note that these scans do not catch everything. You must perform your due diligence in manual testing to ensure secure development.
- Book submission-related or technical office hours for security review. 

4. Watch the security review wizard walk-through demo below.