Security Review Overview

The Salesforce security team conducts rigorous reviews of all products before publicly listing them on AppExchange. Ensuring that all products go through security review means that customers can feel confident in knowing that any AppExchange offering provides the highest level of protection for their data.

Because the quality of the security review submission directly impacts the time it takes to review the application, please plan on 4-6 weeks from the time the app has been submitted to manage expectations accordingly.


How to Prepare for Security Review
1. Complete two Trailhead modules:
Develop Secure Web Apps >
AppExchange Security Review >

2. Speak to a partner recruitment representative to confirm that your solution is fully enrolled and contracted into the AppExchange Partner Program >

3. Access the Partner Security Portal to:
- Run the static code analysis scanner, Checkmarx, on your Salesforce package components to check for any preliminary vulnerabilities.
- Run web app scanners Chimera or ZAP (https://security.secure.force.com/security/tools/webapp/zapbrowsersetup) (a web app scanner if you do not own the external domain) on the external component of your solution. Please note that these scans do not catch everything. You must perform your due diligence in manual testing to ensure secure development.
- Book submission-related or technical office hours for security review.

4. Watch the security review wizard walk-through demo below.

See the video timestamps below to jump to a specific topic
1:10: What is security review?

5:23: Security Documentation

9:00: Security Scans

11:58: Testing Environments

14:08: Partner Security Portal

15:56: Submission Wizard Intro

26:45: What Happens After You Submit?

27:55: Passing the Review
SR Requirements Checklist

Security Review Submission Requirements Checklist Builder

Tell Us About Your App

Select All That Apply

    On Salesforce Platform
  • Apex/Visualforce Package
  • Lightning Component
  • Quip App
  • Marketing Cloud App
    • External to Salesforce Platform
  • Website
  • API Endpoints
  • Mobile App
  • Browser Extension
  • Desktop/Client App

Your Checklist

There is a one-time upfront fee, and a small subsequent annual fee for this process:
- The initial Security Review fee is $2,700 USD for each paid app submitted (no fee for free apps).  

- The annual listing fee of $150 USD

If you have questions, speak with your Partner Account Manager (AppExchange Partner) about Security Review fees

Q: How long does security review take?
A: The review process takes about 4-6 weeks from when we receive a complete submission. Please ensure the following to prevent any delays:
- Your documentation is complete and accurate
- The test environment is complete, fully configured, and includes all necessary information
- You have met the requirements
- You are within the agreement guidelines

Q: After I pass a security review, when I create a new managed package version (effectively an upgrade of my first application), will I need to go through the full security review process again? Do I need to re-pay the security review fee?
A: No. If you develop a new version in an already approved package, once you click Start Review on the new version, it will be automatically approved and you can associate the new version to your listing. You must complete the payment step in the Security Review Wizard each time and re-enter your card information, but you won't be double-charged. 

However, we reserve the right to conduct random security penetration tests on your application throughout the year. A full security periodic re-review is normally conducted by Salesforce anywhere between 6 months to 2 years. This allows Salesforce to ensure that your app meets the latest enterprise security standards. We will send you a notification when the time comes.

Q: Why can’t the review team send me every instance of every finding for my review?
A: The security review is a time-boxed process. Due to the time and resource constraints the testing team has for each review, it is not feasible to share this information. The vulnerability findings are not a comprehensive list and should be interpreted as representative examples. All issues in the provided categories should be fixed across the offering.

Q: What if I don’t own the external endpoints or services integrated with my app? Are they still in the scope of my security review?
A: Yes. Our approach is to test all parts of every offering to ensure that our mutual customers and their data are not put at risk. This includes any external web applications or services that are integrated with your solution, even if they are owned by a third party. You will also need to contact the third party for a written consent that permits Salesforce to test their endpoint.

Q: Do I need to run ZAP, Burp or Chimera on APIs? If so, how? 
A: Yes, you do. In order to use ZAP to scan web services, you'll need to proxy your client through ZAP and invoke all of the services so that ZAP knows what to scan. After that, you should run the active scanner against your service and receive the results. You can also use ZAP to test the web services manually, by intercepting and changing requests, fuzzing, etc.


Learn more about ZAP >

Learn more about OWASP >


NOTE: Please make sure the third party web service whitelists the following IPs:


182.72.29.238, 182.71.125.154, 182.71.125.155


Target application being on third party hosting may block our source IP during testing.


More Questions?
Still have questions? Ask us in our Security Review collaboration group >