Security Review


Force.com AppExchange Security Review

All applications published on the AppExchange must go through an annual security review. The AppExchange Security Review has been developed to assess the security posture of partner organizations, and to ensure that all applications published on the AppExchange follow industry best practices for security standards.

  • Empowers customers to trust third-party apps to work securely with their Salesforce applications
  • Helps partners succeed in delivering apps that span multiple systems and meet the needs of salesforce.com customers
  • Allows salesforce.com to facilitate open relationships between customers, third-party developers, and application providers, by providing a secure ecosystem


Scope

The scope of this high-level security assessment varies based on the application type. Refer to the Requirements Checklist in the Resources section below for detailed information:


Application Type / Description / Scope

Force.com (Native & Mash-ups)
  Description: Applications built entirely on the Force.com Platform. All of the application data, logic and user interface code is stored on the Force.com Platform with no external data storage. Development can be done using a combination of Force.com Builder and the Force.com Eclipse IDE.
  Scope:
    • Review code (using semi-automated techniques) to identify the use of high-risk functions and any potential vulnerabilities

Client (On-Premise)
  Description: Applications that run outside the Salesforce environment, typically on a desktop or mobile device. These applications treat the Force.com platform as a data source, using the development model of whatever tool and platform they are designed for. Classic examples include apps designed for mobile devices such as the BlackBerry and desktop integrations such as Microsoft Outlook connectors.
  Scope:
    • Security posture of the organization (IT management, security policies, procedures, standards, etc.)
    • Application development and architecture
    • Integration with Salesforce

Composite (Hosted)
  Description: Applications that run in a third-party hosted environment and integrate with Salesforce using the Force.com web-services API. Application data, logic and user interface may be stored outside of the Force.com Platform.
  Scope:
    • Security posture of the organization (IT management, security policies, procedures, standards, etc.)
    • Application development and architecture
    • Integration with Salesforce
    • Network security review
    • Network and application penetration testing (if applicable*)


*Note: Penetration testing is performed only when an application stores sensitive Salesforce customer data (login credentials, credit card information, etc.).

Security Review Process Quick Guide

Here's a look at the Security Review Process steps:


1. Prepare for Security Review


2. Initiate Security Review


3. Participate in Security Review

  • Force.com Applications:
    • You will be requested to grant the review team login access into your developer (DE) org.
    • The review team will run semi-automated tests to identify any potential vulnerabilities in the code.
    • You may be contacted for a follow-up discussion by the review team.
  • Composite and Client Applications:
    • Your technical team will be requested to complete a security questionnaire.
    • You may be contacted by the review team for a follow-up discussion.
    • If required, a network and application penetration test will be scheduled.

Random Testing: Although certification is an annual process, salesforce.com reserves the right to conduct random on-site and off-site tests on published applications. If, during these tests, we find that the application has deviated from any of our best-practice requirements, we will notify the partner and allow some time to remedy the issue. In extreme cases, we may pull the AppExchange listing from public viewing.


4. Review Results: Based on testing results, you may be granted Full Approval, Provisional Approval or Failure.

  • Full Approval:
    • No medium or high risk issues were identified within your organization and application.
    • You will immediately be allowed to list your application on the AppExchange.
    • API token to access Professional Edition accounts will be provided.
  • Provisional Approval:
    • Certain low and medium risk issues were identified, which can be addressed fairly easily and do not pose significant risk to salesforce.com or its customers.
    • You will be allowed to list your application on the AppExchange. However, failure to remedy the noted issues within the specified time period will result in removal of the application from the AppExchange.
    • API token to access Professional Edition accounts will be provided.
  • Failure:
    • High risk issues were identified during the testing phase.
    • You will not be allowed to list your application on the AppExchange until all issues have been addressed and reviewed by the AppExchange Security team.
    • API token to access Professional Edition accounts will not be provided.

Resources

  • Security Review Costs - Understand the costs associated with the security review of various application types
  • Requirements Checklist - This checklist will help you prepare for your security review. Applications must meet these criteria in order to pass AppExchange Security Review.
  • Security Review FAQ - We have compiled all the frequently asked questions here. In particular, we recommend that you review the table that lists all the security attributes we look for to pass your application.
  • Sample Policy Template - Here's a sample policy template to guide you in creating your company security and operational policies.