Undergoing the Salesforce Security Review

Sharing is Caring

Before a company can list an application on the Salesforce AppExchange, the company needs to go through the Salesforce Security Review process.

The Salesforce Security Review process is really comprehensive and as a result is pretty expensive and very time consuming. I don’t think it’s necessarily a bad thing as we all really do need to do our best to make sure that confidential information stays confidential.

The Salesforce Security Review has a really broad scope. For example, Salesforce will review native Salesforce Apps, any web applications, any endpoints / apis, and then any mobile applications. They will even ask questions during the security review regarding what your companies policies are for Information Security, etc.

Coding Practices

The biggest thing to understand is that Salesforce is really looking for secure coding practices. One of the resources I most often see referenced is the OWASP Top 10.

I found this video to be really helpful about understanding secure coding and making sure that I was validating input, output, etc.

Native Salesforce App

One of the biggest gotchas with the security review is that you will be expected to enforce Field Level Security because Salesforce hasn’t actually done this when apex runs. This doesn’t really sound like a big deal until you start trying to do it.

I’ve put together a blog post with details about how to do this called Enforcing Security in Apex There’s also a free library that’s available called Force.com ESAPI.

Mobile Clients

In mobile applications, Salesforce will check for things like what’s being cached, where it’s being cached, and etc. During one of our first reviews at Spinify they found that we weren’t securely storing some credentials that were received from Salesforce during a single sign on process.


For testing APIs, Salesforce basically looks to see what happens when garbage data has been sent to the endpoint and what sort of validation is being done. They also do basic tests like trying to access the API unauthenticated and whether another client can see another client’s data, etc.

The one big gotcha with APIs is that Salesforce tests for CORs and automatically fails endpoints that return “*” back. Instead they expect it to return back only one url which can be painful to implement on services like AWS Gateway.

Security Reviews Take a Long Time

If your company is going to be launching a new app at Dreamforce be prepared for a pretty long wait time. Six to ten weeks isn’t unheard of before Dreamforce. Normally, the security review takes about three weeks.

Sharing is Caring

Brian is a software architect and technology leader living in Niagara Falls with 13+ years of development experience. He is passionate about automation, business process re-engineering, and building a better tomorrow.

Brian is a proud father of four: two boys, and two girls and has been happily married to Crystal for more than ten years. From time to time, Brian may post about his faith, his family, and definitely about technology.