Before a company can list an application on the Salesforce AppExchange, the company needs to go through the Salesforce Security Review process.
The Salesforce Security Review process is really comprehensive and as a result is pretty expensive and very time consuming. I don’t think it’s necessarily a bad thing as we all really do need to do our best to make sure that confidential information stays confidential.
The Salesforce Security Review has a really broad scope. For example, Salesforce will review native Salesforce apps, any web applications, any endpoints / APIs, and any mobile applications. They will even ask questions during the security review about what your company's information security policies are, etc.
Coding Practices
The biggest thing to understand is that Salesforce is really looking for secure coding practices. One of the resources I most often see referenced is the OWASP Top 10.
I found this video to be really helpful for understanding secure coding and making sure that I was validating input, output, etc.
Native Salesforce App
One of the biggest gotchas with the security review is that you will be expected to enforce object (CRUD) and Field Level Security yourself, because Apex runs in system mode by default and does not check the running user's CRUD/FLS permissions. Note that declaring a class `with sharing` only applies record-level sharing rules; it does nothing for field-level security. This doesn't really sound like a big deal until you start trying to do it.
I've put together a blog post with details about how to do this called Enforcing Security in Apex. There's also a free library that's available called Force.com ESAPI.
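As an added illustration (this is not code from the original post, from the Enforcing Security in Apex article, or from the Force.com ESAPI library), the hypothetical `ContactExporter` class below shows the three mechanisms Apex provides for enforcing the running user's object and field-level security on reads, plus the matching check before a write. The class name, the chosen Contact fields and the `LIMIT` are assumptions for the example; the API calls themselves (`Schema.DescribeFieldResult.isAccessible()`, `WITH SECURITY_ENFORCED`, `Security.stripInaccessible`) are standard platform features.

```apex
// Added example, not from the original post. Apex runs in system mode by
// default, so none of the queries below would respect the running user's
// CRUD/FLS unless the code checks it explicitly.
public with sharing class ContactExporter {   // "with sharing" = record sharing only, not FLS

    // 1. Explicit describe checks before querying. Fails closed: if the user
    //    cannot read the object or any requested field, nothing is returned.
    public static List<Contact> queryWithDescribeChecks() {
        if (!Schema.SObjectType.Contact.isAccessible()
            || !Schema.SObjectType.Contact.fields.FirstName.isAccessible()
            || !Schema.SObjectType.Contact.fields.LastName.isAccessible()
            || !Schema.SObjectType.Contact.fields.Email.isAccessible()) {
            throw new System.NoAccessException();
        }
        return [SELECT FirstName, LastName, Email FROM Contact LIMIT 100];
    }

    // 2. WITH SECURITY_ENFORCED: the SOQL engine itself throws a
    //    System.QueryException if any selected object or field is not
    //    readable by the running user.
    public static List<Contact> queryWithSecurityEnforced() {
        try {
            return [SELECT FirstName, LastName, Email
                    FROM Contact
                    WITH SECURITY_ENFORCED
                    LIMIT 100];
        } catch (System.QueryException e) {
            // Surface as an access problem rather than a generic query failure.
            throw new System.NoAccessException();
        }
    }

    // 3. Security.stripInaccessible: instead of failing, silently drop the
    //    fields the user cannot read. Useful when a partial record is acceptable
    //    (e.g. a list view), not for anything that must be all-or-nothing.
    public static List<Contact> queryAndStrip() {
        List<Contact> rows = [SELECT FirstName, LastName, Email FROM Contact LIMIT 100];
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, rows);
        // decision.getRemovedFields() reports, per object type, what was stripped;
        // log it during development so missing fields are not mistaken for empty data.
        return decision.getRecords();
    }

    // Write side: FLS applies to DML too. Check object and field updateability
    // before issuing the update; isCreateable() is the equivalent for inserts.
    public static void updateEmail(Id contactId, String newEmail) {
        if (!Schema.SObjectType.Contact.isUpdateable()
            || !Schema.SObjectType.Contact.fields.Email.isUpdateable()) {
            throw new System.NoAccessException();
        }
        update new Contact(Id = contactId, Email = newEmail);
    }
}
```

The reviewers look for one of these patterns on every SOQL query and every DML statement that touches data on behalf of a user; the describe-check form is the most verbose but also the easiest for a reviewer to confirm, which is why libraries like Force.com ESAPI wrap it.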
Mobile Clients
In mobile applications, Salesforce will check for things like what's being cached, where it's being cached, etc. During one of our first reviews at Spinify they found that we weren't securely storing some credentials that were received from Salesforce during a single sign-on process.
APIs
For testing APIs, Salesforce basically looks at what happens when malformed or unexpected data is sent to the endpoint and what sort of input validation is being done. They also run basic tests such as calling the API unauthenticated and checking whether one client can see another client's data, etc.
The one big gotcha with APIs is that Salesforce tests for CORS and automatically fails endpoints that return "*" in the Access-Control-Allow-Origin header. Instead they expect the header to name exactly one origin, which in practice means checking the request's Origin header against an allowlist and echoing back only the matching origin (with a Vary: Origin header so caches don't serve one origin's response to another). That can be painful to implement on services like AWS API Gateway.
Security Reviews Take a Long Time
If your company is going to be launching a new app at Dreamforce be prepared for a pretty long wait time. Six to ten weeks isn’t unheard of before Dreamforce. Normally, the security review takes about three weeks.