Force.com AppExchange Security Review

All applications published on the AppExchange must go through an annual security review. The AppExchange Security Review has been developed to assess the security posture of partner organizations, and to ensure that all applications published on the AppExchange follow industry best practices for security standards.

  • Empowers customers to trust third-party apps to work securely with their Salesforce applications
  • Helps partners succeed in delivering apps that span multiple systems and meet the needs of salesforce.com customers
  • Allows salesforce.com to facilitate open relationships between customers, third-party developers, and application providers, by providing a secure ecosystem


Scope

The scope of this high-level security assessment varies based on the application type. Refer to the Requirements Checklist in the Resources section below for detailed information:


Application Type: Force.com (Native & Mash-ups)
Description: Applications where the primary data, logic and user interface are built entirely on the Force.com Platform. The application may call out to approved third-party web services such as Amazon, Google, Facebook, etc.
Scope:
  • Review code (using semi-automated techniques) to identify the usage of high-risk functions and any potential vulnerabilities, such as cross-site scripting and SOQL injection.

Application Type: Client (On-Premise)
Description: Applications that run outside the Salesforce environment, typically on a desktop or mobile device. These applications treat the Force.com platform as a data source, using the development model of whatever tool and platform they are designed for. Classic examples of this kind of app include the iPhone app and Microsoft Outlook connectors.
Scope:
  • Application development and architecture
  • Integration with Salesforce

Application Type: Composite (Hosted)
Description: Applications that run in a third-party hosted environment and integrate with Salesforce via the Force.com web-services API. Application data, logic and user interface may be stored outside of the Force.com Platform.
Scope:
  • Application development and architecture
  • Integration with Salesforce
  • Network security review
  • Hands-on web-application assessment



Security Review Process Quick Guide

Here's a look at the Security Review Process steps:


1. Prepare for Security Review


2. Initiate Security Review

  • Ensure that you have signed the online AppExchange Master Agreement.
  • Pay the security review fee by faxing in the completed Credit Card Authorization form. Refer to the Security Review Costs page to determine if this fee applies to your application.
  • Initiate the security review of your application by logging into the AppExchange Publisher Profile (www.appexchange.com) and clicking "Start Review".


3. Participate in Security Review

  • Force.com Applications:
    • Complete a brief self-evaluation checklist and questionnaire to provide us an overview of the application.
    • Provide the review team with a fully configured test account and grant login access to your publishing org.
    • The review team will run semi-automated tests to identify any potential vulnerabilities in the code.
    • You may be contacted for a follow-up discussion by the review team.
  • Composite and Client Applications:
    • Your technical team will be requested to complete a security questionnaire.
    • Provide a fully configured test environment to the review team.
    • You may be contacted by the review team for a follow-up discussion.
    • Network and web-application penetration test will be conducted.

Random Testing: Although certification is an annual process, salesforce.com reserves the right to conduct random on-site and off-site tests on published applications. If, during these tests, we find that the application has deviated from any of our best-practice requirements, we will notify the partner and allow some time to remedy the issue. In extreme cases, we may pull the AppExchange listing from public viewing.


4. Review Results: Based on testing results, you may be granted Full Approval, Provisional Approval or Failure.

  • Full Approval:
    • No medium- or high-risk issues were identified within your organization and application.
    • You will immediately be allowed to list your application on the AppExchange.
    • An API token to access Professional Edition accounts will be provided.
  • Provisional Approval:
    • Certain low- and medium-risk issues were identified, which can be addressed fairly easily and do not pose significant risk to salesforce.com or its customers.
    • You will be allowed to list your application on the AppExchange. However, failure to remedy the noted issues within the specified time period will result in removal of the application from the AppExchange.
    • An API token to access Professional Edition accounts will be provided.
  • Failure:
    • High-risk issues were identified during the testing phase.
    • You will not be allowed to list your application on the AppExchange until all issues have been addressed and reviewed by the AppExchange Security team.
    • An API token to access Professional Edition accounts will not be provided.

Resources

  • Security Review Costs - Understand the costs associated with the security review of various application types
  • Requirements Checklist - This checklist will help you prepare for your security review. Applications must meet these criteria in order to pass AppExchange Security Review.
  • Security Review FAQ - We have compiled all the frequently asked questions here. In particular, we recommend that you review the table that lists all the security attributes we look for to pass your application.
  • Sample Policy Template - Here's a sample policy template to guide you in creating your company security and operational policies.