Force.com ISV Security Review
All applications enrolled in the ISVForce or Force.com Embedded Partner Programs must go through a mandatory periodic security review. The Security Review has been developed to assess the security posture of partner offerings, to ensure that applications published on the AppExchange follow industry best practices for security, and to promote trust.
The scope of the security review depends on the composition of the offering. Most offerings contain one or more parts that are classified as Native, Composite (Web Applications), or Client/Mobile. Our approach is to test all parts of the offering to ensure that our mutual customers and their data are not put at risk. The table below describes at a high level what testing is performed for each part.
Security Review Process Quick Guide
Here's a look at the Security Review Process steps:
1. Prepare For The Security Review
2. Initiate The Security Review
3. Publish Your Application On The AppExchange
Random Testing: Salesforce.com reserves the right to conduct random on-site and off-site tests on published offerings. If, during these tests, we find that the offering has deviated from any of our requirements, we will notify the publisher and provide a timeframe to remedy the issue. In extreme cases, we may pull the AppExchange listing from public viewing.
- Secure Cloud Development Resources - This page introduces Force.com Secure Cloud Development, a new suite of tools, training and processes to help all developers get started building trusted applications.
- Best Practices to Create a Partner “Trust” Site - This document describes best practices to build your own “Trust” site.
- Security Review Costs - Understand the costs associated with the security review of various application types.
- Requirements Checklist - This checklist will help you prepare for your security review. Applications must meet these criteria in order to pass security review.
- Secure Coding Guideline - These documents describe common security issues and give guidance on effectively remediating them within your application.
- Security Review FAQ - We have compiled all the frequently asked questions here. In particular, we recommend that you review the table that lists all the security attributes we look for when deciding whether your application passes.
- Sample Policy Template - Here's a sample policy template to guide you in creating your company security and operational policies.