
Force.com AppExchange & OEM Security Review

All applications enrolled in the AppExchange or OEM Partner Programs must go through a mandatory periodic security review. The Security Review has been developed to assess the security posture of partner offerings, to ensure that applications published on the AppExchange follow industry best practices for security, and to promote trust.


Scope

The scope of the security review depends greatly on the composition of the offering. Most offerings contain one or more parts that are classified as Native, Composite, or Client/Mobile. Our approach is to test all parts of the offering to ensure that our mutual customers and their data are not put at risk. The table below describes, at a high level, what types of testing are performed for each part.


Integration Part: Native Force.com

  Description:
  • Primary data, logic, or user interface is built on the Force.com Platform using Apex and Visualforce

  Scope:
  • Review of all code using proprietary, semi-automated tools
  • Hands-on security assessments for Google, Amazon and Facebook web service integrations
  • Review of client-side technologies (Flash, JavaScript, etc.)

Integration Part: Composite (Hosted)

  Description:
  • Part or all of the application runs in a 3rd-party hosted environment and integrates with Salesforce using the Force.com web services API
  • Data, logic, and UI may be stored outside of Force.com

  Scope:
  • App development and architecture
  • Integration with Force.com
  • Network/host security review
  • Hands-on manual and automated application security testing
  • Review of client-side technologies (Flash, JavaScript, etc.)

Integration Part: Client (Installed software / plug-ins / mobile apps)

  Description:
  • Applications that run on a desktop, in a customer-managed datacenter, at a customer-managed cloud provider, or on a mobile device

  Scope:
  • App development and architecture
  • Integration with Force.com
  • Hands-on manual and automated application security testing


Security Review Process Quick Guide

Here's a look at the Security Review Process steps:

1. Prepare for Security Review


2. Initiate Security Review

  • Initiate security review of your offering by logging into the AppExchange Publisher Profile (www.appexchange.com) and clicking "Start Review". For existing offerings that are due for a subsequent security review, log a case in the Partner Portal.
  • Pay the annual listing fee. Refer to the Listing Fee page to determine if this fee applies to your offering.


3. Participate in Security Review

  • Your technical team will be requested to complete a security questionnaire.
  • Provide reports from security testing tools showing that the offering is free of reported issues.
  • Provide the review team with a fully configured test environment and documentation (see the Scope section above for details on what is tested for each part of the offering).
  • Manual and automated application and network security testing will be performed on the offering to identify vulnerabilities that may exist.

Random Testing: Salesforce.com reserves the right to conduct random on-site and off-site tests on published offerings. If during these tests we find that the offering has deviated from any of our requirements, we will notify the publisher and provide a timeframe to remedy the issue. In extreme cases, we may pull the AppExchange listing from public viewing.


4. Review Results: Based on testing results, your offering will be Approved, Provisionally Approved or Not Approved.

  • Approved:
    • Meets Security Review Requirements.
    • You will be allowed to list your offering on the AppExchange.
    • You will qualify for an API token (clientID) to access Professional Edition (PE) accounts. (Please log a case in the partner portal.)
  • Provisionally Approved:
    • Low risk issues as determined by the security review team.
    • Very rarely granted
    • You will be allowed to list your offering on the AppExchange temporarily. Note: failure to remedy the noted issues within the specified time period will result in removal of the listing from the AppExchange.
    • You will qualify for an API token (clientID) to access Professional Edition (PE) accounts. (Please log a case in the partner portal.)


  • Not Approved:
    • Does not meet Security Review Requirements.
    • You will not be allowed to list your offering on the AppExchange or distribute through the OEM program until all issues have been addressed and re-reviewed by the AppExchange Security team. If the offering is already listed on the AppExchange, you will be given 60 days to address issues. Note: failure to remediate the noted issues within the specified time period will result in removal of the listing from the AppExchange.
    • You will not qualify for an API token (clientID) to access Professional Edition (PE) accounts.


5. Publish:

  • Publish your app on the AppExchange


Resources

  • Secure Cloud Development Resources - This page introduces Force.com Secure Cloud Development, a suite of tools, training, and processes to help developers get started building trusted applications.
  • Security Review Costs - Understand the costs associated with the security review of various application types
  • Requirements Checklist - This checklist will help you prepare for your security review. Applications must meet these criteria in order to pass security review.
  • Secure Coding Guideline - These documents provide information on common security issues and provide guidance on effectively remediating these issues within your application.
  • Security Review FAQ - We have compiled all the frequently asked questions here. In particular, we recommend that you review the table that lists all the security attributes we look for to pass your application.
  • Sample Policy Template - Here's a sample policy template to guide you in creating your company security and operational policies.