Definition
AppExchange Security Review is a mandatory evaluation process that all paid and certain free AppExchange listings must pass before being published. Salesforce's security team examines the package's code for vulnerabilities such as SOQL injection, cross-site scripting (XSS), and missing CRUD/FLS enforcement, along with other security concerns, to ensure it meets Salesforce's security standards.
Real-World Example
Consider a scenario where a Salesforce administrator at Coastal Health is working with AppExchange Security Review to maintain data quality and enforce organizational policies across the platform. By properly setting up AppExchange Security Review, they prevent common data entry errors and ensure that users follow established business processes, which saves the support team hours of cleanup work each week.
Why AppExchange Security Review Matters
Every paid AppExchange package and most free packages that access sensitive data must pass Salesforce's Security Review before being published. The review is performed by Salesforce's internal security team, who scan the package code for common vulnerability patterns: SOQL injection, cross-site scripting (XSS), missing CRUD or field-level security enforcement, insecure deserialization, hard-coded credentials, and other issues outlined in the Salesforce security review guidelines.
The process involves submitting the package through the Partner Community along with documentation about its architecture, data flows, and third-party dependencies. The review can take several weeks and often includes back-and-forth remediation cycles where the ISV must fix findings and resubmit. Once passed, the listing displays a 'Security Review' trust badge and the package becomes publishable. Salesforce periodically re-reviews published packages, particularly when new vulnerability patterns emerge.
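Two of the findings listed above, SOQL injection and missing CRUD/FLS enforcement, shown as an added Apex example that is not code from this page or from any company it mentions; the class name, the Contact search scenario and the exception type are assumptions:

```apex
// Added example: a vulnerable search beside two hardened variants.
public with sharing class ContactSearchDemo {

    public class AccessException extends Exception {}

    // VULNERABLE: user input concatenated straight into dynamic SOQL, so a
    // value containing a quote can change the WHERE clause. No CRUD/FLS
    // check either; 'with sharing' only applies record-level sharing rules.
    public static List<Contact> searchVulnerable(String userInput) {
        String q = 'SELECT Id, Name, Email FROM Contact '
                 + 'WHERE Name LIKE \'%' + userInput + '%\'';
        return Database.query(q);
    }

    // HARDENED (static SOQL): a bind variable keeps the input as data, and
    // WITH SECURITY_ENFORCED makes the query throw if the running user lacks
    // read access to the object or to any selected field.
    public static List<Contact> searchHardened(String userInput) {
        String pattern = '%' + userInput + '%';
        return [SELECT Id, Name, Email FROM Contact
                WHERE Name LIKE :pattern WITH SECURITY_ENFORCED];
    }

    // HARDENED (dynamic SOQL): still bind the value rather than concatenate
    // it, check object-level CRUD explicitly, then strip any fields the user
    // may not read instead of failing the whole request.
    public static List<Contact> searchDynamicHardened(String userInput) {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AccessException('No read access to Contact');
        }
        String pattern = '%' + userInput + '%';
        // The bind variable :pattern is resolved from local scope by
        // Database.query, so no quoting of userInput is needed here.
        String q = 'SELECT Id, Name, Email FROM Contact WHERE Name LIKE :pattern';
        List<Contact> rows = Database.query(q);
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Contact>) decision.getRecords();
    }
}
```

String.escapeSingleQuotes applies only where concatenation truly cannot be avoided; with a bind variable it is unnecessary and would alter the LIKE pattern.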
How Organizations Use AppExchange Security Review
- Vertex Global — Built a full pre-submission checklist based on the Salesforce security review guidelines and ran internal scans before submitting. This preparation cut their review cycles from three rounds down to one for their most recent release.
- NovaScale — Discovered a SOQL injection vulnerability in their own code during a security review dry run and fixed it before submitting. The issue would have been flagged during the official review anyway, but catching it early saved a full review cycle.
- Skyline Consulting — Advises their ISV clients that security review preparation should start at the beginning of development, not at the end. Retrofitting code to pass review after it was written without security in mind is dramatically more expensive.
