AppExchange Security Review
AppExchange Security Review is a mandatory evaluation process that all paid and certain free AppExchange listings must pass before being published.
Definition
AppExchange Security Review is a mandatory evaluation process that all paid and certain free AppExchange listings must pass before being published. Salesforce's security team examines the package's code for vulnerabilities such as SOQL injection, cross-site scripting (XSS), missing CRUD/FLS enforcement, and other security concerns to ensure it meets Salesforce's security standards.
In plain English
“AppExchange Security Review is Salesforce's safety check on apps before they go on the AppExchange. Salesforce's security team reads through the code looking for holes that could let hackers in, and if they find problems, the app doesn't get published until they're fixed.”
Worked example
An ISV at Larkmoor Software submits their managed package to AppExchange for publishing. Before listing approval, the package goes through AppExchange Security Review - Salesforce's security team analyzes the code for vulnerabilities: SOQL injection risk, XSS in Visualforce or LWC markup, missing CRUD/FLS enforcement, hardcoded credentials, insecure callouts. Two issues surface (a missing CRUD check on a custom controller and an unsanitized HTML render); the ISV fixes both, resubmits, and passes. The Security Review is a multi-week process, but it is mandatory: without passing, the package can't be listed. The review is what protects subscribers from installing malicious code.
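The two finding types from the worked example (a controller that skips CRUD/FLS checks and builds SOQL from user input, and a value rendered as raw HTML), as an added Apex illustration that is not code from the page or from Larkmoor Software; the class, method and field names are hypothetical:

```apex
// Added example (hypothetical names): the "before" that a Security Review flags, beside the "after".
public with sharing class AccountSearchController {

    public class SecurityReviewException extends Exception {}

    // FINDING 1 (before): user input concatenated into SOQL, and no CRUD/FLS check at all.
    public static List<Account> searchUnsafe(String nameFragment) {
        String q = 'SELECT Id, Name, AnnualRevenue FROM Account WHERE Name LIKE \'%'
                 + nameFragment + '%\'';
        return Database.query(q);
    }

    // FINDING 1 (after): bind variable plus explicit CRUD and FLS enforcement.
    public static List<Account> searchSafe(String nameFragment) {
        // CRUD: confirm the running user may read Account at all.
        if (!Schema.sObjectType.Account.isAccessible()) {
            throw new SecurityReviewException('Account is not readable for this user');
        }
        // A bound variable is passed to the database as a value, never parsed as SOQL text.
        String pattern = '%' + nameFragment + '%';
        // WITH SECURITY_ENFORCED enforces FLS on every selected field; an inaccessible
        // field raises a QueryException instead of silently leaking data.
        return [SELECT Id, Name, AnnualRevenue FROM Account
                WHERE Name LIKE :pattern WITH SECURITY_ENFORCED];
    }

    // Same discipline on the write side: check isCreateable() before DML.
    public static Account createSafe(String name) {
        if (!Schema.sObjectType.Account.isCreateable()
                || !Schema.sObjectType.Account.fields.Name.isCreateable()) {
            throw new SecurityReviewException('Account/Name is not createable for this user');
        }
        Account a = new Account(Name = name);
        insert a;
        return a;
    }

    // FINDING 2: when markup renders a value with escaping turned off (e.g. a
    // Visualforce outputText with escape="false"), escape it server-side first.
    public static String renderDescription(String untrustedText) {
        return untrustedText == null ? '' : untrustedText.escapeHtml4();
    }
}
```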
Why AppExchange Security Review matters
Every paid AppExchange package and most free packages that access sensitive data must pass Salesforce's Security Review before being published. The review is performed by Salesforce's internal security team, who scan the package code for common vulnerability patterns: SOQL injection, cross-site scripting (XSS), missing CRUD or field-level security enforcement, insecure deserialization, hard-coded credentials, and other issues outlined in the Salesforce security review guidelines.
The process involves submitting the package through the Partner Community along with documentation about its architecture, data flows, and third-party dependencies. The review can take several weeks and often includes back-and-forth remediation cycles where the ISV must fix findings and resubmit. Once passed, the listing displays a 'Security Review' trust badge and the package becomes publishable. Salesforce periodically re-reviews published packages, particularly when new vulnerability patterns emerge.
How organizations use AppExchange Security Review
- Built a full pre-submission checklist based on the Salesforce security review guidelines and ran internal scans before submitting. This preparation cut their review cycles from three rounds down to one for their most recent release.
- Discovered a SOQL injection vulnerability in their own code during a security review dry run and fixed it before submitting. The issue would have been flagged during the official review anyway, but catching it early saved a full review cycle.
- Advises their ISV clients that security review preparation should start at the beginning of development, not at the end. Retrofitting code to pass review after it was written without security in mind is dramatically more expensive.
Trust & references
Straight from the source - Salesforce's reference material on AppExchange Security Review.
- How the AppExchange Security Review Works (Salesforce Developers)
- Pass the AppExchange Security Review (Salesforce Developers)
Test your knowledge
Q1. What does the AppExchange Security Review evaluate?
Q2. Which packages must pass security review?
Q3. What should an ISV do to reduce the number of review cycles?