
“Nothing is more important to our company than the privacy of our customers’ data” — Parker Harris, Salesforce co-founder

What is a Security Review?
When you want to make a Salesforce solution publicly available on the AppExchange, your application needs to undergo a Security Review. Salesforce security experts dive deep into your application to make sure it has no security flaws or vulnerabilities, checking how well it conforms to security standards and protects sensitive customer data.
What do you need to know to pass the Security Review?
Testing your Application
Before submitting for Security Review, assess your solution on your side first to make sure that your architecture is secure. This includes the permissions granted on objects, the components included, custom code, web services and any third-party services used. In short, ensure that attackers cannot exploit any entry point or vulnerability to access data.
Your application should also be robust, and Salesforce best practices must be applied, such as bulkifying your Apex code when dealing with records in triggers and avoiding injection, whether SOQL injection, Apex code injection or cross-site scripting.
If your solution involves third parties, it is good practice to test them as well. Test the endpoint to see whether the headers or the request being transmitted leak anything. One common tool is OWASP ZAP, which produces a list of vulnerabilities with their severities. From my experience, every high and medium issue deserves consideration. Furthermore, a proper SSL/TLS certificate goes a long way toward making your endpoint more secure.
Salesforce Code Scan
Other than manual testing, Salesforce provides a static code analysis tool, developed by Checkmarx, which scans the code in your package. It can detect many issues, such as missing Create-Read-Update-Delete (CRUD) and Field Level Security (FLS) checks, sharing problems, cross-site scripting (XSS) and SOQL injection.
These findings are grouped into categories: Apex Critical Security Risk, JavaScript Low Visibility, JavaScript High Risk, Apex Serious Security Risk and Apex Code Quality.
Here is sample code for CRUD and FLS checks. These checks need to be performed each time your code manipulates records.
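As an added example (not code from the original post), the following Apex class performs the object-level CRUD checks and field-level FLS checks on Contact before each read, insert, update and delete; the Contact fields used are assumptions chosen for illustration.

```apex
// Added example: CRUD and FLS enforcement on Contact (field names are assumptions).
public with sharing class ContactCrudFlsExample {

    // Read: verify object access, then strip any fields the running user
    // cannot see before returning records to the caller.
    public static List<Contact> readContacts() {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new System.NoAccessException();
        }
        List<Contact> rows = [SELECT Id, LastName, Email FROM Contact LIMIT 50];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Contact>) decision.getRecords();
    }

    // Update: check object-level update permission and field-level
    // updateability for every field the code writes to.
    public static void updateEmail(Id contactId, String newEmail) {
        if (!Schema.sObjectType.Contact.isUpdateable()
            || !Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new System.NoAccessException();
        }
        Contact c = new Contact(Id = contactId, Email = newEmail);
        update c;
    }

    // Create: isCreateable() covers the object; stripInaccessible silently
    // removes fields the user may not populate on insert.
    public static Contact createContact(String lastName, String email) {
        if (!Schema.sObjectType.Contact.isCreateable()) {
            throw new System.NoAccessException();
        }
        Contact c = new Contact(LastName = lastName, Email = email);
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, new List<Contact>{ c });
        Contact safe = (Contact) decision.getRecords()[0];
        insert safe;
        return safe;
    }

    // Delete: only the object-level permission applies.
    public static void deleteContact(Id contactId) {
        if (!Schema.sObjectType.Contact.isDeletable()) {
            throw new System.NoAccessException();
        }
        delete new Contact(Id = contactId);
    }
}
```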
Cross-site scripting in Visualforce pages can be prevented by using encoding functions such as JSENCODE and HTMLENCODE on values merged into the page, for example:
var ids = JSON.parse("{!JSENCODE(recordIds)}");
SOQL injection is another common issue, which arises when user input is passed into dynamic SOQL queries. To protect against it, sanitize the user input. A common method for this is String.escapeSingleQuotes.
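The following added example (not from the original post) shows the same dynamic Account search written three ways: the injectable concatenation, the preferred bind-variable form, and the String.escapeSingleQuotes form for cases where the query string must be built dynamically. The object, field and method names are assumptions.

```apex
// Added example: SOQL injection in dynamic queries and two safe alternatives.
public with sharing class AccountSearchExample {

    // VULNERABLE: user input is concatenated straight into the query text.
    // A single quote in searchTerm closes the literal and lets the rest of
    // the input alter the WHERE clause.
    public static List<Account> searchUnsafe(String searchTerm) {
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + searchTerm + '%\'';
        return Database.query(q);
    }

    // PREFERRED: a bind variable. The value is passed separately from the
    // query text, so quotes in searchTerm are data, never syntax.
    public static List<Account> searchWithBind(String searchTerm) {
        String pattern = '%' + searchTerm + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    // ACCEPTABLE when the query must be assembled as a string: escape the
    // single quotes so the input cannot terminate the literal. This only
    // protects a value placed inside a quoted literal; it does nothing for
    // unquoted positions such as field names, ORDER BY or LIMIT clauses,
    // which must be validated against an allow-list instead.
    public static List<Account> searchWithEscape(String searchTerm) {
        String safeTerm = String.escapeSingleQuotes(searchTerm);
        String q = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + safeTerm + '%\'';
        return Database.query(q);
    }
}
```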
External Application Scan
If you have an external application connected to the Salesforce solution, or if you are using a third-party service, you also require this scan.
All endpoints used must be secured and each connection must be authenticated. If you are storing Salesforce credentials such as a refresh token or access token, these must be stored encrypted in the database.
Salesforce encourages you to scan your application with OWASP ZAP: https://owasp.org/www-project-zap/
You should review all high and medium issues from the ZAP scan. If some of them are false positives, you need to document them and provide the necessary details as to why each one is not a threat.
Common issues that can be identified with ZAP are:
- Sensitive data exposure
- Missing security headers
- Security misconfiguration
- Broken Access control
- Components with known vulnerabilities (JavaScript libraries)
- Insecure Deserialization
- Cross Site Scripting (XSS)
Note: you need to scan any third party your application uses, even if it only hosts your documentation.
False Positives
Sometimes the security scanning tool or the code reviewer will flag code as posing a security vulnerability when the flagged issue is not really one, is not exploitable, or has already been catered for elsewhere. Such issues can be considered false positives.
To address these, you need to provide a document specifying why they are false positives. Explain what your code does and how it is not affected by the issue raised by the scanning tool, and give examples and use cases to make the explanation concrete. This avoids the Security Review team asking for more information, which may delay the processing of your solution.
Submitting for Security Review
Now that all security concerns in the application have been considered, you are almost ready to submit it for the Salesforce team to start the Security Review.
The next step is to document how to test the application. This includes the following:
- a Salesforce environment with the package installed
- admin-level credentials for the Salesforce security team
- populating the Salesforce environment with sample data
- thorough documentation of what your app is used for and how to use it, so that it is easier to test and review.
Salesforce provides a checklist builder based on what your solution contains. You can use it as a guideline for what is missing before submitting for the Security Review.
To complete the review, you need to log into your partner portal to fill in your app details and upload the necessary documents. There is a fee payable at the end of the process.
There is an annual listing fee of $150 USD and a one-time upfront fee of $2,700 USD for a paid app submitted for security review (no fee for free apps).
Consult the Experts
If you have any questions regarding the process, you can book office hours to speak directly with the team, or post your questions in the Security Review Group in the Partner Community.
If you want assistance building your Salesforce solution, Spoon Consulting is the right fit. We have accompanied numerous clients in building their Salesforce solutions and making sure they passed the Security Review.
One of our most successful ISV applications is SharinPix (an image-management solution built for Salesforce), which is available on any Salesforce cloud solution. We continue to add new features and to maintain and update the application (Salesforce, Heroku and mobile app).
Originally posted on Spoon Consulting website.