In one of our most recent Road to the AppExchange series webinars, Sean Hogan, CodeScience CRO, and Ron Kiker, Manager of Expert Services, discussed how to build a plan for submitting for Security Review. We’re following up on that session with some additional tips to ensure a smooth experience from Efren Maldonado, one of our Product Owners.

Tip 1: Security Review Prep Must Happen From Day 1

This was the first point we hit on in our Road to the AppExchange series, and, as Efren puts it, it is worth saying again:

“Security Review prep does not happen at the end of your project!”

From a project owner’s perspective, it is helpful to think of Security Review like a release plan: there are certain milestones that should be met along the way, such as keeping track of your partner agreement and making sure that appropriate time is baked in to meet expected launch time frames.

We see, time and again, that new partners underestimate the time needed to contract with Salesforce. Check out FullStory’s experience here.

Tip 2: Prepare for Your Scans

When preparing for Security Review, there is due diligence that must take place to understand what your vulnerabilities are and how to fix them. Plus, you need to identify false positives early and create the documentation Salesforce requires to explain them. Our philosophy is to scan early and scan often.

At CodeScience, we provide not only an in-depth output and analysis of the scans, but also formal documentation of the tests being conducted and what to expect.

  • Because these tests are searching for vulnerabilities in your application, you will see unusually high traffic volumes which may appear to mimic a Denial of Service attack. It is important to advise your hosting and security teams of the planned testing ahead of time, so that the scan traffic is not mistaken for an attack and blocked, which would leave the scan incomplete.
    • Pro-tip: Scan at different times. We recommend you run tests at three times: during business hours, during weekend support hours, and during evening hours.
  • Use a non-production environment for preliminary scans to help minimize any degradation or interruption of service for your production clients. Scanners submit test input to every form and endpoint they find, so data loss or corruption may occur as a result of the scans.
  • For your Security Review submission, you must use an exact replica of your production environment. We recommend working with your PAM (Partner Account Manager) to coordinate the scan so that it runs at off-peak times or at a slower rate. It is important to note that running at a slower rate will make the scan take longer.

Tip 3: Use a Checklist to Keep Track of the Process

Because there are so many pieces, we find it helpful to create a checklist to help project owners keep track of the moving parts and ensure that the project is staying on track. Here is an example of a timeline we recently used with a client as they headed into the final phase of their Security Review process.

It is important to note that the Security Review and partner process is different for every company, and there is no one-size-fits-all approach. Use the checklist above as a starting point for the final steps of your own process.

  • Pro-tip: As you walk through the steps to submit for Security Review, note that there is a setup fee if your application is paid. The fee is $2,700, which covers the review itself and the first $150 annual AppExchange fee. Be sure that whoever is submitting the application for Security Review has the authorization and a payment method to prevent delays in the process.

For many clients we talk with, Security Review is the part of the process met with the most anxiety. However, with a bit of planning and an understanding of the process, you’ll be able to navigate it smoothly. If you’d like to learn more about what it takes to make it to the AppExchange, check out our Road to the AppExchange webinar series: register once and receive access to all 8 parts of the series.


CodeScience helps companies thrive on the AppExchange. No matter if you’re building an app for the first time or are a veteran hoping to drive better results, contact us today!