Chamil Madusanka

Questions on Salesforce Security Audit

Hi All,

I have heard about the security audit in Salesforce and I got the link below for that.

http://wiki.developerforce.com/index.php/Requirements_Checklist

I have a few questions on that.

  1. Is there really a security audit from the Salesforce team?
  2. Is it an automatic process or a manual process?
  3. At which point do they perform this audit?
  4. How long do they take for that process?
  5. What is the output of the security audit?
  6. What if we fail the audit?
  7. Can we request a re-audit?

Thanks in Advance

 

Best Answer chosen by Admin (Salesforce Developers)
Jdolph

Thanks for reaching out; please see my replies inline below.

1. Is there really a security audit from the Salesforce team?

Yes, we perform security testing and evaluation of every AppExchange application before it can be publicly listed.

2. Is it an automatic process or a manual process?

We perform both manual and automated testing of the application.

3. At which point do they perform this audit?

The application will be tested after you have initiated the security review from the AppExchange, paid the listing fee (for commercial apps), completed a security questionnaire, and provided a fully configured test environment.

4. How long do they take for that process?

This depends greatly on the volume of applications being submitted, and the complexity and composition of your application.

5. What is the output of the security audit?

We will either send an approval notice if you pass, or a listing of issues that you must fix before we can approve the application.

6. What if we fail the audit?

We will provide you with a list of issues that you must fix before we will approve the application. Once you have fixed the issues, we request that you perform a round of internal testing to verify that the fixes were complete. When you are confident that the application meets the AppExchange requirements, you can re-submit the application for another review.

7. Can we request a re-audit?

Yes. Please see above.

The best advice that I can give is to prepare upfront. It helps to avoid surprises and increases your chances of passing the review the first time.

1. Look at the requirements checklist (http://wiki.developerforce.com/index.php/Requirements_Checklist) and the security resources that are available on Force.com Secure Cloud Development (http://developer.force.com/security).

2. Test your application first to identify issues using the Force.com Security Source Scanner (http://security.force.com/sourcescanner) for Apex and Visualforce and the Web Application Security Scanner (http://security.force.com/webappscanner) for composite apps. It's also important to perform your own manual testing to find issues that automated tools might not find (CSRF on composite apps, business logic flaws, etc.).

3. Fix any issues that you find and test again.

4. Once you are confident the application meets the requirements, initiate the review.

I hope that this helps. Please let me know if you need anything else.

All Answers

Chamil Madusanka

Hi Jdolph,

Thanks for your reply. It helps me to continue my work. If there is any problem relating to the security audit, I'll contact you.

Thanks again.

 

Devendra@SFDC

Hello Chamil, Jdolph,

I have received a list of errors from the Salesforce security review team.

Now I am confused about where to start:

To solve those errors I need to change the Visualforce page code.

I assume I need to make those changes in the developer org from which I created the managed package. But do I need to once again create a release package, upload it to AppExchange and start the review process again?

I am confused about how to handle the issue-fixing process.

Thanks,

Devendra

 

Chamil Madusanka

Yes Devendra, you have to upload your released package after you fix your issues.

Amit Singh1989

Hi Chamil,

Thank you for your response.

I have uploaded my JS package (version 1.0) into my dev org, then initiated the security review process for my package.

Salesforce responded with some issues in my package.

But I don't know how to move further.

Please correct me if I am wrong:

1) I will update the VF page code in my developer org (in which the issues are).

2) Then upload my JS package again (this time it might be numbered as 2.0).

3) Then log a case from the partner portal to resubmit my package for security review. (Will they again ask for payment?)

Any help would be highly appreciated.

Thanks,
Amit Singh

Jdolph

You are correct. The steps you mentioned will get you back in the testing queue for a re-test. Just make sure to send the reports showing no issues, and updated testing credentials, with the case. If you have already paid your listing fees for the year you will not be asked to pay again. Best of luck!

Chamil Madusanka

Hi Amit,

Your steps are correct.

Amit Singh1989

Thank you Jdolph, Chamil.

de54874

How many times can we submit our application for re-review? Is there a limited number of times after which it is considered a fresh review?