June 12, 2026
From Development to AppExchange: Preparing Your Solution for Salesforce Security Review
AppExchange Success Starts with Security: A Complete Guide to Salesforce Security Review Submission
Prasunn Kumar Rai
4 min read
Building an innovative Salesforce solution is only half the journey. The other half — often underestimated — is ensuring that your application meets Salesforce's stringent security requirements before it reaches customers through AppExchange.
The purpose of this article is to help ISVs, Salesforce developers, architects, and product owners understand what to expect and how to prepare for a successful security review submission.
Why Security Review Matters
Salesforce AppExchange is one of the world's most trusted enterprise software marketplaces. Every solution listed there must demonstrate that it can securely handle customer data and operate without introducing security risks into a customer's Salesforce environment.
The Salesforce Product Security Team performs extensive testing to identify vulnerabilities that could lead to:
- Unauthorized data access
- Authentication bypasses
- Injection attacks
- Cross-site scripting vulnerabilities
- Insecure API implementations
- Misconfigured integrations
Security review is not simply a compliance checkbox. It is an essential validation that your application is ready for enterprise customers.
When Does Your Solution Need a Security Review?
A security review is required before publishing:
- Managed Packages
- Salesforce Platform API Solutions
- Marketing Cloud Engagement API Solutions
- AgentExchange Applications
Many developers assume every new package version requires a new security review. Fortunately, that is not the case.
Once approved, you can typically release new package versions without undergoing a full review again, provided you complete the required security attestation during the listing update process.
However, Salesforce reserves the right to request a new review whenever necessary, particularly when significant changes or emerging security threats arise.
Preparing Before Submission
One of the biggest mistakes I see teams make is starting the submission process before gathering the required documentation and testing evidence.
Think like a security assessor.
The reviewers need everything required to understand, install, configure, and test your application.
Essential Documentation Checklist
Before starting your submission, prepare:
1. User Documentation
2. Administrator Documentation
3. Installation Guides
4. Architecture Documentation
5. Data Flow Diagrams
6. API Integration Documentation
7. External Service Documentation
8. Mobile Application Documentation (if applicable)
9. Chrome Extension Documentation (if applicable)
Security Documentation
Salesforce expects evidence that you have already performed security testing.
Include:
- Salesforce Code Analyzer reports
- Static code analysis reports
- Dynamic testing reports
- False-positive explanations
- Penetration testing findings (if available)
The more transparent you are, the smoother the review process becomes.
Understanding Data Flow Documentation
One of the most important artifacts in a submission is the data flow diagram.
Your documentation should clearly answer:
- What data enters Salesforce?
- What data leaves Salesforce?
- Which external systems are involved?
- How is authentication handled?
- Where is customer data stored?
- How is data encrypted in transit and at rest?
A well-prepared architecture diagram can save days of back-and-forth clarification with reviewers.
Starting the Security Review Process
The submission process begins in the Salesforce Partner Console.
Steps
- Log in to the Partner Community.
- Navigate to Publishing.
- Open the Partner Console.
- Select Technologies.
- Locate your solution.
- Click Start Review.
This launches the Security Review Wizard.
Step 1: Add Contacts
Provide:
- Primary Contact
- Backup Contact
- Security Distribution List
These contacts will receive all communications and review results.
My recommendation is to use a team distribution list instead of relying solely on an individual email address.
Step 2: Technical Details
This section requires detailed information about your solution's architecture.
Be prepared to provide:
- Solution overview
- Authentication mechanisms
- API usage
- Mobile application details
- External integrations
- Hosting information
Accuracy is critical here. Inconsistent information often triggers additional review questions.
Step 3: Upload Documentation
This is where preparation pays off.
Upload:
- Architecture diagrams
- Installation guides
- User manuals
- Security scanner reports
- Data flow diagrams
- API documentation
For managed packages, Salesforce Code Analyzer reports are generally expected.
If you cannot provide them, include a clear justification.
Step 4: Provide Test Environments
The Product Security Team needs to validate your application in a working environment.
Provide:
Salesforce Access
- Username
- Password
- MFA instructions
- Test users
API Access
- OAuth credentials
- API keys
- SAML configuration
External Applications
- Web application URLs
- Admin credentials
- Test data
Mobile Applications
- Installation links
- APK/IPA files
- Configuration instructions
The easier you make testing, the faster your review progresses.
Step 5: Review and Submit
Before submission:
✔ Verify all documentation uploads
✔ Validate credentials
✔ Confirm test environments are operational
✔ Review all responses for consistency
Once complete, submit your package for review.
Understanding Security Review Fees
Salesforce currently charges a fee for security review submissions.
An important point to remember:
If vulnerabilities are identified and you must resubmit after fixing them, a new submission fee may apply.
This is another reason why investing time in preparation and internal testing can significantly reduce overall costs.
What Happens After Submission?
Once submitted:
- Salesforce validates the submission.
- Product Security begins assessment.
- Findings are documented.
- Feedback is shared through the Security Review portal.
A review cycle typically takes several weeks, depending on complexity and submission quality.
You can monitor progress directly from the Partner Console.
Common Reasons Applications Fail Security Review
Across the many enterprise security programs I have reviewed, the most common issues include:
Insecure API Endpoints
Missing authentication or authorization controls.
Cross-Site Scripting (XSS)
Improper output encoding in Lightning Components and web applications.
Insecure Data Storage
Sensitive information stored without proper protection.
Weak Access Controls
Privilege escalation opportunities.
Hardcoded Secrets
API keys, passwords, and tokens embedded in source code.
Insufficient Input Validation
Injection vulnerabilities and unsafe user input handling.
Addressing these areas before submission dramatically improves approval rates.
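As an added illustration (not code from the article), here is how two of the categories above, injection through unvalidated input and weak access controls (missing CRUD/FLS enforcement), look in Apex, with a vulnerable method beside its hardened forms. The class and method names are hypothetical; the APIs used (bind variables, WITH USER_MODE, String.escapeSingleQuotes, Security.stripInaccessible) are standard platform features.

```apex
// Added example, not from the article. AccountSearch is a hypothetical class
// name; it contrasts an injectable, FLS-ignoring query with hardened versions.
public with sharing class AccountSearch {

    // VULNERABLE: the caller-supplied string is concatenated into dynamic SOQL,
    // so a crafted value can alter the query (SOQL injection). Database.query()
    // here also runs in system mode, so it returns fields the running user
    // is not permitted to read (field-level security is bypassed).
    @AuraEnabled
    public static List<Account> searchVulnerable(String term) {
        String soql = 'SELECT Id, Name, AnnualRevenue FROM Account '
                    + 'WHERE Name LIKE \'%' + term + '%\'';
        return Database.query(soql);
    }

    // HARDENED: a bind variable keeps the input as data, never as query text,
    // and WITH USER_MODE makes the query honour the running user's object,
    // field and sharing permissions (it throws if access is missing).
    @AuraEnabled
    public static List<Account> searchSecure(String term) {
        // Basic input validation: reject empty or unreasonably long terms.
        if (String.isBlank(term) || term.length() > 80) {
            throw new AuraHandledException('Invalid search term.');
        }
        String pattern = '%' + term + '%';
        return [SELECT Id, Name, AnnualRevenue
                FROM Account
                WHERE Name LIKE :pattern
                WITH USER_MODE];
    }

    // HARDENED (when dynamic SOQL is unavoidable): escape quotes before
    // inlining the value, then strip any fields the user cannot read rather
    // than returning them. stripInaccessible does not throw, which suits
    // UIs that should degrade gracefully instead of failing the whole call.
    public static List<Account> searchDynamicSecure(String term) {
        String safe = String.escapeSingleQuotes(term);
        String soql = 'SELECT Id, Name, AnnualRevenue FROM Account '
                    + 'WHERE Name LIKE \'%' + safe + '%\'';
        List<Account> rows = Database.query(soql);
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }
}
```

Salesforce Code Analyzer flags the pattern in searchVulnerable (unescaped dynamic SOQL, missing CRUD/FLS checks), so running it before submission surfaces exactly the findings the reviewers would otherwise report.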
Security Review Best Practices
My recommendations for every Salesforce partner:
- Integrate security testing into CI/CD pipelines.
- Run Salesforce Code Analyzer regularly.
- Maintain architecture and data flow documentation continuously.
- Perform internal penetration testing before submission.
- Establish a secure SDLC process.
- Treat security review preparation as part of product development — not a final-stage activity.
Security should never be a last-minute exercise.
Final Thoughts
Publishing on AppExchange is a major milestone, but security approval is what builds trust with customers.
The Salesforce Security Review process is designed to protect customers, strengthen the ecosystem, and improve application quality. Teams that prepare thoroughly, document their architecture clearly, and prioritize secure development practices consistently achieve faster approvals and better customer confidence.
Build security early, document continuously, and treat the security review as an opportunity to validate the strength of your product — not as an obstacle to overcome.
The result will be a more secure application, a smoother AppExchange journey, and greater trust from your customers.
Helpful Links:
- ISVforce Guide: https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/
- Salesforce Code Analyzer: https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/overview
- AppExchange Partner Program: https://partners.salesforce.com
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- Salesforce Secure Coding Guide: https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/security-rules.html