{"id":351,"date":"2021-06-01T16:31:00","date_gmt":"2021-06-01T12:31:00","guid":{"rendered":"https:\/\/spoonconsulting.com\/?p=351"},"modified":"2025-08-22T16:36:44","modified_gmt":"2025-08-22T12:36:44","slug":"salesforce-security-review-can-be-intimidating","status":"publish","type":"post","link":"https:\/\/spoonconsulting.com\/fr\/salesforce-security-review-can-be-intimidating\/","title":{"rendered":"Salesforce Security Review can be intimidating"},"content":{"rendered":"

What is a Security Review?<\/h3>\n\n\n\n

When you want to make a Salesforce solution publicly available on the AppExchange, your application needs to undergo a Security Review. Salesforce experts will dive deep into your application to make sure that your solution does not have any security flaws and vulnerabilities whereby checking how well your application conforms to security standards and protects sensitive customer data.<\/p>\n\n\n\n

What you need to know to pass the Security\u00a0Review?<\/h4>\n\n\n\n

Testing your Application<\/h4>\n\n\n\n

Before submitting for Security Review, assess your Solution on your side first to make sure that your architecture is secure. This includes permissions given to objects, components included, custom code, webservices, third party services being used. For short, ensure that hackers will not be able to exploit any entry points or vulnerabilities to access data.<\/p>\n\n\n\n

Your application should also be robust and Salesforce best practices must be applied such as bulkifying your apex code when dealing with records in Triggers, avoid code injection either in SOQL, apex or cross-scripting.<\/p>\n\n\n\n

If your solution involves third parties, it is good practice to test them as well. Test the endpoint to see if it contains any leaks in the headers or request being transmitted. One common tool is OWASP ZAP which provides a list of vulnerabilities and their severities. From my experience, every high and medium issues deserve consideration. Furthermore, a good SSL certificate goes a long way to make your endpoint more secure.<\/p>\n\n\n\n

Salesforce Code Scan<\/h4>\n\n\n\n

Other than manual testing, Salesforce provides a static code analysis tool, developed by Checkmarx, which scans the code from your package. It can detect a lot of issues such as Create-Read-Update-Delete (CRUD), Sharing, Cross-Scripting (XSS), SOQL Injection, Field Level Security (FLS).<\/p>\n\n\n\n

These errors are categorized into groups: Apex Critical Security Risk<\/strong>, Javascript Low Visibility<\/strong>, Javascript High Risk<\/strong>, Apex Serious Security Risk<\/strong>, Apex Code Quality<\/strong>.<\/p>\n\n\n\n

Here is a sample code for CRUD and FLS check. These need to be performed each time your code is manipulating records.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Cross-Scripting in Visualforce pages can be resolved by using formula such as JSENCODE<\/strong> et HTMLENCODE<\/strong> to prevent XSS<\/strong> injection.<\/p>\n\n\n\n

var ids = JSON.parse(\u201c{!JSENCODE(recordIds)}\u201d);<\/p>\n\n\n\n

SOQL Injection is another common issue which arises when user input is passed into dynamic SOQL queries. To protect yourself against such issue, you can sanitize the user inputs. A common method available to resolve such issue is String.escapeSingleQuotes<\/strong>.<\/p>\n\n\n\n

External Application Scan<\/h4>\n\n\n\n

If you have an external application which is connected to the Salesforce solution or if you are using a third-party service, you require this scan also.<\/p>\n\n\n\n

All endpoints being used must be secured and each connection must be authenticated. If you are storing Salesforce credential such as Refresh Token <\/strong>et Access Token<\/strong>, these must be saved in encrypted database.<\/p>\n\n\n\n

Salesforce encourages you to scan your application with OWASP ZAP application. https:\/\/owasp.org\/www-project-zap\/<\/a><\/p>\n\n\n\n

You should review all high and medium issues resulting from the ZAP scan. If some of them are false positive, you need to document them and provide necessary details as to why this is not a threat.<\/p>\n\n\n\n

Common issues that can be identified with ZAP are:<\/p>\n\n\n\n