Thursday, Oct 14, 2010

Preparing for Salesforce Security Review (Part 1 of 2)

Getting ready for the Salesforce.com security review can be a little nerve-racking. I've been through this process before, so I want to share how I prepared for the security review and how the process goes. One of the best and worst things about Salesforce.com development is how much documentation there is. This is fantastic for a Salesforce developer, but it is also a struggle because you feel like you could be missing something. In addition, you might have to bounce around between three different documents before you find what you are looking for. This is all part of the fun though. When you find the answer you were looking for it's a great feeling!

When you start to plan for your Salesforce security review there is a lot of information to parse through. What I want to do here is provide some of the highlights to get you moving in the right direction.

Step 1 - The very first thing you want to do when preparing for the Salesforce security review is to go through the Force.com Requirements Checklist in detail. Much of this is standard web application development best practice. There are three areas, though, that I paid special attention to: A) making sure that all my triggers were bulkified, B) making sure my unit tests were up to par, and C) protecting against SOQL injection. I mention the first two because the trigger aspect was something I wasn't as familiar with and I found gaps in my unit testing (see the unit testing best practices). Salesforce requires that at least 75% of your code is covered by unit tests, but I would shoot for higher than that. In your unit tests, use the "System.assert" methods as much as possible - you want to prove that your code is working properly, not just that it executes. I've changed my development style from when I started on Force.com to be more test driven.
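To make the three points in Step 1 concrete, here is an added example (not code from the original post): a dynamic SOQL query built by string concatenation next to two hardened forms, a bulkified trigger that does one query for the whole batch, and a test class that proves both with System.assert. The class and trigger names, and the field whitelist, are assumptions for illustration; the objects and fields are standard Salesforce ones.

```apex
// Added example, not from the original post. Class, trigger and handler names
// are assumed; Account and Contact fields are standard.

public with sharing class AccountSearch {

    // VULNERABLE: user input is concatenated straight into dynamic SOQL, so a
    // value containing a quote changes the meaning of the WHERE clause.
    public static List<Account> findUnsafe(String userInput) {
        String q = 'SELECT Id, Name FROM Account WHERE Name = \'' + userInput + '\'';
        return Database.query(q);
    }

    // HARDENED (preferred): a bind variable. The value is passed to the
    // database separately and is never parsed as part of the query text.
    public static List<Account> findSafe(String userInput) {
        String searchName = userInput;
        return [SELECT Id, Name FROM Account WHERE Name = :searchName];
    }

    // HARDENED, dynamic: field names cannot be bound, so they are checked
    // against a whitelist; the value is still a bind, and escapeSingleQuotes
    // is the fallback when a bind is not possible.
    public static List<Account> findSafeDynamic(String userInput, String fieldName) {
        Set<String> allowedFields = new Set<String>{ 'Name', 'AccountNumber' };
        if (!allowedFields.contains(fieldName)) {
            throw new IllegalArgumentException('Unsupported field: ' + fieldName);
        }
        String searchValue = String.escapeSingleQuotes(userInput);
        return Database.query(
            'SELECT Id, Name FROM Account WHERE ' + fieldName + ' = :searchValue');
    }
}

// Bulkified trigger: the handler receives the whole batch (up to 200 records)
// and issues one query, not one query per record.
trigger ContactTrigger on Contact (before insert) {
    ContactTriggerHandler.copyAccountCountry(Trigger.new);
}

public with sharing class ContactTriggerHandler {
    public static void copyAccountCountry(List<Contact> newContacts) {
        Set<Id> accountIds = new Set<Id>();
        for (Contact c : newContacts) {
            if (c.AccountId != null) accountIds.add(c.AccountId);
        }
        // Single SOQL query for every contact in the batch.
        Map<Id, Account> accounts = new Map<Id, Account>(
            [SELECT Id, BillingCountry FROM Account WHERE Id IN :accountIds]);
        for (Contact c : newContacts) {
            Account a = accounts.get(c.AccountId);
            if (a != null) c.MailingCountry = a.BillingCountry;
        }
    }
}

@isTest
private class AccountSearchTest {

    @isTest static void quotedInputIsTreatedLiterallyBySafeQuery() {
        insert new Account(Name = 'Acme');
        // Constructed input containing a quote; the bind compares it literally.
        String quotedInput = 'x\' OR Name LIKE \'%';
        System.assertEquals(0, AccountSearch.findSafe(quotedInput).size());
        System.assertEquals(0, AccountSearch.findSafeDynamic(quotedInput, 'Name').size());
        System.assertEquals(1, AccountSearch.findSafe('Acme').size());
    }

    @isTest static void bulkInsertStaysWithinGovernorLimits() {
        Account acc = new Account(Name = 'Acme', BillingCountry = 'Germany');
        insert acc;
        List<Contact> contacts = new List<Contact>();
        for (Integer i = 0; i < 200; i++) {
            contacts.add(new Contact(LastName = 'Test' + i, AccountId = acc.Id));
        }
        Test.startTest();
        insert contacts;   // a per-record query here would exceed the SOQL limit
        Test.stopTest();
        Integer copied = [SELECT COUNT() FROM Contact
                          WHERE AccountId = :acc.Id AND MailingCountry = 'Germany'];
        System.assertEquals(200, copied);
    }
}
```

The tests are the point of the exercise: a test that only inserts 200 contacts gets you coverage, but the System.assertEquals calls are what prove the handler copied the field for every record and that quoted input cannot widen the query.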

Step 2 - Take the time to add proper comments to your code. I don't know how much this plays into the security review, but it is the best way to develop. As a general rule, I write the comments as if I have to hand this code over permanently to a friend who will be maintaining it from then on. The reason for this is that programmers sometimes write code knowing only they understand how it works, assuming that if someone has questions they can just ask.

I work under the assumption that I may be busy with another project and I don't have time to explain everything but I also don't want that person to struggle. I picture my best friend having to pick up where I left off and I don't want him stressed out trying to figure it out. The nice thing to do is write enough comments so they can smile when they look at the code and say, "cool, this guy did a great job of explaining what all of this does." It's a bit of a mental exercise but it seems to work well for me.

Step 3 - Go through the OWASP Top Ten Checklist. OWASP is a valuable resource for keeping up with the latest web application threats you need to guard against. Make sure you go through it and check your code against all of these. In my case I needed to pay special attention to injection and cross-site scripting.

Step 4 - Take advantage of the free code scanners. I can't tell you how great these resources are.

Self-service source code analyzer (free): scans your Apex and Visualforce and produces a nice report. It's important to know that it can take anywhere from an hour to a full day to get the report back. I try to kick it off toward the end of the day once I've added a bunch of new code and made fixes.

Web-application scan (free): scans any web servers you have that integrate with Force.com.

Each time you go back and make changes to your code, you will want to check that your unit tests still cover all of your code and that you have followed all the best practices. Each time I make changes, I kick off the source code analyzer again.
