Security Minded Development Practices

June 6, 2017





Getting an app publicly listed on the AppExchange means the developers have submitted it to the Salesforce Security Review and has passed.  Apps that have gone through this process have been tested for adherence to industry best practices as they relate to data and control security mechanisms.


Apps built on the Salesforce platform will need to perform a few different audits, including:

  • Security Scanner (aka Checkmarx) - this is a self-service tool that is ran against all unmanaged code in an organization.  A passing report or report that can have its findings mitigated with a false-positive report is required within the AppExchange Security Review app submission process.

  • Chimera/ZAP -If the app contains any elements that connect to external, non-Salesforce endpoints (web services, SSO/SAML, etc) an additional scan will be required.  Chimera is a web-based scanning tool that serves the same function of ZAP and can be used in lieu of ZAP if the remote endpoints are publically accessible.  Otherwise, the ZAP tool will need to be downloaded, configured, and used to perform the audit.  The output of either tool will be a findings report of best practice violations, exploits, etc that will need to be addressed.


Top 10 Development Tips for a Passing Grade

  1. Bulkify

    1. Processing single records isn't efficient

    2. Perform DML on collections, not individual records

    3. Method parameters accepting objects/sObjects should accept collections of objects/sObjects, not individual records (more efficient to call a method once and iterate through records as opposed to entering and exiting methods for every record)

  2. Have Loop Awareness

    1. Avoid DML within loops

    2. Avoid SOQL/SOSL within loops

    3. Avoid async invocations within loops

  3. Respect Ownership/Sharing Rules

    1. Only use "without sharing" when you have a good reason to

  4. Respect Object and Field Level Permissions 

    1. Include CRUD and FLS checks before accessing/modifying/creating records

  5. Usage of "Global" Access Modifiers 

    1. If customers can build customizations on components within your package, it's likely those components can never be removed.

  6. Provide Adequate Test Coverage

    1. No seeAllData=true

    2. Positive and Negative Test Scenarios

    3. All test methods include asserts

  7. Beware of Properties Defined by URL Parameters

    1. SOQL/SOSL injections

    2. URL redirect

  8. No Hard Coding

    1. Ids

    2. Static Resource components

    3. Salesforce Document URLs

  9. Every SOQL Query Should...

    1. Include filter criteria

    2. Have a LIMIT set

  10. Triggers

    1. One per object

    2. Have customer toggle-able controls


Please reload

Recent Posts
Please reload

CRM Science is an award-winning, strategic Salesforce Silver Consulting Partner focused on delivering practical end-to-end solutions to financial services institutions, manufacturing companies, senior living providers, and other industries. We partner with you throughout your Salesforce journey, specializing in developing business processes, implementation across the different Salesforce clouds, and integrating third-party solutions so you can innovate faster, better engage with customers and improve your bottom line with a unified system. 

We are recognized by Salesforce and were awarded the 2016 Partner Innovation Award for Connected Ecosystem, 2017 Partner Innovation Award for Einstein Analytics, 2018 Partner Innovation Award for Lightning Leadership, and 2019 Partner Innovation Award for Community Cloud.

Ready to find the solution to your Salesforce puzzle? Contact us at! 

Partner Innovation Award 2018
Partner Innovation Award 2017
Partner Innovation Award 2016
Philadelphia 100 fastest growing companies

Copyright © 2011-2019 CRM Science, Inc. All rights reserved.