Getting an app publicly listed on the AppExchange means the developers have submitted it to the Salesforce Security Review and has passed. Apps that have gone through this process have been tested for adherence to industry best practices as they relate to data and control security mechanisms.
Apps built on the Salesforce platform will need to perform a few different audits, including:
Force.com Security Scanner (aka Checkmarx) - this is a self-service tool that is ran against all unmanaged code in an organization. A passing report or report that can have its findings mitigated with a false-positive report is required within the AppExchange Security Review app submission process.
Chimera/ZAP -If the app contains any elements that connect to external, non-Salesforce endpoints (web services, SSO/SAML, etc) an additional scan will be required. Chimera is a web-based scanning tool that serves the same function of ZAP and can be used in lieu of ZAP if the remote endpoints are publically accessible. Otherwise, the ZAP tool will need to be downloaded, configured, and used to perform the audit. The output of either tool will be a findings report of best practice violations, exploits, etc that will need to be addressed.
Top 10 Development Tips for a Passing Grade
Processing single records isn't efficient
Perform DML on collections, not individual records
Method parameters accepting objects/sObjects should accept collections of objects/sObjects, not individual records (more efficient to call a method once and iterate through records as opposed to entering and exiting methods for every record)
Have Loop Awareness
Avoid DML within loops
Avoid SOQL/SOSL within loops
Avoid async invocations within loops
Respect Ownership/Sharing Rules
Only use "without sharing" when you have a good reason to
Respect Object and Field Level Permissions
Include CRUD and FLS checks before accessing/modifying/creating records
Usage of "Global" Access Modifiers
If customers can build customizations on components within your package, it's likely those components can never be removed.
Provide Adequate Test Coverage
Positive and Negative Test Scenarios
All test methods include asserts
Beware of Properties Defined by URL Parameters
No Hard Coding
Static Resource components
Salesforce Document URLs
Every SOQL Query Should...
Include filter criteria
Have a LIMIT set
One per object
Have customer toggle-able controls