Security Minded Development Practices

June 6, 2017





Getting an app publicly listed on the AppExchange means the developers have submitted it to the Salesforce Security Review and it has passed.  Apps that have gone through this process have been tested for adherence to industry best practices as they relate to data and control security mechanisms.


Apps built on the Salesforce platform will need to undergo a few different audits, including:

  • Security Scanner (aka Checkmarx) - this is a self-service tool that is run against all unmanaged code in an organization.  The AppExchange Security Review app submission process requires either a passing report or a report whose findings can be mitigated with a false-positive report.

  • Chimera/ZAP - If the app contains any elements that connect to external, non-Salesforce endpoints (web services, SSO/SAML, etc.), an additional scan will be required.  Chimera is a web-based scanning tool that serves the same function as ZAP and can be used in lieu of ZAP if the remote endpoints are publicly accessible.  Otherwise, the ZAP tool will need to be downloaded, configured, and used to perform the audit.  The output of either tool will be a findings report of best practice violations, exploits, etc. that will need to be addressed.


Top 10 Development Tips for a Passing Grade

  1. Bulkify

    1. Processing single records isn't efficient

    2. Perform DML on collections, not individual records

    3. Method parameters accepting objects/sObjects should accept collections of objects/sObjects, not individual records (more efficient to call a method once and iterate through records as opposed to entering and exiting methods for every record)

  2. Have Loop Awareness

    1. Avoid DML within loops

    2. Avoid SOQL/SOSL within loops

    3. Avoid async invocations within loops

  3. Respect Ownership/Sharing Rules

    1. Only use "without sharing" when you have a good reason to

  4. Respect Object and Field Level Permissions 

    1. Include CRUD and FLS checks before accessing/modifying/creating records

  5. Usage of "Global" Access Modifiers 

    1. If customers can build customizations on components within your package, it's likely those components can never be removed.

  6. Provide Adequate Test Coverage

    1. No seeAllData=true

    2. Positive and Negative Test Scenarios

    3. All test methods include asserts

  7. Beware of Properties Defined by URL Parameters

    1. SOQL/SOSL injections

    2. URL redirect

  8. No Hard Coding

    1. Ids

    2. Static Resource components

    3. Salesforce Document URLs

  9. Every SOQL Query Should...

    1. Include filter criteria

    2. Have a LIMIT set

  10. Triggers

    1. One per object

    2. Have customer toggle-able controls
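
Tips 1 through 4, 7 and 9 combined in one class, as an added example that is not code from the original post. The class name, method names and exception type are hypothetical; Contact and its LastName and HasOptedOutOfEmail fields are standard Salesforce schema.

```apex
// Added illustration; class, method and exception names are hypothetical.
public with sharing class ContactOptOutService {   // tip 3: sharing rules enforced

    public class FieldAccessException extends Exception {}

    // Tip 7: the search term may originate from a URL parameter, so it is
    // never concatenated into query text. Tip 9: filter criteria plus LIMIT.
    public static List<Contact> findByLastName(String lastNameFromUrl) {
        // Tip 4: CRUD and FLS checks before reading.
        if (!Schema.sObjectType.Contact.isAccessible()
                || !Schema.sObjectType.Contact.fields.LastName.isAccessible()
                || !Schema.sObjectType.Contact.fields.HasOptedOutOfEmail.isAccessible()) {
            throw new FieldAccessException('No read access to required Contact fields');
        }
        if (String.isBlank(lastNameFromUrl)) {
            return new List<Contact>();
        }
        // The bind variable keeps user input out of the SOQL grammar entirely.
        return [SELECT Id, LastName, HasOptedOutOfEmail
                FROM Contact
                WHERE LastName = :lastNameFromUrl
                LIMIT 200];
    }

    // Tip 1: accepts a collection. Tip 2: no SOQL or DML inside the loop.
    public static void optOut(List<Contact> contacts) {
        // Tip 4: CRUD and FLS checks before modifying.
        if (!Schema.sObjectType.Contact.isUpdateable()
                || !Schema.sObjectType.Contact.fields.HasOptedOutOfEmail.isUpdateable()) {
            throw new FieldAccessException('No update access to Contact.HasOptedOutOfEmail');
        }
        List<Contact> toUpdate = new List<Contact>();
        for (Contact c : contacts) {
            if (c.HasOptedOutOfEmail != true) {
                toUpdate.add(new Contact(Id = c.Id, HasOptedOutOfEmail = true));
            }
        }
        if (!toUpdate.isEmpty()) {
            update toUpdate;   // one DML statement for the whole collection
        }
    }
}
```

If a query must be assembled dynamically, the same input would need `String.escapeSingleQuotes()` before concatenation; the static query with a bind variable avoids that step.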

