top of page
  • Writer's pictureKirk Steffke

Security Minded Development Practices


Getting an app publicly listed on the AppExchange means the developers have submitted it to the Salesforce Security Review and has passed. Apps that have gone through this process have been tested for adherence to industry best practices as they relate to data and control security mechanisms.

Apps built on the Salesforce platform will need to perform a few different audits, including:

  • Security Scanner (aka Checkmarx) - this is a self-service tool that is ran against all unmanaged code in an organization. A passing report or report that can have its findings mitigated with a false-positive report is required within the AppExchange Security Review app submission process.

  • Chimera/ZAP -If the app contains any elements that connect to external, non-Salesforce endpoints (web services, SSO/SAML, etc) an additional scan will be required. Chimera is a web-based scanning tool that serves the same function of ZAP and can be used in lieu of ZAP if the remote endpoints are publically accessible. Otherwise, the ZAP tool will need to be downloaded, configured, and used to perform the audit. The output of either tool will be a findings report of best practice violations, exploits, etc that will need to be addressed.

Top 10 Development Tips for a Passing Grade

  1. Bulkify

  2. Processing single records isn't efficient

  3. Perform DML on collections, not individual records

  4. Method parameters accepting objects/sObjects should accept collections of objects/sObjects, not individual records (more efficient to call a method once and iterate through records as opposed to entering and exiting methods for every record)

  5. Have Loop Awareness

  6. Avoid DML within loops

  7. Avoid SOQL/SOSL within loops

  8. Avoid async invocations within loops

  9. Respect Ownership/Sharing Rules

  10. Only use "without sharing" when you have a good reason to

  11. Respect Object and Field Level Permissions

  12. Include CRUD and FLS checks before accessing/modifying/creating records

  13. Usage of "Global" Access Modifiers

  14. If customers can build customizations on components within your package, it's likely those components can never be removed.

  15. Provide Adequate Test Coverage

  16. No seeAllData=true

  17. Positive and Negative Test Scenarios

  18. All test methods include asserts

  19. Beware of Properties Defined by URL Parameters

  20. SOQL/SOSL injections

  21. URL redirect

  22. No Hard Coding

  23. Ids

  24. Static Resource components

  25. Salesforce Document URLs

  26. Every SOQL Query Should...

  27. Include filter criteria

  28. Have a LIMIT set

  29. Triggers

  30. One per object

  31. Have customer toggle-able controls

Recent Posts
bottom of page