Skip to content
Back to Blog
Marketplace

Security Review 101: Preparing Your Salesforce Managed Package to Pass (2026)

Nov 26, 2025
SCSunny Chauhan
Security Review 101: Preparing Your Salesforce Managed Package to Pass (2026)

Salesforce requires every managed package to pass a security review before it lists on the AppExchange, and about half fail the first attempt — most often on missing CRUD and field-level security checks. Here is what the review checks and how to prepare your package to pass.

Introduction to Salesforce Security Review

Getting your Salesforce managed package approved for AppExchange is essential. The Salesforce Security Review ensures every app meets strict security, trust, and compliance standards. If you're preparing your first managed package, you’re in the right place. Learn more from the Salesforce Managed Package Guide.

Why Every Managed Package Must Pass This Review

Salesforce hosts thousands of third-party apps, and the ecosystem relies heavily on trust. The review protects customer data and ensures compliant behavior across enterprise environments. Explore the Salesforce AppExchange.

What Salesforce Checks During the Process

Salesforce scans for:

  • Vulnerable code patterns
  • Proper CRUD/FLS enforcement
  • Secure integrations
  • Authentication controls
  • Web vulnerabilities

Understanding the Importance of Security in the AppExchange Ecosystem

Security is central to the platform. Learn more about packaging essentials: Salesforce Managed Package (Appnigma)

Impact of a Failed Review

A failed review results in delays, additional fixes, and extra testing cycles.

Key Requirements Before Submitting Your Managed Package

Packaging Your App Correctly

Ensure proper visibility, packaging integrity, and version management.

Ensuring Namespace and License Setup

Reserve your namespace prefix and configure LMO settings. Learn about namespace setup.

Preparing Documentation and Support Details

Provide guides, diagrams, and support notes for the reviewers.

Technical Security Checkpoints You Must Pass

Apex Code Security Requirements

Follow secure coding standards and avoid unsafe operations. Learn more about Salesforce Integrations on Appnigma.

CRUD & FLS Enforcement

This is the top reason apps fail review.

Avoiding Hardcoded IDs

Use dynamic references and avoid static IDs.

Governor Limits and Bulkification

Use bulk-safe code and avoid inefficient patterns.

Secure Integrations and API Usage

OAuth Best Practices

Follow secure OAuth flows: Salesforce OAuth 2.0

Secure Storage of Secrets

Use Named Credentials, encrypted fields, and protected metadata.

Lightning Web Components (LWC) Security

Locker Service & Lightning Web Security

Follow the official security rules from: Lightning Web Security

Secure Event Handling

Validate payloads and prevent accidental data exposure.

Static Code Analysis and Tools to Use

Recommended tools for review readiness:

  • PMD
  • CodeScan
  • Checkmarx

Common Reasons Salesforce Rejects Packages

  • Missing CRUD/FLS
  • Weak or insecure integrations
  • Unsafe JavaScript patterns
  • Poor error handling

Preparing Your AppExchange Security Review Submission

Include:

  • Threat model
  • Data flow diagrams
  • Pen test documentation
  • Permission testing results

What Happens After You Submit

Expected Timeline

The review usually takes 4–6 weeks.

How to Respond to Review Feedback

Provide fixes, documentation, and test evidence.

Resubmitting After Fixes

Once everything is corrected, resubmit without penalties.

Best Practices to Speed Up Approval

  • Follow recommendations from the Salesforce scanner
  • Keep package components minimal
  • Test the entire package in a fresh org

Conclusion

Preparing your managed package for the Salesforce Security Review ensures trust, reduces risk, and sets your product up for AppExchange success.

A secure app isn’t just necessary—it’s smart business.

FAQs

1. How long does the Salesforce Security Review take? Usually 4–6 weeks.

2. Do all managed packages need a security review? Yes.

3. Can I skip CRUD/FLS enforcement? No.

4. Are external integrations allowed? Yes, if secure.

5. Can I use JavaScript libraries in LWC? Yes, if Lightning Web Security–compliant.

The failure reasons that sink most first submissions

Appnigma's founder ran 300+ of these reviews from the Salesforce side. The same issues came up first, every time — and Salesforce's own published data confirms the order: missing CRUD/field-level security enforcement is the number-one failure by a wide margin. Here are the categories that account for most rejections, and the fix for each.

#Failure categoryRoot causeThe fix
1CRUD/FLS not enforcedDML/SOQL without access checksSecurity.stripInaccessible, WITH SECURITY_ENFORCED, Schema.describe checks
2Insecure or outdated librariesBundled JS/dependencies with known CVEsUpgrade libraries; bundle current versions as static resources
3Sharing violationApex classes missing with sharingAdd with sharing or inherited sharing to every class
4Insecure secret storageAPI keys in custom fields or plaintextProtected Custom Metadata/Settings; Named Credentials
5SOQL injectionDynamic SOQL built with string concatenationBind variables; String.escapeSingleQuotes
6XSS / CSRFUnescaped output; no anti-CSRF handlingOutput encoding; avoid escape=false; framework CSRF tokens

What the docs don't spell out: reviewers check whether a fix is real or superficial, and whether the same vulnerability class appears elsewhere in your code. A patch in one class won't pass if the same pattern is left in three others.

How long the review takes

StageWho runs itDuration
Readiness checkSecurity Review Operations1–2 weeks
First testProduct Security3–4 weeks
Resubmission test (if failed)Product Security2–3 weeks
Total, first pass~6–9 weeks

The review is also periodic — listed packages face re-review over time, so security isn't a one-time gate.

Frequently Asked Questions

What does Salesforce check during the security review?

Static code security (CRUD/FLS, sharing, SOQL injection, XSS), dynamic/runtime security of any external endpoints (TLS, CSRF), secret storage, and a manual penetration test of authentication and access control.

Why do most managed packages fail the first time?

Industry estimates put first-attempt failure near 50%. The number-one cause, by Salesforce's own ranking, is missing CRUD/field-level security enforcement, followed by outdated libraries and sharing violations.

Where am I allowed to store API keys and secrets?

In Protected Custom Metadata or Protected Custom Settings, or via Named Credentials — never in custom fields, plaintext, or debug logs.

Do I need with sharing on every Apex class?

Yes in practice. Missing sharing declarations are the third-most-common failure; add with sharing or inherited sharing unless you have a documented reason not to.

How long does the review take?

Roughly 6–9 weeks for a first pass: 1–2 weeks readiness, 3–4 weeks first test, and 2–3 weeks for a resubmission if needed.

Is the security review a one-time requirement?

No. Listed packages are subject to periodic re-reviews, so you maintain security over the life of the app.

Does a no-code or declarative build make the review easier?

It can. Declarative logic that respects platform sharing and FLS by default designs out the top failure classes (CRUD/FLS, sharing, SOQL injection). It does not exempt you from the review or from documenting external integrations.

Does the security review apply to AgentExchange agent listings?

Yes. After Salesforce unified its marketplaces into AgentExchange in April 2026, the same security bar applies to agents and agent actions that touch data.

Key Takeaway

Every Salesforce managed package must pass a security review before listing on the AppExchange (now AgentExchange), and roughly half fail the first attempt. The top failure, by Salesforce's own ranking, is missing CRUD/field-level security enforcement, followed by outdated libraries, sharing violations, and insecure secret storage (store secrets in Protected Custom Metadata/Settings or Named Credentials). A first pass takes about 6–9 weeks, and listed packages face periodic re-review.

Sources

More Blogs

All Blogs

Ship your native CRM app this quarter.

30 minutes. We generate your first package live. 10x faster, 10x cheaper than the build you were quoting.