Appnigma

What Is the Salesforce Security Review? (Process and Checks)

salesforce security review

Jul 09, 2026

5 min read

What Is the Salesforce Security Review? (Process and Checks)

Salesforce Developers published the top 20 most-flagged vulnerabilities in August 2023. CRUD/FLS enforcement is the #1 cause by a long way. The list has barely changed since. If you understand the top of that list, you understand 80% of the security review.

Pro Tip

TL;DR: The Salesforce security review is the required check every AppExchange app passes before listing. Uses Salesforce Code Analyzer, Checkmarx, and OWASP ZAP plus manual review. Takes 4 to 5 weeks officially. Costs $999 per submission for paid apps (Salesforce Trailhead). Missing CRUD/FLS enforcement is the top failure cause.

What the security review is

It's Salesforce's gate for the AppExchange. Before any app, free or paid, can be listed, Salesforce's product security team reviews it to confirm it handles data securely and follows platform best practices (Salesforce ISVforce Guide). The same review applies whether people call it the AppExchange security review, the managed package security review, or the ISV security review. All the same process.

The point is trust. Customers install third-party packages into orgs holding sensitive business data. Salesforce verifies the code before it reaches the marketplace.

What it actually checks

The review blends automated and manual analysis. Salesforce Code Analyzer and Checkmarx for static scanning. OWASP ZAP for dynamic testing of external endpoints. A manual review of the findings (Salesforce Developers).

The recurring issues it flags, in roughly the order of frequency:

1/ Missing CRUD/FLS enforcement (the number-one cause, by a long way) 2/ Insecure or outdated library versions 3/ Sharing violations (missing with sharing) 4/ Hard-coded secrets or insecure storage of sensitive data 5/ TLS below 1.2 on external endpoints 6/ SOQL injection 7/ Cross-site scripting (XSS) and CSRF 8/ Sensitive data in debug logs

Pro Tip

CRUD/FLS being the top failure means most rejections are about access control, not exotic exploits. Code generated to enforce object- and field-level permissions by default clears the single biggest hurdle automatically.

How the process works

The flow is straightforward, even if the fixes aren't. You prepare your app and documentation. Run the scans yourself. Submit through the Partner Console. Salesforce reviews and returns findings. You fix issues and resubmit until you pass.

StepWhat happens
PrepareRun Code Analyzer and scanners; fix findings; gather docs and test credentials
SubmitProvide the package, test environment, and scan results in the Partner Console
ReviewSalesforce runs automated and manual analysis (4 to 5 weeks official)
ResolveFix any findings and resubmit ($999 again for paid apps)
PassApproval clears the app for listing

Cost and duration

Paid apps pay $999 per submission, charged again on each resubmission. Free apps are reviewed at no charge (Salesforce Trailhead). The review takes about 4 to 5 weeks officially and often 6 to 9 weeks in practice once queue time and fixes are included. For more, see our pages on the security review cost and how long it takes.

How no-code generation reduces review risk

Most failures are predictable: CRUD/FLS, sharing, SOQL injection, secret handling. Code generated to a fixed standard applies those requirements to every component by default, so the common rejections are pre-empted. Appnigma generates managed-package code against these requirements before you submit, which reduces the resubmission cycles that cost time and another $999.

Frequently Asked Questions

What does the Salesforce security review check?

It checks for secure coding and data handling: CRUD/FLS enforcement, sharing rules, input sanitization (SOQL injection, XSS), TLS 1.2+, and safe handling of secrets, using Code Analyzer, Checkmarx, and OWASP ZAP plus manual review (Salesforce Developers). CRUD/FLS is the top failure cause.

Is the AppExchange security review mandatory?

Yes. Every app, free or paid, has to pass the security review before it can be listed on the AppExchange. Applies to all managed packages distributed through the marketplace.

How much does the Salesforce security review cost?

$999 per submission for paid apps, charged again on each resubmission. Free apps are reviewed at no charge. The fee replaced the older $2,550 plus $150 model in March 2023.

How long does the Salesforce security review take?

About 4 to 5 weeks officially, and 6 to 9 weeks in practice once queue time and fixing findings are included. A failed first submission adds weeks and another $999 fee for paid apps.

Is the ISV security review the same as the AppExchange security review?

Yes. The terms ISV security review, AppExchange security review, and managed package security review all refer to the same mandatory review Salesforce runs before an app is listed.

About the author. Sunny Chauhan is the founder and CEO of Appnigma AI, a no-code platform that generates Salesforce AppExchange-ready managed packages with security-review requirements built in. He helps SaaS teams pass the review on the first try.

Key takeaway

The Salesforce security review is the mandatory assessment every AppExchange app passes before listing, using Salesforce Code Analyzer, Checkmarx, and OWASP ZAP plus manual review. Takes 4 to 5 weeks officially. Costs $999 per submission for paid apps. Most commonly fails on missing CRUD/FLS enforcement. Appnigma AI generates managed-package code against these requirements to reduce resubmissions.

Sources

1/ Salesforce Developers, Top 20 Vulnerabilities in the AppExchange Security Review, 2023 2/ Salesforce ISVforce Guide, how the security review works 3/ Salesforce Trailhead, ISV Security Review module (fee, duration)

What did your last submission actually fail on?

Ready to transform your Salesforce experience?

Start exploring the Salesforce Exchange today and discover apps that can take your CRM efficiency to the next level.

decorative section tag

Blog and News

Our Recent Updates