
The Salesforce security review is a mandatory assessment of every app before it can be listed on the AppExchange. It combines automated code scanning, dynamic testing, and manual review to verify the app meets Salesforce's security requirements, with enforcement of CRUD/FLS, sharing rules, and input sanitization. It takes about 4 to 5 weeks officially and costs $999 per submission for paid apps. The most common reason apps fail is missing CRUD/FLS enforcement.
Pro Tip
TL;DR: The Salesforce security review is the required check every AppExchange app passes before listing. It uses Salesforce Code Analyzer, Checkmarx, and OWASP ZAP plus manual review, takes 4 to 5 weeks officially, and costs $999 per submission for paid apps (Salesforce Trailhead). Missing CRUD/FLS enforcement is the top failure cause.
What is the Salesforce security review?
It is Salesforce's gate for the AppExchange. Before any app, free or paid, can be listed, Salesforce's product security team reviews it to confirm it handles data securely and follows platform best practices (Salesforce ISVforce Guide). The same review applies whether people call it the AppExchange security review, the managed package security review, or the ISV security review; they all refer to this one process.
The point is trust. Customers install third-party packages into orgs holding sensitive business data, so Salesforce verifies the code before it reaches the marketplace.
What does the security review actually check?
The review blends automated and manual analysis: Salesforce Code Analyzer and Checkmarx for static scanning, OWASP ZAP for dynamic testing of external endpoints, and a manual review of the findings (Salesforce Developers). The recurring issues it flags, roughly in order of frequency:
CRUD/FLS enforcement (the number-one failure cause, by a significant margin)
Insecure or outdated library versions
Sharing violations (missing with sharing)
Hard-coded secrets or insecure storage of sensitive data
TLS below 1.2 on external endpoints
SOQL injection
Cross-site scripting (XSS) and CSRF
Sensitive data in debug logs
Pro Tip
Our finding: CRUD/FLS being the top failure tells you most rejections are about access control, not exotic exploits. Code generated to enforce object- and field-level permissions by default clears the single biggest hurdle automatically.
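The three access-control failures the list above leads with (CRUD/FLS, missing with sharing, and SOQL injection) can be illustrated in one Apex class. This is an added example, not code from the article or from Appnigma AI; the class name AccountLookupService and its method names are invented, and it uses only the standard Account object and its Name and AnnualRevenue fields. The unsafe method is shown only for contrast and reproduces the pattern the review flags; the hardened methods use the platform's own enforcement features (with sharing, WITH SECURITY_ENFORCED, Security.stripInaccessible, and bind variables).

```apex
// Added example (not the article's or the vendor's code). Assumed names:
// AccountLookupService, unsafeSearch, search, updateRevenue.
// "with sharing" makes every query in this class respect the running
// user's record-level sharing rules (missing it is a review finding).
public with sharing class AccountLookupService {

    // The pattern the review rejects: user input concatenated into SOQL
    // (injection) and no check that the user may read the object or fields.
    // Kept here only to show the contrast with search() below.
    public static List<Account> unsafeSearch(String nameFragment) {
        String soql = 'SELECT Id, Name, AnnualRevenue FROM Account'
            + ' WHERE Name LIKE \'%' + nameFragment + '%\'';
        return Database.query(soql);
    }

    // Hardened read path.
    public static List<Account> search(String nameFragment) {
        // Object-level (CRUD) check: refuse if the user cannot read Accounts.
        if (!Schema.sObjectType.Account.isAccessible()) {
            throw new System.NoAccessException();
        }
        // Bind variable: the input is passed as a parameter, never spliced
        // into the query text, so it cannot change the query's structure.
        String pattern = '%' + nameFragment + '%';
        // WITH SECURITY_ENFORCED throws a QueryException if any selected
        // field is not readable by the running user (field-level security).
        return [SELECT Id, Name, AnnualRevenue
                FROM Account
                WHERE Name LIKE :pattern
                WITH SECURITY_ENFORCED
                LIMIT 200];
    }

    // Hardened write path: let the platform strip fields the user may not
    // update, then treat a stripped field as a denied request rather than
    // silently writing a partial record.
    public static void updateRevenue(Id accountId, Decimal revenue) {
        Account acct = new Account(Id = accountId, AnnualRevenue = revenue);
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.UPDATABLE, new List<Account>{ acct });
        Map<String, Set<String>> removed = decision.getRemovedFields();
        if (removed.containsKey('Account')
                && removed.get('Account').contains('AnnualRevenue')) {
            // The user lacks FLS on AnnualRevenue: deny instead of no-op.
            throw new System.NoAccessException();
        }
        // DML on the filtered records; "with sharing" still applies.
        update decision.getRecords();
    }
}
```

Two design points worth noting: the bind variable removes injection, but LIKE wildcards inside the input (% and _) still act as wildcards, which is a search-behaviour question rather than a security one; and on the write path the code checks getRemovedFields() explicitly, because stripInaccessible alone would quietly drop the field and the update would appear to succeed.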
How does the security review process work?
The flow is straightforward, even if the fixes are not. You prepare your app and documentation, run the scans yourself, submit through the Partner Console, and Salesforce reviews and returns findings. You fix any issues and resubmit until you pass.
How much does it cost and how long does it take?
Paid apps pay $999 per submission, and that fee is charged again on each resubmission; free apps are reviewed at no charge (Salesforce Trailhead). The review takes about 4 to 5 weeks officially and often 6 to 9 weeks in practice once queue time and fixes are included. For deeper detail, see our pages on the security review cost and how long it takes.
How no-code generation reduces review risk
Most failures are predictable: CRUD/FLS, sharing, SOQL injection, and secret handling. When code is generated to a fixed standard rather than hand-written, those requirements are applied to every component by default, so the common rejections are pre-empted. Appnigma AI generates managed-package code against these requirements before you submit, which reduces the resubmission cycles that cost both time and another $999.
Frequently Asked Questions
What does the Salesforce security review check?
It checks for secure coding and data handling: CRUD/FLS enforcement, sharing rules, input sanitization (SOQL injection, XSS), TLS 1.2+, and safe handling of secrets, using Code Analyzer, Checkmarx, and OWASP ZAP plus manual review (Salesforce Developers). CRUD/FLS is the top failure cause.
Is the AppExchange security review mandatory?
Yes. Every app, free or paid, must pass the security review before it can be listed on the AppExchange. It applies to all managed packages distributed through the marketplace.
How much does the Salesforce security review cost?
$999 per submission for paid apps, charged again on each resubmission. Free apps are reviewed at no charge. The fee replaced the older $2,550 plus $150 model in March 2023.
How long does the Salesforce security review take?
About 4 to 5 weeks officially, and 6 to 9 weeks in practice once queue time and fixing findings are included. A failed first submission adds weeks and another $999 fee for paid apps.
Is the ISV security review the same as the AppExchange security review?
Yes. The terms ISV security review, AppExchange security review, and managed package security review all refer to the same mandatory review Salesforce runs before an app is listed.
About the author. Sunny Chauhan is the founder and CEO of Appnigma AI, a no-code platform that generates Salesforce AppExchange-ready managed packages with security-review requirements built in. He helps SaaS teams pass the review on the first try.
Key Takeaway
The Salesforce security review is the mandatory assessment every AppExchange app passes before listing, using Salesforce Code Analyzer, Checkmarx, and OWASP ZAP plus manual review. It takes 4 to 5 weeks officially, costs $999 per submission for paid apps, and most commonly fails on missing CRUD/FLS enforcement. Appnigma AI generates managed-package code against these requirements to reduce resubmissions.
Sources
Salesforce Developers, Top 20 Vulnerabilities in the AppExchange Security Review, 2023
Salesforce ISVforce Guide, how the security review works
Salesforce Trailhead, ISV Security Review module (fee, duration)
