PUBLISHING YOUR PACKAGE TO APPEXCHANGEIN 2023

SALESFORCE ARCHITECT GROUP, L'VIV, UKRAINE
PUBLISH YOUR PACKAGE
TO APPEXCHANGE
IN 2023

Introduction
What is AppExchange?
New changes applicable since March 2023?
Why should I publish on AppExchange?
How do I publish package to AppExchange?
How do I prepare for Security Review?
Questions
Agenda

Speaker intro
Bohdan Dovhań
Associate Salesforce Architect at SoftServe Inc
3 Listings Published on AppExchange
#50th on Salesforce Stack Exchange
17x Salesforce Certified Specialist
12 years of Development experience
10 years of Salesforce Development experience

Salesforce Marketplace where packages can be found
for installation or published by ISV (Independent
Software Vendors)
Package is bundled container of code and metadata
which can be published on AppExchange or shared
directly to subscribers
AppExchange

Since March 16, 2023:
1. The $2,550 initial review fee was eliminated.
2. The $150 annual fee was eliminated.
3. The security review fee is $999 per attempt for paid apps.
4. They claim there will be no fees for Security Reviews for
free solutions while they work to redefine the policy.
March 2023 Change

1. Salesforce didn’t accept any new submissions between
March 1 and March 15, 2023 to ensure a smooth transition to
the new fee structure.
2. Technically now all apps (both Free and Paid) require
Security Review fee payment. To reduce it for a free app from
999$ to 1$ open a case to receive a waiver voucher
March 2023 Change

UI Change

Why should you publish your package on AppExchange?
- Extended visibility of the product to potential customers
- Increased trust for the label “Security Review Passed”
- Option to create patch versions
- Option to push upgrades to customers
- Option to use LMA, FMA, Support Console
Why?

How?
1. Sign partnership agreement with Salesforce
2. Create a listing on Partner Community
3. Create and develop a package
4. Connect your Packaging Org or Dev Hub to Partner Community
5. Submit for Security Review and pass it
6. Update the listing and publish it

Select Listing Type
Choose one from three options:
- Packaged Solution
- API
- Consultant

Select Package Solution Type
Choose one from two
options:
- SF Platform Package
- B2C Commerce
Cartridge

Select a Salesforce Platform Package Type
Choose one from four options:
- App
- Bolt Solution
- Flow Solution
- Lightning
Component

Choose one from two languages:
- English
- Japanese
Choose Japanese?

Give it a title

Fill in other details
Provide Brief Description
Select Required Salesforce Products (e.g. Sales Cloud)
Select Compatible Salesforce Products (can be blank)
Select Supported Salesforce Editions
Select Supported Features (LEX, SF Mobile, Person Accounts,
Multiple Currencies, SF Shield, Lightning App Builder)
Select Supported Industries

Select Target User Persona
Select Supported Languages
Select Business Needs
Select Equality, Philantrophy badges
Fill in additional requirements
Fill in a business contact information
Continue
no Ukrainian in the list but
there is enemy’s language
My Packages are mostly
Admin&Dev Tools

Select one of four pricing options
1. Free
2. Paid
3. Paid Add-On Required
4. Freemium
Select Pricing

Before publishing listing, Salesforce must check that it complies
with partner brand guidelines and partner program policies by:
1. Checking information in the Basics and Price Your Solution
steps.
2. Approval process takes about 30 days.
3. It is possible to continue updating listing while it is not
approved yet
Submit for Approval

Add SEO Title
Add Tagline
Add Full Description
Add Details

Add Highlights
Add Terms and Conditions
Add Details

Upload Small Logo
Upload Large Logo
Include Visuals

Upload Large Logo
Decide if you allow marketing use
Include Visuals

Add Screenshots
Add Videos
Include Visuals

Add Demo Video
Add up to 15 Customer Resources
Include Visuals

Link Solution
Select developed package – the solution
If it is not present, go to Technologies tab, open Org subtab to
connect either DevHub or Packaging Org for the package

Connect Org
To select a package for review, connect an org first
To connect 1GMP, you need to connect Packaging Org
To connect 2GMP, you need to connect Dev Hub

`

Choose Installation Method
By default, use AppExchange
Link Solution

Trials & Marketing
Setup Trial Template to offer free trials for paid app

Setup Lead Capturing for the following events:
1. Lead watches a demo video
2. Lead takes a test drive
3. Lead signs up for a free trial
4. Lead installs the package solution
Setup Lead Capture

When you click Done, you can see overall listing status
Check Listing Status

Formal Steps
- Fill In Contact Information
- Fill In Technical Details
- Upload Documents (most important)
- Provide information for Test Environments
- Review the Summary
- Pay for Security Review
Security Review

Use Environment Hub to create a Test/Demo org for Security Review using Trial
Template 0TT3t000004cHv2
Install released package version into created org same as submitted for review.
Create Guest Admin user with appropriate Profile which has Skip Validation in
the name
If needed, configure it for use, for example, assign correct permission set to the
Guest Admin user.
Log in as Guest Admin user and confirm that this user has correct access to the
packaged application
Security Review Test Org

Technical Steps
- Run CheckMarx Scanner for Salesforce Package
- On Partner Portal
- On Customer Portal
- Run PMD or any other Static Analyzer Tool
- Address every findings from Checkmarx and PMD
- Prepare Solution Architecture And Usage document
- Prepare False Positives document
- if you can’t workaround some findings from Checkmarx
- if you failed Security Review
Security Review

Common Findings
- Sharing Violation – use WITH SHARING
- Enforce CRUD/FLS: Security.stripInaccessible, WITH USER_MODE
- CSRF – do not perform DML during page load
- SOQL Injection – use escapeSingleQuotes in dynamic queries
- Sensitive Information in Debug – remove all debug logs
- Check external JS library vulnerabilities
- Remove inline CSS and fixed, absolute, or float in CSS or add them as
exceptions to False Positives document
Security Review

Sharing Violation
Use “with sharing”, “inherited sharing” class declarations
Avoid empty sharing class declarations
Document and justify “without sharing” class declarations.
Verify CRUD and FLS on SOQL and DML
Consider using “WITH USER_MODE” and Security.stripInaccessible
methods
Consider using Custom Permissions for enabling functionality
Consider using Permission Set to combine necessary permissions
together

CSRF
Do not perform DML operations on page load
CSRF is an attack which forces an end user to execute unwanted
actions on a web application in which he/she is currently
authenticated. With a little help of social engineering (like sending a
link via email/chat), an attacker may force the users of a web
application to execute actions of the attacker's choosing. A
successful CSRF exploit can compromise end user data and
perform state changing actions on this data without the user’s
knowledge.

SQL injection is a common application security flaw that results
from insecure construction of database queries with user-
supplied data. When queries are built directly with user data
inlined or concatenated directly with the query text, instead of
using type-safe bind parameters, malicious input may be able
to change the structure of the query to bypass or change
application logic. SQL injection flaws are extremely serious. A
single flaw anywhere in your application may allow an attacker
to read, modify or delete your entire database.
What is SQL Injection?

Apex does not use SQL, but its own database query language,
SOQL. SOQL is much simpler and more limited in functionality
than SQL. With SOQL injection, you can add additional conditions
to the already existing query but cannot build a new query
altogether. Therefore, the risks are much lower for SOQL
injection than for SQL injection, but the attacks are nearly
identical to traditional SQL injection.
Use binding ”:” or escapeSingleQuotes to fix.
SOQL Injection

Sensitive Information
Sensitive Information in Debug
Issue Description
Revealing information in debug statements can help reveal potential
attack vectors to an attacker. Debug statements can be invaluable
for diagnosing issues in the functionality of an application, but they
should not publicly disclose sensitive or overly detailed information
(this includes PII, passwords, keys, and stack traces as error
messages, among other things).
Remove all debug logs

Review Time
6 - 9 weeks
First review took 8 weeks for me.
Submission for additional packages took 1-3 weeks.
In exceptional circumstances, priority can be given to a particular
review, but please remember that this really means exceptional
and still requires a security reviewer to become available, which
could be multiple days (our reviews are thorough!). Reach out to
your Partner Account Manager if you need assistance.

1. Successful Checkmarx scan does not guarantee Successful pass of Security
Review submission
2. It doesn't report all possible security vulnerabilities that might be found by
manual review of Salesforce Security Review team.
3. Security Review Team will reject the security review if any security vulnerabilities
were found by Checkmarx which are not fixed or mentioned as false positives
4. It is required for Security Review submission, as well as Chimera or Burp or ZAP
for external endpoints if such are used.
Checkmarx scanner

SF Code Analyzer is very promoted by Salesforce,
however:
SF Code Analyzer scanner just runs PMD.
SF Code Analyzer results are NOT Accepted with
Submission for Security Review
SF Code Analyzer

Questions?

References
 https://partners.salesforce.com/pdx/s/pcnews/appexchange-security-review-fee-updates-MC4W7STFOTRNCO5C52G27DQK5J7Y
 https://developer.salesforce.com/blogs/2023/04/prepare-your-app-to-pass-the-appexchange-security-review
 https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/appexchange_publish.htm
 https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_dev2gp_publish_appexchange.htm
 https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/review_and_certification.htm
 https://trailhead.salesforce.com/en/content/learn/v/modules/secure-serverside-development/mitigate-crosssite-request-forgery
 https://trailhead.salesforce.com/en/content/learn/v/modules/secure-serverside-development/mitigate-soql-injection
 https://quip.com/pfqeA8kRTraY

PUBLISHING YOUR PACKAGE TO APPEXCHANGEIN 2023

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to PUBLISHING YOUR PACKAGE TO APPEXCHANGEIN 2023

Similar to PUBLISHING YOUR PACKAGE TO APPEXCHANGEIN 2023 (20)

More from Bohdan Dovhań

More from Bohdan Dovhań (14)

Recently uploaded

Recently uploaded (20)