Setup a consultation
Recent Posts
Building an app and publishing it on the AppExchange feels daunting. This three-part series walks you through the process. The first part of how to get an app on AppExchange is planning, in which you answer a series of questions and review things to consider. Once you've nailed that, you can move forward with part two: development.
Begin with identifying the sprints from Phase 1 requirements. A sprint is a time frame when a specific task must be completed and ready for review. Before doing any Salesforce development, it's critical to complete the plan for each sprint.
With all the sprints documented, build out a schedule. Be sure to include the required security review process and creating a listing for the product in the Partner portal. As you create the schedule, incorporate standup meetings, weekly meetings, demonstrations, and package release dates. Leave room in the schedule for feedback in each sprint to accommodate changes requested during the demos.
Analyze the requirements for Phase 1 to create a design document based on the requirements. Break down the tasks to define weekly goals for the team. At standup meetings, discuss task status, hurdles, and priorities.
At the end of every week at the weekly status meeting, provide an update for the week and workload for the next week. Resolve any potential barriers to completing the sprints on schedule. Follow the schedule to release the packages with the completed functionality for testing. Define coding best practices and ensure the team follows security review guidelines.
You not only want to test your app for bugs, but also verify it works as planned. Testing also gives your app the best chance for passing AppExchange's security review process.
Create a test plan for the application with test cases for each function or module in the project. Perform testing with the managed beta version of the package after every release. Continue this process until the creation of the managed release.
After completing the main release, test the managed release version. This prevents losing any configurations and optimizes testing time. Share the test results for each version of the package and use a project management tool to track any issues to closure. This tool will ensure that no issues slip through.
Define a timeframe for taking the app to market as a minimal viable product with the fewest features required. Create a schedule for completing product development, marketing activities, and sales activities within the go-to-market timeframe. Incorporate the creation of marketing content in the schedule while Phase 1 is underway. AppExchange requires marketing content upon publishing.
Hold discussions with the AppExchange team to explain the product and the plan for demos. Doing this will help speed up the security review. After completing the scope for the first phase, prepare to develop the first version of the product and publish.
Since the marketing content is done during development, it should be ready to go when the first version is done. Initiate the security review with AppExchange as soon as possible with the minimal viable product to limit delays.
The detailed security review process helps AppExchange remain a trusted place for cloud applications. Therefore, it requires every app to undergo the security review process to determine whether an app meets security standards and best practices.
The AppExchange team tests all parts of an app to verify there are no risks for customers and their data. If the security review finds any issues, they must be fixed before the app can move forward.
Here are the steps to prepare for security review:
You can expect security review results about six to eight weeks after submission. If the security review team reports any issues, these need to be fixed and the app resubmitted for another security review. This cycle usually repeats two or three times until the app passes the review.
Several issues tend to arise during security review. Check your app for some of these issues to improve your app's chances of passing.
Cross-site scripting (XSS) attacks occur when malicious scripts get injected on trusted web sites. An attacker uses web application to send the malicious code, generally in the form of a browser side script, to a different end user.
Fix: Use JavaScript on Visualforce pages specially when displaying data inside script tags. Encode displayed data.
For example, use {!JSENCODE(text)} where text can be a merge field or text string that may contain the unsafe JavaScript characters. This prevents cross-site scripting attacks.
For more information, please see DOM based XSS Prevention Cheat Sheet at https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
Example
var varStartTime = "{!JSENCODE(HTMLENCODE(InitiateTime))}";
This issue occurs when sensitive data such as passwords are directly used in Apex controllers.
Fix: Use cryptographic hash function. For more information, please refer to Storing Sensitive Data at https://developer.salesforce.com/page/Secure_Coding_Storing_Secrets?language=en&language=en
Example
//Encrypting UserName
blob textBlob = blob.valueOf(Username);
blob encryptedData = Crypto.encryptWithManagedIV('AES256',cryptoKey,textBlob);
string strEncryptedUserName = EncodingUtil.base64Encode(encryptedData);
The Force.com platform extensively uses data sharing rules. Each object can have different permissions for a given profile based on whether the users have read, create, edit, and delete access. The restrictions are enforced when using all the standard controllers.
The data will be displayed to the users with the user of different sharing rules defined based on the role hierarchy defined in the system. But when using a custom Apex class, the profile permissions, field-level security restrictions, and sharing rules are not respected during the execution.
Fix: Use the “with sharing” keyword when declaring a new Class.
Example
public with sharing class BatchSMSSummaryReportCC {}
Even when you complete the development process, there will be ongoing development activities after the app is published on the AppExchange. The next post in the series will cover the publishing phase.
To learn about Salesforce application development services, which includes helping your organization get an app on AppExchange, please contact us at customersuccess@appshark.com.