SECTION 3

Manage the security review process

If your solution is subject to security review, you must pass the review before it can be listed on AppExchange. Only Salesforce Platform packages, Marketing Cloud API solutions, and Salesforce Platform API solutions are subject to an initial security review. If the review team identifies vulnerabilities, you have access to personalized technical guidance to help identify vulnerabilities. While the solution is listed on AppExchange, it may be periodically re-reviewed to check that it still helps protect against security vulnerabilities.

Common security threats that we test for:
• SOQL and SQL injection
• Cross-site scripting
• Non Secure authentication and access control protocols
• Vulnerabilities specific to the Salesforce platform, like record-sharing violations

Security review wizard overview

You must use the security review wizard to specify your solution details and submit it for security review.

How to use the security review wizard

The security review wizard allows partners to upload documentation like preliminary security scans with Checkmarx, ZAP, Chimera, or usage documentation to share with the Salesforce AppExchange product security team for review. Additionally, partners will use the wizard to provide credentials to relevant test environments that pertain to the solution.

Security review wizard benefits:
1. A dynamic security review submission flow that scales with each solution type on AppExchange.
2. Secure and simplified security review payment model to give partners a more effective and scalable fee structure, especially for 1GP and 2GP packages.
3. Status tracking on the Security Review overview page in the Partner Console. Partners can see a contextual status indicator, review failure reports, and view communications with the review team.
4. New versions of approved packages no longer need to be submitted for auto-approvals. You can immediately associate the new version to your listing.
12 THE APPEXCHANGE PARTNER CONSOLE GUIDE