What is AppExchange | AgentExchange Security Review?
AppExchange Security Review is Salesforce's mandatory security assessment process that all applications must pass before being listed on the AppExchange marketplace. This comprehensive review evaluates your application's security posture, code quality, and compliance with Salesforce security best practices.
AgentExchange Security Review is a specialized security assessment for AI agent applications published on Salesforce's AgentExchange marketplace. As AI agents become increasingly integrated into business processes, ensuring their security is critical to protect sensitive data, maintain compliance, and prevent unauthorized access.
Both review processes can be lengthy and challenging, with many ISVs experiencing multiple review cycles due to security findings. Our pre-review assessment and remediation services help you identify and fix issues before submission, significantly reducing review time and increasing your chances of first-pass approval for both traditional applications and AI agent applications.
Why Pre-Review Assessment Matters
Faster Time to Market
Identify and fix issues before submission to avoid lengthy review cycles and delays in your go-to-market timeline.
Cost Savings
Reduce development costs by catching security issues early, before they require expensive rework during the review process.
Higher Success Rate
Our expertise helps you achieve first-pass approval, avoiding the frustration of multiple review cycles.
Compliance Confidence
Ensure your application meets all Salesforce security requirements and industry best practices.
What We Review
Code Security Analysis
- SOQL/SOSL injection vulnerabilities
- Cross-site scripting (XSS) in Visualforce and Lightning
- Cross-site request forgery (CSRF) protection
- CRUD/FLS violations in Apex code
- Insecure direct object references
- Authentication and authorization flaws
- Lightning Locker compatibility
- ES5 enforcement compliance
Package Security
- Package metadata validation
- Dependency security analysis
- JavaScript library vulnerability scanning
- Third-party package security
- Package version compatibility
- Namespace security
Configuration Security
- Org-wide security settings
- Profile and permission set review
- Sharing rules and OWD evaluation
- Field-level security assessment
- Login IP restrictions
- Session security settings
Integration Security
- API security (REST/SOAP)
- Connected app configuration
- OAuth implementation security
- External service integration risks
- Webhook security
- Callout security
Data Security
- Sensitive data exposure
- Encryption at rest and in transit
- PII handling compliance
- Data access controls
- Audit trail configuration
Client-Side Security
- Lightning component security
- JavaScript security vulnerabilities
- Content Security Policy (CSP)
- Clickjacking protection
- DOM-based XSS
AgentExchange-Specific Security Reviews
For AI agent applications on AgentExchange, we provide specialized security reviews that address the unique security challenges of AI agents:
Prompt Security
- Prompt injection vulnerabilities
- Prompt manipulation attacks
- System prompt security
- User input validation and sanitization
- Prompt template security
- Context injection prevention
AI-Specific Security
- AI agent authentication mechanisms
- LLM API key management and security
- Model manipulation prevention
- AI agent data handling and privacy
- Agent action authorization
- AI-specific threat modeling
Data Security & Privacy (AI Agents)
- Data handling and storage security for AI processing
- PII and sensitive data protection in AI workflows
- Data encryption at rest and in transit for AI data
- Data retention and deletion policies for AI agents
- GDPR and privacy compliance for AI applications
- Data leakage prevention in AI responses
MCP Security Review Services
We provide a dedicated MCP security review stream for ISV solutions submitted to AppExchange and AgentExchange when MCP servers are externally hosted. In these engagements, the MCP endpoint is assessed as an exposed application interface through structured offensive testing and control validation.
Coverage includes ISV-managed remote MCP servers and dependent backend systems. Locally deployed MCP instances and unrelated third-party component internals are excluded unless explicitly brought into scope.
Assessment Methodology
- Evidence-led penetration testing: We validate real attack paths and impact, not only scanner detections, using risk-based test scenarios aligned with OWASP principles.
- Source-aware extension: When code is provided, we supplement runtime testing with static analysis focused on access control, transport safety, message handling, and data boundary controls.
- Pragmatic tooling: Automated MCP scanners are used as accelerators for AI-centric patterns, while findings are confirmed through manual exploit verification.
- Documentation-gated execution: Testing begins after endpoint maps, protocol versions, auth flow details, and API collections are provided and reviewed.
Protocol and Interface Validation
Streamable HTTP Implementations
- Review of bidirectional request/response handling over POST/GET messaging patterns.
- Validation of protocol compatibility and secure endpoint behavior for modern MCP transport models.
- Optional stream processing behavior is assessed where server-sent events are enabled.
- Typical interface form: /mcp style endpoint architecture.
HTTP with Server-Sent Events Deployments
- Assessment of dual-channel design (SSE receive channel and POST send channel).
- Validation of session lifecycle and event-handling controls in compatibility transport mode.
- Protocol conformance checks for legacy MCP transport support.
- Typical interface form: /sse and paired message endpoints.
Where Agent Registry flows rely on SSE-based interfaces, those channels are explicitly tested for origin validation, authentication robustness, and session-safe event delivery.
Security Domains Covered
Identity Assurance and Authorization Design
- Review of authentication models, token processing, and trust boundaries across MCP and downstream services.
- Assessment of secret management for client credentials, API keys, and long-lived tokens.
- Validation that data access decisions are enforceable for user-specific and sensitive business data.
- Detection of patterns where service-wide authentication undermines effective authorization controls.
Access Boundaries and Privilege Containment
- Testing for over-broad tool permissions and weak separation between capability domains.
- Privilege escalation testing across role-sensitive operations and administrative pathways.
- Validation of resource access restrictions, including file and URI handling controls.
- Issue reporting is tied to practical exploitability within the documented business workflow.
Secrets Handling and Token Abuse Resistance
- Inspection for credential leakage through logs, URLs, traces, and operational documentation.
- Verification of token lifetime, rotation, and per-tenant or per-user isolation characteristics.
- Assessment of audience and scope enforcement to prevent unauthorized downstream API use.
- Identification of risky storage patterns that increase theft or replay exposure.
Session Trust and Event Stream Resilience
- Validation that session identifiers are unpredictable, high entropy, and operationally secure.
- Checks for user-context session binding to reduce cross-session impersonation risk.
- Testing of resumed stream behavior for malicious event insertion or queue poisoning paths.
- Review of asynchronous delivery controls to prevent unauthorized session event reuse.
Data Confidentiality and Output Control
- Enforcement checks for secure transport, including HTTPS/TLS-only data exchange.
- Review of error surfaces to prevent leakage of internal paths, implementation detail, or secrets.
- Cache control validation for responses that include customer or security-sensitive data.
- Findings are raised when exposure conditions are demonstrably actionable.
Input Trust, Configuration Security, and Protocol Misuse
- Injection-focused testing across JSON-RPC methods, tool arguments, and downstream data handling.
- Verification that accepted message responses do not mask exploitable backend behavior.
- Assessment of TLS posture, CORS policy rigor, and insecure cross-origin combinations.
- Review of token passthrough and confused deputy patterns in OAuth-mediated integrations.
Required Partner Inputs
- Complete MCP endpoint inventory, transport model, and protocol versioning details.
- Endpoint-level documentation in OpenAPI- or Postman-compatible form, including exposed tools/resources.
- End-to-end authentication and authorization sequence documentation.
- Secret management architecture, storage controls, and access governance model.
- Business context and data classification (public, internal, sensitive, user-specific).
- Network topology, trust boundaries, and permission model for connected systems.
- Agentforce registration context, listing identifiers, and isolated test environment access.
Reviewer Execution Checklist
- Readiness validation: confirm documentation completeness, endpoint visibility, and test environment quality.
- Control effectiveness: verify authentication robustness and enforceable authorization outcomes.
- Privilege minimization: evaluate tool/resource permissions against least-privilege expectations.
- Session and token controls: assess audience checks, session binding, and anti-replay posture.
- Exploit confirmation: validate injection, exposure, and misconfiguration findings through reproducible impact.
- Transport hardening: verify secure operation across Streamable HTTP and SSE communication paths.
Our Pre-Review Process
We perform a comprehensive security scan of your package using Salesforce's SFCA tooling, our in-house security scanners, and manual analysis to identify all potential security issues.
Our security experts review each finding, eliminate false positives, and provide context on how each issue would be evaluated in the official Security Review.
We prioritize findings based on Security Review criteria and provide a detailed remediation plan with code examples and best practices.
We work with your development team to implement fixes, providing code review, guidance, and best practice recommendations throughout the remediation process.
We retest your application after remediation to verify all issues have been properly addressed and no new vulnerabilities were introduced.
We provide a final readiness report confirming your application is ready for Security Review submission, along with documentation to support your review.
Common Security Review Findings
Critical Issues
- SOQL injection vulnerabilities
- Authentication bypasses
- Privilege escalation
- Mass assignment vulnerabilities
High Priority
- XSS in user-facing components
- CRUD/FLS violations
- CSRF vulnerabilities
- Sensitive data exposure
Medium Priority
- Lightning Locker compatibility
- Security misconfigurations
- Insufficient logging
- Weak cryptographic implementations
Security Review Tooling
We use Salesforce's SFCA (Salesforce Code Analyzer) suite during the security review process, plus in-house tools that detect additional vulnerable patterns:
Salesforce SFCA (used during Security Review):
- SFCA-PMD: Detects Apex code vulnerabilities including injection flaws, CRUD/FLS violations, and security anti-patterns.
- SFCA-Appexchange: Validates package metadata, security settings, and AppExchange readiness requirements.
- SFCA-RetireJS: Flags outdated JavaScript libraries with known CVEs that could fail Security Review.
- SFCA-DFA: Deep function analysis of Apex and Lightning components for complex security issues.
- SFCA-General: Checks configuration and permission issues across your org.
Our in-house tools (detect more vulnerable patterns):
We use dedicated in-house scripts and analyzers for each Salesforce framework to surface issues that standard tooling may miss:
- Apex: Custom rules and scripts for server-side logic, triggers, and Apex security anti-patterns.
- LWC (Lightning Web Components): In-house analysis for JavaScript, wire adapters, and LWC-specific vulnerabilities.
- Aura: Scripts targeting Aura components, controllers, and client-server security patterns.
- Visualforce (VF): Checks for VF page and controller security, injection, and exposure risks.
- FlowShield: Our in-house tool for Flows—identifies security issues in Salesforce Flows, Process Builder automations, and Flow Builder components, including flow logic, variable handling, and data access patterns (CRUD/FLS, sharing bypasses, and declarative automation risks).
- Actions: In-house scripts for Invocable Actions, Quick Actions, and action security.
- Prompt Templates: Analysis for Prompt Template and generative AI–related security patterns.
Deliverables
Pre-Review Security Report
Comprehensive report identifying all potential Security Review findings with risk ratings and remediation guidance.
Remediation Roadmap
Prioritized action plan with code examples, configuration changes, and step-by-step remediation instructions.
Code Review & Guidance
Ongoing support during remediation with code review, best practice recommendations, and security pattern implementation.
Verification Report
Final report confirming all issues have been addressed and your application is ready for Security Review submission.
Review Support Documentation
Documentation to support your Security Review submission, including security architecture diagrams and remediation evidence.
Why Choose AppXsecurity?
- AppExchange Expertise: Deep understanding of Security Review requirements and evaluation criteria.
- Proven Track Record: We've helped hundreds of ISVs pass Security Review, many on their first attempt.
- In-House Tools: Our in-house scanners detect additional vulnerable patterns beyond what standard Security Review tooling catches.
- End-to-End Support: From initial assessment through remediation to final verification.
- Time Savings: Reduce review cycles from months to weeks with our pre-review assessment.
- Cost Effective: Catch issues early to avoid expensive rework during the review process.