FAQ-001533 - Proactive Security Architecture Review / Pre-Submission Documentation Review

Question
What information should I prepare to facilitate a pre-review of my application?
Answer
To facilitate a pre-review of your application for the AppExchange security review, prepare the following:

1. **Test Environments and Credentials**: Provide access to all environments, packages, and external components your solution uses, including external web apps, client/mobile apps, and all Apex and Visualforce. Ensure authentication credentials and access URLs are valid.
2. **Solution Documentation**: Include detailed user documentation for your solution and your company's information security policies. Document any false positives identified during security scans.
3. **Security Scan Reports**: Conduct manual testing and use automated security scanning tools to identify vulnerabilities. Submit the scan reports along with explanations for any false positives.
4. **Developer Edition Org**: Provide a Developer Edition org with the version of the solution you intend to distribute installed. This serves as the test environment for the security review team.
5. **Managed Package**: Ensure your submission is a Managed - Released package; unmanaged or beta packages are not accepted.
6. **Supporting Materials**: Include any additional materials required for your solution type, such as platform-specific requirements for mobile apps or extension packages.

Preparing these thoroughly will help streamline the review process and minimize delays.
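As an added example (not part of this FAQ and not Salesforce tooling), the script below shows one way to assemble the scan report and false-positive explanations called for in point 3 before submitting: it flattens a scanner's JSON output, keeps only Security-category findings, matches them against a justification list keyed on file, line and rule, and refuses to declare the package ready while any finding is neither fixed nor explained, or while a justification no longer matches any finding (a stale entry usually means the code moved and the justification was never re-checked). The report shape (per-file records with a `violations` array carrying `line`, `ruleName`, `category`, `severity` and `message`) is an assumption modelled on Salesforce Code Analyzer's JSON output; adapt the field names to whichever scanner you use. Both the report and the justification entries are constructed sample data.

```python
"""Triage a security scan report before an AppExchange pre-review submission.

Assumed input: scanner JSON as a list of per-file records with a "violations"
array (field names modelled on Salesforce Code Analyzer output; adjust as needed).
"""
import json
from dataclasses import dataclass

# Constructed sample report: three Security findings plus one non-security finding.
SAMPLE_REPORT = json.dumps([
    {"engine": "pmd",
     "fileName": "force-app/main/default/classes/AccountService.cls",
     "violations": [
         {"line": 12, "severity": 1, "ruleName": "ApexSOQLInjection",
          "category": "Security",
          "message": "Avoid untrusted/unescaped variables in DML query"},
         {"line": 30, "severity": 1, "ruleName": "ApexCRUDViolation",
          "category": "Security",
          "message": "Validate CRUD permission before SOQL/DML operation"}]},
    {"engine": "pmd",
     "fileName": "force-app/main/default/classes/Utils.cls",
     "violations": [
         {"line": 4, "severity": 3, "ruleName": "ApexDoc",
          "category": "Documentation", "message": "Missing ApexDoc comment"},
         {"line": 44, "severity": 1, "ruleName": "ApexSharingViolations",
          "category": "Security",
          "message": "Apex classes should declare a sharing model"}]},
])

# Constructed false-positive log. Keying on (file, line, rule) means an entry
# stops matching as soon as the code moves, so it cannot silently cover a new finding.
SAMPLE_JUSTIFICATIONS = [
    {"file": "force-app/main/default/classes/AccountService.cls", "line": 30,
     "rule": "ApexCRUDViolation",
     "reason": "Deliberate system-context read of setup metadata only; record "
               "access is enforced on the returned data with Security.stripInaccessible."},
    {"file": "force-app/main/default/classes/Utils.cls", "line": 99,
     "rule": "ApexXSSFromURLParam",
     "reason": "Left over from a refactored version of the file."},
]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    severity: int
    message: str

    def key(self):
        return (self.file, self.line, self.rule)


def load_security_findings(report_json, category="Security"):
    """Flatten the per-file report and keep only findings in the given category."""
    findings = []
    for record in json.loads(report_json):
        for v in record.get("violations", []):
            if v.get("category") != category:
                continue
            findings.append(Finding(record["fileName"], int(v["line"]), v["ruleName"],
                                    int(v.get("severity", 0)), v.get("message", "")))
    return findings


def triage(findings, justifications):
    """Split findings into open vs documented, and report justifications that match nothing."""
    by_key = {(j["file"], j["line"], j["rule"]): j for j in justifications}
    open_findings, documented = [], []
    for f in findings:
        j = by_key.pop(f.key(), None)
        if j is None:
            open_findings.append(f)
        else:
            documented.append((f, j["reason"]))
    return open_findings, documented, list(by_key.values())


def render_false_positive_doc(documented):
    """Plain-text false-positive explanations to attach to the submission."""
    lines = ["Documented false positives (rule | file:line | justification)"]
    for f, reason in sorted(documented, key=lambda item: item[0].key()):
        lines.append(f"{f.rule} | {f.file}:{f.line} | {reason}")
    return "\n".join(lines)


def ready_for_submission(report_json, justifications):
    """Gate: True only when every Security finding is fixed or justified and nothing is stale."""
    open_findings, _, stale = triage(load_security_findings(report_json), justifications)
    return not open_findings and not stale


if __name__ == "__main__":
    open_f, doc, stale = triage(load_security_findings(SAMPLE_REPORT), SAMPLE_JUSTIFICATIONS)
    print("OPEN (fix before submitting):")
    for f in open_f:
        print(f"  {f.rule} {f.file}:{f.line} severity={f.severity}: {f.message}")
    print(render_false_positive_doc(doc))
    print("STALE justifications:", [(s["rule"], s["file"], s["line"]) for s in stale])
    print("ready:", ready_for_submission(SAMPLE_REPORT, SAMPLE_JUSTIFICATIONS))
```

Run the script against a real export by replacing `SAMPLE_REPORT` with the scanner's JSON file contents and keeping the justification list under version control next to the code; the gate should be wired into the same pipeline that builds the Managed - Released package so a submission cannot be cut with unexplained Security findings.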
Related Security Rules
The automated security scanning in point 3 reports findings by rule name. The rules below cover the vulnerability classes the AppExchange review expects you to have scanned for; any of these findings you consider a false positive must be explained in the documentation you submit.

- Cryptography: ApexBadCrypto
- Object and field access, sharing model: ApexCRUDViolation, ApexSharingViolations
- SOQL injection: ApexSOQLInjection
- Cross-site scripting: ApexXSSFromEscapeFalse, ApexXSSFromURLParam, VfUnescapeEl
- Cross-site request forgery: ApexCSRF, VfCsrf
- Dangerous method usage: ApexDangerousMethods
- Insecure endpoints and transport: ApexInsecureEndpoint, AvoidInsecureHttpRemoteSiteSetting
- Open redirect: ApexOpenRedirect
- Credential management: ApexSuggestUsingNamedCred, AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls
- Session ID misuse: AvoidUnauthorizedApiSessionIdInApex, AvoidUnauthorizedGetSessionIdInApex