FAQ-001541 - Proactive Security Architecture Review / Readiness Assessment and Pre-Checks


Current FAQ

Question
What proactive steps should I take before submitting for security review?
Answer
To prepare for a security review, take these proactive steps:

1. **Secure Your Solution**: Follow industry best security standards.
2. **Enroll in the AppExchange Partner Program**: Ensure your solution is Lightning Ready.
3. **Connect to the AppExchange Partner Console**: Link your packaging org and create a provider profile.
4. **Thorough Testing**: Perform manual testing and automated scans using tools like Salesforce Code Analyzer and Source Code Scanner (Checkmarx).
5. **Address Security Issues**: Fix any identified issues or document false positives.
6. **Prepare Submission Materials**: Gather a Developer Edition org with the solution installed, solution documentation, and any required credentials or test environments.
7. **Schedule Office Hours**: Consult with the Security Review Operations or Product Security team for guidance or questions.
8. **Final Preparations**: Complete all necessary testing and ensure your solution is ready for submission.

These steps will help ensure a smooth security review process.

AI Recommended Enhancement

Related Security Rules
ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexSharingViolations, ApexSOQLInjection, ApexXSSFromEscapeFalse, ApexXSSFromURLParam, AvoidHardcodedCredentialsInFieldDecls, AvoidInsecureHttpRemoteSiteSetting, VfCsrf, VfUnescapeEl
Question
What proactive steps should I take before submitting for security review?
Recommended Answer Update
To prepare for a security review, take these proactive steps:

1. **Secure Your Solution**: Follow industry-standard security practices and address common vulnerabilities like injection attacks, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure cryptography.
2. **Enroll in the AppExchange Partner Program**: Ensure your solution is Lightning Ready.
3. **Connect to the AppExchange Partner Console**: Link your packaging org and create a provider profile.
4. **Thorough Testing**: Perform manual testing and automated scans using tools like Salesforce Code Analyzer and Source Code Scanner (Checkmarx).
5. **Address Security Issues**: Fix any identified issues or document false positives.
6. **Prepare Submission Materials**: Gather a Developer Edition org with the solution installed, solution documentation, and any required credentials or test environments.
7. **Schedule Office Hours**: Consult with the Security Review Operations or Product Security team for guidance or questions.
8. **Final Preparations**: Complete all necessary testing and ensure your solution is ready for submission.

These steps will help ensure a smooth security review process.
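As an added illustration of step 1 (not part of the FAQ or of any Salesforce code), the Apex class below shows the two findings a scan in step 4 most often reports against a search controller, ApexSOQLInjection and ApexCRUDViolation, next to their remediated forms. The class name, the Contact fields and the method names are assumptions chosen for the example; the remediation relies on standard Apex features (a bind variable in static SOQL, `Schema.sObjectType` describe checks and `with sharing`).

```apex
// Added example, not from the FAQ: the scanner findings ApexSOQLInjection and
// ApexCRUDViolation in a hypothetical search controller, beside remediated code.
public with sharing class ContactSearch {

    // Kept as the "before" form so the scanner's report is recognizable.
    // ApexSOQLInjection: caller-controlled text is concatenated into the query
    // string, so a quote character in the input changes the query's structure.
    // ApexCRUDViolation: the object is read without checking the running user's
    // object or field access, relying only on the class-level sharing keyword.
    public static List<Contact> findVulnerable(String term) {
        String q = 'SELECT Id, Name, Email FROM Contact WHERE Name LIKE \'%' + term + '%\'';
        return Database.query(q);
    }

    // Remediated form.
    // - The search term is passed as a bind variable (:pattern) in static SOQL,
    //   so it is treated as data and can never become part of the query text.
    // - Object and field access are verified through the describe API before
    //   the query runs; this is the check the ApexCRUDViolation rule looks for.
    public static List<Contact> findSafe(String term) {
        if (!Schema.sObjectType.Contact.isAccessible() ||
            !Schema.sObjectType.Contact.fields.Name.isAccessible() ||
            !Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            // Fail closed: the running user may not read these fields.
            throw new AuraHandledException('Insufficient access to Contact');
        }
        String pattern = '%' + term + '%';
        return [SELECT Id, Name, Email FROM Contact WHERE Name LIKE :pattern];
    }
}
```

When dynamic SOQL is unavoidable (for example, a field list chosen at run time), the same rule is satisfied by binding the user-supplied value or passing it through `String.escapeSingleQuotes` rather than concatenating it raw; the bind variable remains the clearer fix.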
Reasoning
The original FAQ provides a good foundation but could be more specific about security practices in step 1. I changed 'industry best security standards' to 'industry-standard security practices' for clearer language and added specific examples of common vulnerabilities that the security scanner rules detect. This helps developers understand what types of security issues they should focus on during preparation. The security rules I selected all relate to common vulnerabilities that developers need to address before security review: ApexBadCrypto relates to insecure cryptography mentioned in the improved text; ApexCRUDViolation and ApexSharingViolations relate to data access security; ApexCSRF and VfCsrf relate to CSRF protection; ApexSOQLInjection relates to injection attacks; ApexXSSFromEscapeFalse, ApexXSSFromURLParam, and VfUnescapeEl relate to XSS prevention; AvoidHardcodedCredentialsInFieldDecls relates to credential security; and AvoidInsecureHttpRemoteSiteSetting relates to secure communications - all critical security areas developers should address in step 1 'Secure Your Solution'.