Before submitting for AppExchange Security Review, you need to complete the following mandatory security checks and configurations:
1. **Secure the Solution**: Ensure it adheres to industry security standards, protecting customer data and addressing vulnerabilities.
2. **Permission Sets**: Configure permission sets to limit user access to necessary data and functionality, following CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) guidelines.
3. **Testing**: Conduct end-to-end testing, including manual and automated scans with tools like Salesforce Code Analyzer and Source Code Scanner. Address vulnerabilities or document false positives.
4. **Documentation**: Provide detailed user documentation, security scan reports, and explanations for false positives, along with your company's security policies.
5. **Managed Package**: Submit a Managed—Released package, as unmanaged or beta packages are not accepted.
6. **Environment Access**: Grant access to all environments, packages, and external components used by the solution, including web, client, or mobile applications.
7. **Lightning Ready Certification**: Certify that the solution is Lightning Ready, as this is required for new solutions.
8. **Partner Program Enrollment**: Ensure enrollment in the AppExchange Partner Program and have a distribution agreement in place.
9. **Test Environment**: Set up a Developer Edition org with the distribution-ready version of the solution installed for the review team.
10. **Security Review Wizard**: Use the security review wizard in the AppExchange Partner Console to submit the solution and required materials.

Following these steps ensures your solution is ready for the review process.
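
For the permission set check in step 2, the following added example (not part of the original checklist and not Salesforce tooling) audits a permission set metadata file for grants that bypass CRUD, FLS, or sharing. The `BROAD_USER_PERMS` deny-list, the `Invoice__c` object, and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
# Assumed deny-list: org-wide permissions a packaged permission set rarely needs.
BROAD_USER_PERMS = {"ModifyAllData", "ViewAllData", "AuthorApex", "CustomizeApplication"}

# Constructed sample permission set (hypothetical Invoice__c object).
SAMPLE = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Invoice User</label>
    <objectPermissions>
        <allowCreate>true</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>true</modifyAllRecords>
        <object>Invoice__c</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <fieldPermissions>
        <editable>true</editable><field>Invoice__c.Amount__c</field><readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <editable>false</editable><field>Invoice__c.Status__c</field><readable>true</readable>
    </fieldPermissions>
    <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
</PermissionSet>"""

def flag(el, tag):
    """True when the child element <tag> holds the text 'true'."""
    return el.findtext(f"sf:{tag}", default="false", namespaces=NS).strip() == "true"

def audit_permission_set(xml_text):
    """Return (findings, editable_fields) for one permission set document."""
    root = ET.fromstring(xml_text)
    findings = []
    for up in root.findall("sf:userPermissions", NS):
        name = up.findtext("sf:name", default="", namespaces=NS)
        if flag(up, "enabled") and name in BROAD_USER_PERMS:
            findings.append(("user-permission", name))
    for op in root.findall("sf:objectPermissions", NS):
        obj = op.findtext("sf:object", default="", namespaces=NS)
        for tag in ("viewAllRecords", "modifyAllRecords"):  # bypass record sharing
            if flag(op, tag):
                findings.append((tag, obj))
    # Inventory of write-enabled fields, for manual FLS review.
    editable = sorted(fp.findtext("sf:field", default="", namespaces=NS)
                      for fp in root.findall("sf:fieldPermissions", NS) if flag(fp, "editable"))
    return findings, editable

if __name__ == "__main__":
    print(audit_permission_set(SAMPLE))
```
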