RIO Education is a native Salesforce Student Information System (SIS, SMS) listed on the AppExchange. See it here.

For the solution to be listed on the AppExchange, RIO Education has to go through Salesforce's security review process and pass it. The security review ensures that the solution we publish on the AppExchange meets industry security best practices.  

This article outlines the series of processes that RIO Education went through before it can be publicly listed as a solution in the AppExchange.

Design and Development

Only solutions that pass the AppExchange security review will be approved. Hence, the solution design and development of RIO Education were done based on the following guides:

• Security Guidelines for Apex and VisualForce Development.
• Apex & VisualForce Security Tips.
• Lightning Aura Components Developer Guide.
• Secure Coding Guide.
• B2C Commerce Security Best Practices for Developers.
• AppExchange Security Requirement Checklist (requires a Salesforce login to view).  

Throughout the development lifecycle, an automated scanning tool was also used to constantly test/check the codes (please see below for more information) to ensure that the codes comply with Salesforce quality and security standards. 

Automated Scanning Tool

Source Code Scanner, which is also referred to as the Checkmarx scanner, was used to scan and detect for any possible quality and security issues in the solution. 

The scanner assisted in:

• Quality profile - detecting common Apex coding and design issues e.g. DML statements inside loops, SOQL/SOSL inside loops etc. (please read more in the link below). 
• Security profile - detecting security vulnerabilities e.g. Cross Site Scripting (reflected, stored, and DOM based), SOQL/SOSL Injection etc. (please read more in the link below).

This was to ensure that all issues can be identified and addressed prior to the AppExchange security review.

For more information on the scanner, please click here.

Security Review

Only when the scanned results are clean, we proceeded to the next stage; the AppExchange security review.

In order to continue with the security review, RIO Education solution was packaged (in managed packaged) and installed into a Salesforce test environment. 

The test environment was then handed over to the Security review team for reviewing/checking/testing.

Any security vulnerabilities reported were attended/fixed and resubmitted for follow-up review. This process continued until there were no further actions required and the solution has fully passed the review/test.

For more information, please click here.

AppExchange

When the solution passed the security review, only then it could be publicly listed in the AppExchange.

New Release

Any new releases have and will go through the same process as above.