RIO Education AppExchange Listing
The AppExchange listing process ensures our customers are delivered a scalable, secure solution.
RIO Education is a native Salesforce Student Information System (SIS, SMS, SRS) listed on the AppExchange. See it here.
To be listed on the AppExchange, RIO Education has to pass Salesforce's security review process. The security review ensures that RIO Education is ready to run on the world's leading platform, Salesforce.
This article outlines the steps that our RIO Education development team follows to ensure we can be publicly listed as a solution in the AppExchange.
Design and Development
The following guides are used to develop, test and list RIO Education on the Salesforce AppExchange:
- Security Guidelines for Apex and VisualForce Development.
- Apex & VisualForce Security Tips.
- Lightning Aura Components Developer Guide.
- Secure Coding Guide.
- B2C Commerce Security Best Practices for Developers.
- AppExchange Security Requirement Checklist (requires a Salesforce login to view).
Throughout the development lifecycle, an automated scanning tool is used to check the RIO code to ensure it complies with Salesforce quality and security standards.
Automated Scanning Tool
The Source Code Scanner, also referred to as the Checkmarx scanner, is used to scan the solution and detect any possible quality and security issues.
The scanner ensures:
- Quality profile - detecting common Apex coding and design issues e.g. DML statements inside loops, SOQL/SOSL inside loops etc. (please read more in the link below).
- Security profile - detecting security vulnerabilities e.g. Cross Site Scripting (reflected, stored, and DOM based), SOQL/SOSL Injection etc. (please read more in the link below).
For more information on the scanner, please click here.
Security Review
Only when the scan results are clean do we proceed to the next stage: the AppExchange security review.
In order to continue with the security review, the RIO Education solution is packaged as a managed package and installed into a Salesforce test environment.
The test environment is then handed over to the Salesforce Security Review team for review and testing.
Any security vulnerabilities reported are fixed and the solution is resubmitted for follow-up review. This process continues until no further actions are required and the solution has fully passed the review.
For more information, please click here.
AppExchange
Only once the solution has passed the security review can it be publicly listed in the AppExchange.
New Release
Every new release has gone, and will go, through the same process as above.