
How To Evaluate The Security Of AppExchange Apps

There are many things that go into building great customer relationships -- personalization, communication, consistency -- but few are as foundational as trust. Consumers don’t want to give their business to companies they don’t trust with their information. Since doing business and sharing personal information are two entwined activities in the modern world, trust has become more important than ever.

While new laws have started regulating how businesses use and store personal information (such as GDPR and CCPA), companies that proactively improve their security practices have big opportunities to continue building successful customer relationships and winning over the trust of new prospects.

If you’re using Salesforce, the good news is you’re already ahead of the curve. Salesforce incorporates a large array of security services out of the box, and there are countless options available to fine-tune your security preferences to your business and industry standards.

The thing is, most companies that use Salesforce don’t use it by itself -- over 71% of Salesforce customers use applications downloaded from the Salesforce AppExchange, and that number is only growing as more solutions are added to the marketplace every day. While you can rest assured that Salesforce will keep your data safe (it's trusted by top government and healthcare organizations around the world), the same can’t always be said for the applications that you use with the platform.

The S-Docs team compiled this guide to help you evaluate the security of Salesforce AppExchange apps, drawing from over ten years of experience as a trusted document generation and e-signature solution for Salesforce. Here are a few of our biggest recommendations for choosing the most secure solutions.

1. Check Out The App’s AppExchange Listing Page

Our first piece of advice for evaluating the security of AppExchange apps is simple: head over to the app’s listing detail page to get a first impression of the app. It’s true that you can’t judge a book by its cover, and you can’t judge an app’s security by its AppExchange listing page -- but there are a few things on that page that can give you a head-start into your app analysis. Here are a couple things to look for as you glance through the page:

How Old Is The Latest Release?

The top of every AppExchange listing will include a star rating, the date the app was first listed, and the date that the most recent version of the app was added to the AppExchange. This is the date you need to look out for.

You’ll likely come across many apps with latest releases ranging from a couple months ago to a couple years ago -- but sometimes you’ll find apps with “Latest Release” dates that are closer to the birth of the AppExchange itself than they are to the present.

It’s possible that installing an old application poses a security risk simply because of its age. Salesforce’s platform security and its published best practices keep changing, so a package that was last built against an old API version will not use the platform protections added since then, and its AppExchange security review may have been performed against a much older platform. Treat a very old release date as a prompt to ask the vendor when the package was last reviewed and which API version it targets.

However, an old “Latest Release” date doesn’t always mean that the app hasn’t been updated in a while; it could also mean that a newer version of the app exists that just isn’t on the AppExchange. If you’ve found an older app that you think your business might really benefit from, contact the app vendor for information about a more up to date version.

How Do The Reviews Look?

While it’s true that an app’s reviews aren’t necessarily a good indication of that app’s security infrastructure, it doesn’t hurt to glance through them and see what others have said about the app in the past. It’s possible that a reviewer has pointed something out about the app that you didn’t notice during your initial evaluation.

Pay attention to the dates on the reviews, too -- older reviews might not be a good representation of the app in its current state.

2. Find Out If The App Uses External Services Or Platforms

After you’re done looking through an app’s listing detail page, it’s time to dive in a little deeper. The next thing to look for during your app security review is whether or not the application requires external services or platforms to work, as well as whether or not it stores data on those external platforms.

There are a few ways to figure this out. The easiest way is to click the “Get It Now” button on the app’s listing detail page to begin the installation process (you don’t have to complete it). If the installer shows an “Approve Third-Party Access” step listing websites the package may send data to or receive data from, the app uses external services or platforms. Those URLs are the Remote Site Settings bundled with the package, so write them down: they are the endpoints you will want to ask the vendor about.

It’s also possible to figure this out by visiting the application’s website and poking around in their documentation, if it’s available; they’ll likely have information there about the external platforms or services that their app utilizes.

Why Do External Services Or Platforms Matter?

We’ve established that Salesforce itself is a secure solution with multiple data security measures in place -- after all, your team already trusts it with your sensitive business data. However, an application that uses external services or platforms is only as secure as its weakest link.

Although Salesforce isn’t the only secure platform available, every additional platform or service that handles your data adds risk. Applications that rely on external platforms by nature require your data to be transferred away from Salesforce for processing, and each hand-off crosses a trust boundary: the receiving service, its hosting provider, and everyone with access to it become part of the attack surface for that data.

If an AppExchange application also stores data on a platform other than Salesforce, this could be a problem for your organization for a number of reasons. Like we said before, introducing another platform introduces another opportunity for a data breach. Your IT department probably spent a great deal of time and resources vetting Salesforce as a secure platform to trust with your company’s data; the same process would likely need to be repeated for the additional platforms that an app is using to store data. Additionally, it's hard to know who really has access to your data when it's being stored (even temporarily) on other platforms. The more platforms with access to your data, the less secure it is.

3. Choose Native Apps Whenever Possible

We get it -- evaluating the security of any new Salesforce application is going to take some time; data security is of the utmost importance, and it shouldn’t be taken lightly. However, it doesn’t have to take too much time. There is one thing you can do that will significantly cut down on your evaluation timeline: choose native Salesforce applications first.

Native Salesforce applications are built on the Salesforce platform, meaning that they are hosted and operated entirely within the Salesforce cloud. When you choose a native app, you don’t have to worry about whether or not that application uses or stores data on third-party platforms or services. Native apps live completely within Salesforce, and the data they process does too. Native apps allow your security team to rest assured that no additional platform vetting will be required, since all of your organization’s data will remain in your already-approved Salesforce environment.

The Security Benefits Of Native Apps

Native Salesforce applications have more out-of-box security benefits than any other type of application on the AppExchange. While native solutions are not a universal answer to every Salesforce need, we recommend looking to them first before seeking out non-native alternatives. Here are just a few of the security benefits that come with native apps:

  • Salesforce Servers - All of your client data stays within Salesforce (unless you download, export, or email it). It is not sent to or stored on external servers, and no data enters from external servers, which may be the case with non-native applications.
  • Security Settings Consistency - A native Salesforce application runs inside your org, so it can be held to the same profiles, permission sets and sharing rules you have already configured. One caveat worth checking: Apex runs with system-level access unless a class is declared with sharing and the code enforces object and field-level security, and managed package source is not visible in your org, so ask the vendor how their code enforces sharing and field-level security. A non-native app that copies data elsewhere carries none of your Salesforce settings with it.
  • Secure Integrations - Everything that talks to a native app goes through Salesforce’s own authentication (user sessions, OAuth, and your existing single sign-on) and the existing permission model; there is no second set of credentials or API keys to issue, rotate and revoke. An SSO integration, for example, needs no additional work to cover a native app.
  • Data Residency - A native app’s data lives in your org’s own Salesforce instance, so it inherits whatever data residency your org already has and adds no new storage location to evaluate. A non-native app that stores data elsewhere has to be assessed against your residency requirements separately.
  • Reliable Uptime & Connectivity - Since native apps reside 100% within Salesforce, they are up whenever Salesforce is up. Non-native and hybrid apps depend on outside servers and network connectivity, which may or may not have the same enterprise-class infrastructure as Salesforce. Downtime is not only a business loss: if the application is part of a mission-critical process, an outage of the external service can leave that process half-completed or force users to fall back on less controlled workarounds.

How Can You Tell If An App Is Truly Native?

Seeking out native applications first is a significant step towards finding and implementing the most secure solutions for your Salesforce org. However, discerning which apps are truly native can be surprisingly difficult. Some apps that aren’t 100% native try to capitalize on the marketing advantage that being native comes with, using phrases in their listings like “native integration,” “on-platform,” and “without ever leaving Salesforce.” Apps that include some native aspects, but still require you to connect your Salesforce org to external URLs, are not truly native, and do not come with all of the security features that 100% native apps do.

To figure out whether or not an AppExchange app is truly native, head back to the AppExchange listing detail page, and look under the highlights table on the left. Only 100% native applications will be designated as native in this table.

If you’re still not convinced, click the Get It Now button and initiate the installation process again. If you’re prompted to grant access to any third-party sites, the app is not native. The absence of that prompt is a good sign but not proof on its own: it only covers the Remote Site Settings in the package, while data can also leave an org through browser-side components that call external URLs (which use CSP Trusted Sites rather than Remote Site Settings), through Canvas or iframed pages, or through an external service that pulls data out with its own connected app and API access. Confirm the point with the vendor questions below as well.
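The manual checks in sections 2 and 3 (watching for the third-party access prompt) can be repeated after installation from the org’s own metadata. The following is an added example, not S-Docs code or an official Salesforce tool: it queries the Tooling API for the Remote Site Settings and Named Credentials a package installed under its namespace and flags every endpoint whose host is not Salesforce’s own. The instance URL, access token, API version, the list of Salesforce-owned domains and the sample records are assumptions or constructed for illustration.

```python
"""Added example (not S-Docs or Salesforce code): list the outbound endpoints an
installed AppExchange package brings with it and flag those that leave Salesforce.

The "Approve Third-Party Access" prompt seen during installation comes from the
Remote Site Settings bundled in the package. After install, those settings (and
any Named Credentials) are visible through the Tooling API, tagged with the
package's namespace prefix, so the same check can be repeated at any time.
"""
import json
import re
import urllib.parse
import urllib.request

# Hosts that stay on Salesforce-operated infrastructure. Assumption: extend this
# list to match whatever your own platform review has already approved.
SALESFORCE_SUFFIXES = (".salesforce.com", ".force.com", ".salesforce-sites.com",
                       ".visualforce.com")

# Namespace prefixes are short alphanumeric identifiers; validating before use
# keeps the interpolated SOQL literal intact.
NAMESPACE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,14}$")


def is_salesforce_host(host):
    """True if the host is Salesforce's own. The leading dot on each suffix
    stops look-alikes such as 'notsalesforce.com' from matching."""
    host = (host or "").lower()
    return any(host == s[1:] or host.endswith(s) for s in SALESFORCE_SUFFIXES)


def tooling_queries(namespace):
    """SOQL for the two metadata types that grant a package outbound HTTP access."""
    if not NAMESPACE_RE.match(namespace):
        raise ValueError(f"not a valid namespace prefix: {namespace!r}")
    return {
        "RemoteProxy": ("SELECT SiteName, EndpointUrl, IsActive, DisableProtocolSecurity "
                        f"FROM RemoteProxy WHERE NamespacePrefix = '{namespace}'"),
        "NamedCredential": ("SELECT DeveloperName, Endpoint "
                            f"FROM NamedCredential WHERE NamespacePrefix = '{namespace}'"),
    }


def classify_endpoints(records):
    """Turn Tooling API records into findings: one dict per endpoint, `external`
    set when the host is not Salesforce's, plus notes a reviewer would want."""
    findings = []
    for rec in records:
        kind = rec.get("attributes", {}).get("type")
        if kind == "RemoteProxy":
            name, url = rec.get("SiteName"), rec.get("EndpointUrl")
        elif kind == "NamedCredential":
            name, url = rec.get("DeveloperName"), rec.get("Endpoint")
        else:
            continue
        parts = urllib.parse.urlsplit(url or "")
        notes = []
        if parts.scheme != "https":
            notes.append("non-HTTPS endpoint")
        if rec.get("DisableProtocolSecurity"):
            notes.append("protocol security disabled (plain HTTP allowed)")
        if kind == "RemoteProxy" and rec.get("IsActive") is False:
            notes.append("inactive now, but any admin can re-enable it")
        findings.append({"type": kind, "name": name, "url": url, "host": parts.hostname,
                         "external": not is_salesforce_host(parts.hostname), "notes": notes})
    return findings


def external_hosts(findings):
    """Distinct non-Salesforce hosts: the list to take to the vendor."""
    return sorted({f["host"] for f in findings if f["external"] and f["host"]})


def fetch_records(instance_url, access_token, namespace, api_version="v59.0"):
    """Run the queries against a real org (needs network and a valid session, so
    the sample below does not call it). instance_url and access_token come from
    whatever OAuth flow your org permits; the API version is an assumption."""
    records = []
    for soql in tooling_queries(namespace).values():
        url = (f"{instance_url}/services/data/{api_version}/tooling/query/?q="
               + urllib.parse.quote(soql))
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            records.extend(json.load(resp)["records"])
    return records


# Constructed sample: what a query for a hypothetical package namespace might return.
SAMPLE_RECORDS = [
    {"attributes": {"type": "RemoteProxy"}, "SiteName": "Salesforce_Login",
     "EndpointUrl": "https://login.salesforce.com", "IsActive": True, "DisableProtocolSecurity": False},
    {"attributes": {"type": "RemoteProxy"}, "SiteName": "Render_Service",
     "EndpointUrl": "https://render.vendor-example.com", "IsActive": True, "DisableProtocolSecurity": False},
    {"attributes": {"type": "RemoteProxy"}, "SiteName": "Legacy_Callback",
     "EndpointUrl": "http://legacy.vendor-example.com", "IsActive": False, "DisableProtocolSecurity": True},
    {"attributes": {"type": "NamedCredential"}, "DeveloperName": "Doc_Storage",
     "Endpoint": "https://storage.cloud-example.net/tenant-42"},
]

if __name__ == "__main__":
    results = classify_endpoints(SAMPLE_RECORDS)
    for f in results:
        flag = "EXTERNAL" if f["external"] else "salesforce"
        print(f"{flag:10} {f['type']:16} {f['name']:18} {f['url']}  {'; '.join(f['notes'])}")
    print("hosts to ask the vendor about:", external_hosts(results))
```

Run against the sample, the script flags three of the four endpoints as external and notes the plain-HTTP, inactive remote site, which an admin could re-enable later without any further approval step. Two limits apply: the Tooling API only shows what the package installed under its namespace, not what an admin added by hand afterwards, and it says nothing about browser-side callouts or external systems pulling data in through the API, so the vendor questions in the next section still matter.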

4. Ask Your Vendor The Right Questions

When in doubt, asking the right questions can help give you a better understanding of an app’s security infrastructure. Here are some additional key questions to ask your vendor during your evaluation of an AppExchange application:

  1. Does your app require that I allowlist any IP addresses (trusted IP ranges) in Salesforce to use any feature of your app?
  2. Does your company use any web services that are required to use any feature of the app?
  3. Where are those services hosted? Are they regional, and do they meet data residency requirements?
  4. How are services encrypted, in transit and at rest?
  5. How are networks separated between your corporate domain and the services that handle customer data?
  6. What are your SLAs for service and performance regarding uptime, bandwidth, and latency?
  7. What is the communication process for downtime and breaches? Can you provide a history of those for the previous 24 months?
  8. When was the last time you exercised your emergency management procedures?
  9. What audits and certifications do you have?
  10. Does your Apex run with sharing, and how does it enforce object and field-level security, given that managed package source is not visible in my org?
  11. When did the app last pass AppExchange security review, and which API version does the current package target?

Keep Your Data Secure With S-Docs

S-Docs is the only 100% native document generation and e-signature solution available on the Salesforce AppExchange, and it’s free with up to 2 templates. S-Docs holds all of the security benefits that come with native applications -- documents are designed, generated, emailed, and signed within Salesforce, and your data doesn’t leave your org.

The native benefits don’t stop at security -- S-Docs is faster, more reliable, and easier to use. Top government, healthcare, and financial service firms around the world trust S-Docs with all of their Salesforce document generation and e-signature needs. Being native allows it to work great with any Salesforce product, from Service Cloud, to Shield, to Government and Healthcare Clouds.

Get started today by contacting us to request a customized demo, or reach out directly to sales@sdocs.com.