Inside the Salesforce App Exchange: A developer's perspective

MVP Michael Farrington explains the App Exchange's security review process.

Michael Farrington is a published author in a sense. His work isn't available in Barnes & Noble, but it's easily found with a quick search in the Salesforce App Exchange. And not unlike a writer, this developer went through a rigorous "editing" process designed to ensure that the application he created is highly secure.

A and Most Valuable Player, Farrington got his start working with Salesforce as a systems administrator with Motorola. A self-described geek, he's one of three people to hold the MVP distinction on both sides of the business.

His first experience with the security review process came in 2007, when he first published free apps into the exchange under the name Qandor.

"Basically, I selfishly built some tools for my own use to help me manage the sharing model and my customizations. So I posted them on the app exchange for free," he said. "The one great thing about it is if you're posting an app for free, you don't have to pay for the security review."

Salesforce kicks off the review process by giving developers a tool that scans for known security issues and inconsistencies with the Salesforce architecture. It's a proofreader in a sense, one that Farrington says always turns up a mistake, no matter how careful he was when creating the app.

"Every time I run it, it comes back with something I've missed or didn't think about. It's pretty handy," he said.

The next step for native app developers such as Farrington is to fill out a questionnaire explaining the application and what it does, then answer a series of yes-or-no questions about its technical aspects.

"You really don't have to do anything that complicated; you have to fill out a form and click a button," he said. "[It's a] very easy process -- there's no calling or faxing or sending mail; it's all just done online, so it's pretty convenient."

The turnaround time varies. Farrington believes that the review team, normally comprising several experts with one key person handling communication, gives preference to native apps. In the six years he has been active in the App Exchange, he has received responses in as little as 48 hours and waited as long as "a couple of weeks."

Salesforce's staff do not make any changes to the code of an app. Instead, they point errors out in an email and offer suggestions on how to fix them. Farrington said oftentimes the changes are extremely minor.

"The issues that the code scanner comes up with -- usually they are simple things to fix," he said. "I forgot a keyword here or let me add an extra line after it."

He believes that the majority of mistakes made are little things that would affect the customer-facing side of the app, especially if it's viewed through a browser. Other times he had to rethink the code or design, but normally changes are small. The back and forth between developer and reviewer is potentially unlimited, but Farrington said the process has never gone on for an uncomfortably long period of time.

"Usually it's one fix and [I'm] done. Whatever issue they give me, I fix it thoroughly and send it back, but sometimes they find something else," he said. "The maximum I've ever hit, I had to resubmit twice. It all comes down to the developer."

He added that when a developer resubmits his app, it stays at the front of the queue, which cuts down on the review process. Once approval comes through, the Salesforce team sends documentation and allows a developer to attach the code to the App Exchange. Updates follow the same pattern but usually go through more quickly in Farrington's experience.

Advice for other developers

Farrington highlighted the relationship he has developed with several reviewers over the years, even meeting up with them annually at Dreamforce. He said that building those relationships is helpful because, ultimately, they are the experts and the buck stops with them.

"They're very helpful at explaining or helping you find a solution to any issues," he said.

He also made it clear that his experiences with quick turnaround times are his alone, and that if another developer asked him, "How long will this take?" he would give a broader response.

"I wouldn't promise them anything. But once it gets to the front of the queue, I'd be surprised if it lasted longer than two weeks, and with good luck, [it will probably last] a week or less."

Adam Riglian is a news writer with Follow him on Twitter @AdamRiglian.
