What would really happen in the security review before listing our app in AppExchange?
During the security review process ,following things are checked
1.Apex code Security best practices .Force.com scanner is good tool to point out any risks
2.All your end points will be BURP Scanned .If your application makes a call to external SAP url ,even SAP URL will be BURP Scanned to discover any potential threats .Note for partners BURP Scanner is available freely.
As a best pratice you should provide scanned reports to SFDC .The top ten OWASP(Open Web Application Security Project) security risks are examined
3.You can also use Chimera to scan your end points .Chimera avoids installation of any tool on your local machine and instead runs all on cloud .Preferred for only web apps at this point .
4.Security team reserves rights to randomly test your app functionality
The scope of security review is discussed here
Also the entire checklist is documented .
There are Security review FAQ's that should also help
Based on these scans you will receive one of the below
The entire process takes 6-8 weeks and you don't want to wait again for 6-8 weeks and go through second time .So make sure you have all documents ready .There also other paper works like enrolling to ISVForce and having a policy template
Dont forget to have a fully documentation of your solution offering along with a test org showing end to end on how your solution works
Have you done Burp testing for the API's for which you are making callouts.
There are certain points which are considered in security review:
- Injection (SQL, XML etc.)
- Cross Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross Site Request Forgery (CSRF/XSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection(no SSL enforcement, weak or null ciphers, session cookies without secure attribute)
- Unvalidated Redirects and Forwards
Beside this there are few points which salesforce include them in Black box testing:
As per my experience, salesforce checks if they are planning for the same functionality as we are providing and then they takes decision to pass the app or not.