Salesforce asks devs to cough 800% more for security review

Salesforce.com has hiked the security fees for software authors posting apps on its AppExchange – by an eyewatering $2,400 a pop. From 1 September, you’ll pay $2,700 for each paid app to undergo an obligatory security review before it appears on Salesforce’s AppExchange. The old price was $300. Marc Benioff's cloud crusader …

COMMENTS

This topic is closed for new posts.
  1. Callam McMillan

    Not seeing the problem here

    We're not exactly talking about fart apps, this is the kind of software which is used to store information which then makes the front page of this site if it's sprayed all over the internet. $2700 for a proper review of business/enterprise-class software seems quite reasonable, provided it is a proper multi-day deep dive review of the application.

    1. DrXym

      Re: Not seeing the problem here

      Pray tell what constitutes a "proper review"? Do they have the source code to review? If not, how do they detect a malicious app?

      I could easily write an app which has entirely innocuous behaviour. It reads your PIM, shows you your appointments, dials your numbers. Every day it also goes off to the web to retrieve an inspirational message to start your day. It works exactly as it should.

      Then one day when it goes off for its inspirational message it receives an embedded pwn command and turns evil. It begins dialling a premium number from Guyana at 2am, searches your emails for credit card numbers and passwords, installs malware on any PCs it finds connected to the same wifi network as your phone and otherwise does everything to siphon your money and make your life miserable.

      I'm quite certain I could hide this functionality sufficiently to evade an automated scan of the app.

      That isn't to say a cash barrier doesn't have some effect on security. Just raising the bar would discourage hackers more than a $25 fee for example. But I doubt it would discourage determined or well financed attackers with particular targets in mind.

      1. Callam McMillan

        Re: Not seeing the problem here

        "I'm quite certain I could hide this functionality sufficiently to evade an automated scan of the app."

        Hence, this is what justifies a $2700 cost. A review of the source code as necessary and a proper examination by a pen-tester, all done by hand.

        1. Phil O'Sophical Silver badge

          Re: Not seeing the problem here

          And does this $2700 get you a warranty from Salesforce that if a security problem does arise, they take responsibility for the consequences, since you've paid them a substantial fee to validate your app?

      2. craigj

        Re: Not seeing the problem here

        I have sent Salesforce / Force.com applications for review.

        Yes, they have access to your code.

        If your app connected to an external web service and did not escape values before including them in a page / query / code it would not pass the security review, that's exactly what the review is there for.

  2. James Micallef Silver badge

    I agree, $2700 isn't that much considering also this is more of an enterprise space where a larger %age of app users will be paying for it as opposed to the majority of apps on Play, Apple store etc that are free.

    Also, consider that Google, Apple etc are gobbling up 30%, if SF is charging you say 20% then you make $27k in sales and you already made that money back compared to if SF is doing the checking 'free' but charged you 30%.

  3. Anonymous Coward

    "All of them grab 30 per cent of your sales"

    Perhaps they should use some of the clear profits they are making from others' hard work, and rather than acting like a monopoly, start actually adding value to the process....
