Service 05 · Application Security

Code-level security from the team that wrote the rules engine.

Most breaches don't start at the firewall; they start in the code, and now in the prompt. We review the application surface line by line, harden the pipeline that ships it, secure AI systems from prompt injection through production monitoring, and turn compliance requirements into engineering controls that run on their own.

Static analysis · OWASP Top 10 · AppExchange security review · SOC 2 · ISO 27001 · HIPAA · DevSecOps · Salesforce Shield · LLM security · AI guardrails
Why us

Security work that survives code review.

Three things that set our Application Security practice apart.

Craftsmanship matters more than ever. I ported PMD to Apex in 2014 because other people's code made me unhappy. Now AI writes most of it, but the quality has only slightly improved. Deterministic rules are the only honest reviewer left in the room.

01

We wrote the rules engine the rest of Salesforce uses

Robert Sösemann, Salesforce MVP and Aquiva's AI Lead, ported PMD to Apex. It's the static-analysis core inside Salesforce Code Analyzer today. When your codebase has to pass a security review, AppExchange or otherwise, you want the people who shaped the tooling, not the people who learned it last quarter.

02

AppExchange security review is the day job

We've shepherded ISVs through the AppExchange security review process for ten years: pre-review audits, remediation cycles, post-submission hardening, and the operational discipline to keep listings clean across every Salesforce release. See Product Development for the full ISV journey we run around the review.

03

Engineers, not auditors

We do security work that survives code review, not security work bolted on as compliance paperwork. The same engineers who build the code review the code. Findings ship as PRs, not as PDFs.

Flagship · AppExchange security review

From pre-review audit to post-review hardening.

The AppExchange security review is where most ISV roadmaps stall. We've been through it enough times to know what each reviewer looks for, and we run the whole arc, from the pre-review audit to the controls that survive every release after.

Stage 01

Pre-review audit

Codebase walkthrough, dependency audit, secret scan, OWASP-pattern review, packaging hygiene check. Build the punch list before submission.

  • Line-by-line code walkthrough on the patterns the reviewers flag
  • Dependency audit and CVE triage
  • Secret-scan across history and CI artifacts
  • Packaging, namespace, and metadata hygiene
  • Prioritized findings with effort estimates

Stage 02

Remediation

Findings prioritized by risk and submission impact. Same engineers who found them write the fix-forward PRs. Branch hygiene maintained so the listing keeps shipping.

  • Risk-and-impact prioritized backlog
  • PR-based remediation, not advisory memos
  • Regression tests on the flows we touched
  • Branch and release hygiene preserved
  • Customer-zero install rehearsals

Stage 03

Packaging & submission

Final scratch-org rehearsals, evidence packaging, security review submission materials, and the demo orgs the reviewers need. The submission is reviewable, not aspirational.

  • Final scratch-org and sandbox rehearsals
  • Evidence package and reviewer-facing notes
  • Test orgs provisioned for the review team
  • Submission narrative and architecture context
  • Rollback path documented and rehearsed

Stage 04

Review response

Direct Q&A with the Salesforce security review team, evidence follow-ups, and fast-cycle remediation when findings come back. We've been through this enough times to know what each reviewer is looking for.

  • Direct reviewer Q&A and clarification
  • Evidence follow-ups and supplementary materials
  • Fast-cycle remediation for returned findings
  • Architecture explanations the review team trusts
  • Resubmission with the diff highlighted

Stage 05

Post-review hardening

Sustain across releases. Re-review prep on schedule. The controls that ship with the listing stay updated as the platform evolves.

  • Release-cycle security regression coverage
  • PMD rulesets maintained against new patterns
  • Re-review scheduling and prep cycles
  • Customer-reported security issue triage
  • Controls updated against platform evolution

What we do

From line-by-line review to compliance as code.

Five capability areas: code review, pipeline hardening, identity, compliance, and AI security. They cover the surface area where modern applications get breached.

Code-level security review

Line-by-line analysis of your application code for vulnerabilities, misconfigurations, and architectural weaknesses. We don't just scan; we read. Data-layer controls and lineage live on Data & Integrations.

Vulnerability assessment

OWASP Top 10, injection patterns, auth flaws, and business logic vulnerabilities.

Dependency audit

Third-party library analysis, CVE tracking, license compliance, and supply chain risk.

Secrets & config

Hardcoded credentials, exposed API keys, insecure defaults, and environment hygiene.

Remediation roadmap

Prioritized findings, effort estimates, risk scoring, and fix-forward recommendations.

DevSecOps & CI/CD

Security baked into every stage of the development pipeline, from commit to production. Shift left without slowing down.

Pipeline design

GitHub Actions, GitLab CI, Jenkins, and Azure DevOps. Build, test, scan, deploy.

SAST & DAST

Static and dynamic analysis integration, policy gates, and automated triage workflows.

Container security

Image scanning, runtime protection, registry policies, and Kubernetes admission control.

Infrastructure as code

Terraform, Pulumi, CloudFormation. Versioned, reviewed, and policy-compliant infrastructure.

Identity & access

Authentication, authorization, and access control across applications and platforms. The boundary where most breaches start.

Auth design

OAuth 2, OIDC, SAML, SSO integration, MFA, and passwordless flows.

Authorization model

Role-based and attribute-based access control, fine-grained permissions, and least-privilege enforcement.

Identity federation

Salesforce, Azure AD, Okta, and cross-platform identity bridging with consistent claims and sessions.

Session & credential hygiene

Token rotation, refresh strategy, credential vaulting, and exposed-secret remediation.

Compliance engineering

Turning regulatory requirements into automated, auditable engineering controls. Compliance as code, not compliance as paperwork. The data protection side of compliance lives on Data & Integrations.

SOC 2 & ISO 27001

Control implementation, evidence collection automation, and continuous compliance monitoring.

HIPAA & PCI-DSS

Data handling controls, encryption requirements, access logging, and breach notification workflows.

Audit readiness

Pre-audit assessments, gap analysis, evidence packaging, and auditor liaison support.

Policy automation

Policy-as-code frameworks, automated enforcement, exception tracking, and attestation workflows.

AI & LLM security

Securing AI-powered applications from prompt to production. Prompt injection testing, RAG pipeline hardening, agentic AI guardrails, and continuous monitoring for models that touch real data.

Prompt injection testing

Adversarial prompt testing, jailbreak assessment, input sanitization validation, and injection defense patterns.

RAG security assessment

Retrieval pipeline audit, data poisoning analysis, context window leakage, grounding verification, and source attribution integrity.

Agentic AI security

Tool-use permission boundaries, action guardrails, escalation path validation, and multi-agent trust models.

AI guardrails & monitoring

Output filtering, toxicity detection, PII leakage prevention, drift monitoring, and cost-anomaly alerting for production AI systems.

Let's secure it

Find the risk. Shrink the surface. Ship with confidence.

Most security teams find problems after they're in production. Ours find them before.

See how we work