Although building an AppExchange product is a huge opportunity, it’s far more than just writing good code. Many teams dive in thinking it’s just another build, only to face unexpected hurdles navigating Salesforce’s ISV program, passing security reviews, and keeping up with an evolving set of compliance and packaging requirements.
We’ve seen plenty of discussions on Reddit where developers talk about these hurdles. One user shared how becoming an ISV partner was just the beginning, followed by a long security review process that felt like an achievement in itself. Other users agreed, saying they underestimated the effort required to meet Salesforce’s compliance and technical standards.
But despite the complexity, launching an AppExchange app is worth it. As of early 2025, the marketplace hosts 5,661 apps from 3,541 developers, and engagement continues to grow as total reviews jumped from 71,212 to 74,294 in just seven months.
The real challenge lies in managing the process without losing control. Many first-time teams fall into the trap of scope creep, where new requirements keep piling up, and a simple idea turns into a never-ending build.
We know this process inside out. Our team has successfully developed and listed three custom solutions on AppExchange as well as supported multiple clients through smooth, efficient launches. In this article, we’ll share the key challenges to expect, and how to navigate them, so you can avoid common pitfalls and bring your product to market faster.
Success stories from our team and clients
Our approach to developing AppExchange products is built around offering quick, ready-to-use solutions for the most frequently requested functionalities, ensuring that users get the tools they need without delays or complexities. We’ve already launched successful in-house apps: CheckMyNumber, Tracky, and Cloud File Uploader, each designed to tackle specific business needs. Our apps have collectively amassed 78,391 installations on AppExchange, and we’re excited to continue expanding our product offerings, with more apps planned for the future.
Our Salesforce products are 100% native to the platform, meaning they integrate seamlessly into Salesforce environments. As a trusted Salesforce ISV partner, we are dedicated to delivering apps that are easy to manage, secure, and supported by our expert team.
Tracky: our app for simplifying the auditing process
When we set out to develop Tracky, our goal was simple: help businesses track every field value update without limitations. As a 100% native Salesforce app, Tracky offers a seamless way to monitor field changes, ensuring that compliance and data integrity are never compromised. This tool was designed to overcome the challenges businesses face with Salesforce’s default field history tracking, which has time constraints and storage limitations.
Tracky solves critical issues like:
- Data retention: Salesforce only keeps field history for 18 months, while Tracky offers unlimited data retention, so businesses never lose important historical data.
- The lack of robust reporting tools: Tracky provides detailed reporting and KPI measurements based on field changes.
- Customization: admins can easily select the fields and objects they want to track.
Companies can now track field changes without time limits, which enables long-term data visibility and more comprehensive reporting for confident, data-driven decisions.
Custom Salesforce SaaS solution for HRs and recruiters
When our team at Noltic partnered with The Gradient design agency, we knew we were on the cusp of something exciting for HR and recruitment professionals. Hire Genius, a custom Salesforce-based SaaS solution, was born out of the frustration HR teams experience when juggling multiple third-party tools to manage candidate data. By consolidating everything into one platform, we were able to tackle several key challenges faced by recruiters.
One of the biggest hurdles was fragmented data storage. Recruiters had to sift through LinkedIn, WhatsApp, SMS, and emails to manually compile candidate profiles. On top of that, the high cost of third-party integrations was draining valuable resources.
Our solution was a unified platform that integrated communication tools like Twilio and Nylas, making candidate data easy to access and manage in one place. We also added automation features, eliminating the manual effort that slows down hiring processes.
As a result, recruiters now enjoy comprehensive candidate profiles that include all communication logs and scheduling tools integrated directly within the platform. The Talent Pool feature speeds up candidate sourcing, and the Recruitment Journey Dashboard provides a clear overview of each hiring stage. Additionally, a Chrome extension ensures that users stay updated with the latest information.
Customizable barcode application
When Gimbal Logic approached us, they had a simple idea in mind: create a barcode app that could handle various business needs. What started as a basic 1D barcode generator quickly transformed into a powerful solution supporting both 1D and 2D barcodes. Our task was to build a tool that would integrate seamlessly with Salesforce and offer easy-to-use barcode scanning capabilities for users in industries like manufacturing, logistics, and events.
So, the challenge was to ensure that our solution would cater to diverse use cases. From inventory management to employee time tracking and event attendee management, Gimbal Logic needed a barcode app that could handle it all. Our team developed a solution that supports various barcode formats (like 128b, EAN-13, and UPC-A) and allows users to scan barcodes directly within Salesforce, whether through mobile devices or laser scanners like Zebra.
Today, Gimbal Logic’s barcode app is used by over 100 clients worldwide. The results speak for themselves—businesses now enjoy improved document control, efficient inventory management, and smooth event tracking. Plus, the barcode technology helps sync customer and supplier data seamlessly throughout the supply chain.
Salesforce AppExchange development challenges you may face
When you’re developing a Salesforce product for the first time, it’s easy to assume that the process is straightforward. After all, Salesforce champions its “Click, Not Code” philosophy, which sounds simple enough. However, the reality is far more complex. It’s not just about knowing Apex or Lightning components—you need to have a deep understanding of how the entire Salesforce ecosystem works. Let’s dive into some of the most common challenges that first-time developers face on the path to creating a successful AppExchange product.
Challenge #1: Scope Creep
One of the most common pitfalls in Salesforce development projects is scope creep, which can derail even the most well-intentioned projects, leading to budget overruns, missed deadlines, and compromised quality. Scope creep often happens when the project scope expands unexpectedly, frequently due to evolving business needs or a lack of clear communication. It’s easy to underestimate the effort that seemingly small enhancements will require, but before you know it, you’re on track to develop features for marketing, customer service, and finance—each with its own complex set of requirements.
How to mitigate:
"In my experience, scope creep can be avoided by investing time upfront in detailed requirements gathering. We always organize workshops with stakeholders, use user stories, create process flow diagrams, and get a firm grasp on the core needs", explains our CRO Vlad Petrovych.
To manage scope creep, we also recommend implementing a formal change management process. With this approach, you can ensure that any new requests are carefully evaluated for their impact on the project’s scope, budget, and timeline. Prioritize features based on business value and technical feasibility, making informed trade-offs when necessary.
Challenge #2: Security reviews
When you’re ready to list your app on AppExchange, passing the Salesforce security review can feel like a major hurdle. The review process is designed to ensure that your app doesn’t introduce security vulnerabilities, which can be a challenge, especially for new developers. Problems can arise from improper coding practices, insecure data storage, or insufficient authentication mechanisms.
How to mitigate:
"Security isn’t something you add at the end. It has to be part of how you build from day one. If you treat it as a side task, it will catch up with you later. But when it’s part of your development rhythm, the review becomes a formality, not a roadblock", says Vlad Petrovych.
Since this step is often the most challenging, we’ve put together some recommendations:
- Start security design early, don’t retrofit it later. Treat security as a foundational part of your architecture, not a post-build checklist. Map out your data access layers, session handling, and storage encryption strategy during system design—not just before submission.
- Use Salesforce’s official security review checklist from day one. Too many teams consult the checklist too late. Use it as your development baseline, not as a final check, so you don’t miss critical items like CRUD/FLS enforcement, cross-site scripting (XSS) prevention, and secure Apex best practices.
- Automate static code analysis continuously. Integrate tools like PMD, Checkmarx, or CodeScan into your CI/CD pipeline to catch issues in every commit. They are often what Salesforce uses during review, so aligning your process with theirs is a smart move.
- Conduct real-world penetration testing. Simulate real attack scenarios using OWASP Top 10 as a framework. Go beyond automated scans—test business logic abuse, API misuse, and access escalation paths. Salesforce reviewers will.
- Encrypt sensitive data, even if you think you don’t need to. Use Platform Encryption or AES-based methods to protect PII, credentials, and tokens—especially if you're storing or transmitting data outside the Salesforce platform.
- Audit your authentication and session logic. Ensure secure OAuth flows, implement strict token expiration, and avoid storing credentials in local storage or plain text. This is a frequent rejection trigger.
- Document your security controls clearly. Salesforce’s review team doesn’t just test, they read. Prepare detailed documentation on how you handle FLS enforcement, Apex security patterns, authentication flows, encryption, and data handling policies.
Challenge #3: Performance optimization
Salesforce is a multi-tenant platform, and this means that excessive customizations can negatively impact performance for all users. The challenge here lies in optimizing the performance of your app while balancing the functionality you need. Performance bottlenecks are often the result of inefficient SOQL queries, excessive DML operations, or poorly designed Lightning components.
How to mitigate:
“Performance is often treated as a tuning step at the end, but on Salesforce, you don’t have that luxury. We design for scalability from the start—this means writing SOQL queries with selective filters, minimizing synchronous DML, and structuring components to avoid unnecessary rerenders. Otherwise, performance debt grows fast and quietly,” explains Vlad Petrovych.
We always advise developers to stick to SOQL best practices, which means keeping queries selective, avoiding unnecessary nested queries, and making sure filters are properly indexed. For long-running processes, asynchronous execution like Queueable or Batch Apex helps maintain performance and stay within Salesforce limits. When working with Lightning components, keep things lightweight: reduce server calls, limit DOM updates, and use smart caching to keep the interface fast and smooth.
Challenge #4: Salesforce updates
Salesforce regularly releases updates three times a year, introducing new features, bug fixes, and, sometimes, breaking changes. For Salesforce app developers, this is both an opportunity and a challenge. Failing to prepare for these updates can lead to compatibility issues, broken customizations, and a poor user experience.
How to mitigate:
“Every Salesforce release brings changes that can impact your app, especially if you're relying on undocumented behavior or legacy APIs. Our internal process involves analyzing release notes within 48 hours, testing all critical paths in preview orgs, and updating our compatibility matrix. This way, clients are never caught off guard,” adds Vlad.
Take time to review Salesforce release notes carefully, as they often highlight changes that could affect your app. Updating your custom code and configurations in advance helps you stay compatible and avoid unexpected issues after the release.
Challenge #5: Governor limits in a multi-tenant environment
Developing an AppExchange app requires a deep understanding of Salesforce's governor limits, which are designed to ensure fair use of resources in the multi-tenant environment. If your app exceeds limits like CPU time, SOQL queries, DML operations, or others, it can negatively impact performance—not just for your app, but for other users as well.
AppExchange apps need to be highly optimized to avoid hitting these governor limits. Failing to do so can cause performance issues, app failures, and degraded user experiences, especially when processing large datasets.
How to mitigate:
"Governor limits are often seen as blockers, but they’re actually a blueprint for writing efficient code. We use them to guide architecture decisions—batching logic, bulking code, and offloading non-critical tasks to async processes. Treating limits as design input, not constraints, helps us build apps that scale and pass AppExchange reviews smoothly," says Vlad.
We suggest processing multiple records in a single transaction to minimize DML operations. You can write selective SOQL queries with proper filters and indexing, avoiding unnecessary "SELECT *" or "FOR UPDATE". Also, you can use caching mechanisms to store frequently accessed data, reducing the need for repeated SOQL queries.
Challenge #6: Secure coding practices & OWASP compliance
When developing apps for the AppExchange, security is a top priority. You must adhere to strict standards to protect customer data and prevent vulnerabilities, following the OWASP Top 10 guidelines to mitigate issues like SOQL injection, Cross-Site Scripting (XSS), and other common web vulnerabilities.
Secure coding practices are essential for avoiding common security risks. Not following these practices can lead to serious vulnerabilities that can compromise your app’s integrity and security. For example, an AppExchange app that dynamically constructs SOQL queries based on user input without proper sanitization becomes vulnerable to SOQL injection, allowing attackers to manipulate the queries to gain unauthorized access.
How to mitigate:
“OWASP isn’t a checklist—it’s a mindset. We train our developers to think in threat models and simulate abuse scenarios during code review. For example, every time we dynamically generate SOQL, we use strict input validation, and every user-facing field is reviewed for encoding needs. That’s what it takes to build secure apps on Salesforce,” suggests Vlad.
So, our advice is:
- Implement robust input validation to prevent malicious data from being processed.
- Use output encoding techniques to prevent XSS attacks.
- Use parameterized SOQL queries to avoid injection vulnerabilities.
- Perform security audits to identify and fix vulnerabilities early.
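The SOQL injection case described above, together with the CRUD/FLS enforcement item from the security review recommendations, as an added Apex example (not code from Noltic or Salesforce). The class and method names are hypothetical, and the test data is constructed:

```apex
// Added example. AccountSearchController and its method names are hypothetical.
public with sharing class AccountSearchController {

    // BEFORE (kept for contrast): user input is concatenated into the query text,
    // so a quote character in nameFragment ends the string literal and whatever
    // follows is parsed as SOQL. Database.query(String) also runs in system mode,
    // so no object or field permission check is applied.
    public static List<Account> searchUnsafe(String nameFragment) {
        String soql = 'SELECT Id, Name, Phone FROM Account WHERE Name LIKE \'%'
            + nameFragment + '%\'';
        return Database.query(soql);
    }

    // AFTER, static SOQL: the bind variable is passed as data and never parsed
    // as query text. WITH USER_MODE applies the running user's object and field
    // permissions (CRUD/FLS) and sharing rules to the query.
    public static List<Account> searchSafe(String nameFragment) {
        String likeValue = '%' + nameFragment + '%';
        return [
            SELECT Id, Name, Phone
            FROM Account
            WHERE Name LIKE :likeValue
            WITH USER_MODE
            LIMIT 200
        ];
    }

    // Identifiers such as a sort field cannot be bound, so they are checked
    // against a fixed allowlist instead of being escaped.
    private static final Set<String> SORTABLE_FIELDS =
        new Set<String>{ 'Name', 'CreatedDate' };

    // AFTER, dynamic SOQL: values go through a bind map, the identifier goes
    // through the allowlist, and the query runs in user mode.
    public static List<Account> searchSorted(String nameFragment, String sortField) {
        if (!SORTABLE_FIELDS.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field');
        }
        Map<String, Object> binds = new Map<String, Object>{
            'likeValue' => '%' + nameFragment + '%'
        };
        return Database.queryWithBinds(
            'SELECT Id, Name, Phone FROM Account WHERE Name LIKE :likeValue'
                + ' ORDER BY ' + sortField + ' LIMIT 200',
            binds,
            AccessLevel.USER_MODE
        );
    }
}

@IsTest
private class AccountSearchControllerTest {

    @IsTest
    static void quoteInInputIsTreatedAsData() {
        // Constructed sample record whose name contains an apostrophe.
        insert new Account(Name = 'O\'Brien Ltd');

        // Bound value: the apostrophe is matched literally.
        System.assertEquals(1, AccountSearchController.searchSafe('O\'Brien').size());
        System.assertEquals(1,
            AccountSearchController.searchSorted('O\'Brien', 'Name').size());

        // Concatenated value: the same input closes the string literal early
        // and the remaining text no longer parses as SOQL.
        Boolean unsafeFailed = false;
        try {
            AccountSearchController.searchUnsafe('O\'Brien');
        } catch (QueryException e) {
            unsafeFailed = true;
        }
        System.assert(unsafeFailed, 'input was parsed as query text');
    }

    @IsTest
    static void sortFieldOutsideAllowlistIsRejected() {
        Boolean rejected = false;
        try {
            AccountSearchController.searchSorted('Acme', 'Phone');
        } catch (IllegalArgumentException e) {
            rejected = true;
        }
        System.assert(rejected, 'sort field must come from the allowlist');
    }
}
```

The harmless apostrophe in the test makes the difference visible: input that reaches the query as text can change what the query says, while a bound value cannot.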
Challenge #7: Asynchronous processing limitations
Salesforce offers asynchronous processing methods like Batch Apex, Queueable Apex, and Future methods to handle long-running or resource-intensive tasks. However, each method has specific limitations, and choosing the wrong one can lead to performance issues or governor limit exceptions.
Developers must carefully choose the right asynchronous processing method based on the task’s requirements. Misusing these methods can result in incomplete data processing and performance issues.
For example, suppose an AppExchange app uses Future methods to process a complex data transformation on thousands of records. Future methods have a limit on the number of calls per transaction, so the job ends with incomplete data processing and errors.
How to mitigate:
“Asynchronous processing on Salesforce isn’t just about picking the right method—it’s about understanding how limits behave under load. We evaluate each use case for volume, chaining needs, and failure handling. Batch Apex is ideal for jobs over thousands of records, while Queueable Apex gives us control for task sequencing and retries,” adds Vlad.
- Use Batch Apex to process large datasets in smaller, manageable chunks.
- Use Queueable Apex for tasks requiring job chaining or managing dependencies between asynchronous jobs.
- Regularly monitor asynchronous jobs to identify errors or performance issues early.
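The Batch Apex alternative to the Future-method scenario above, which also shows the bulk DML advice from the governor limits challenge, as an added Apex example (not code from Noltic). The class name and the backfill task are hypothetical; only standard Contact and Account fields are used:

```apex
// Added example. ContactCountryBackfillBatch is a hypothetical class.
// It copies Account.BillingCountry into Contact.MailingCountry where the
// contact has no country yet. Calling a @future method once per record would
// stop at the per-transaction cap on future calls; a batch job splits the same
// work into chunks that each get their own governor limits.
public with sharing class ContactCountryBackfillBatch
        implements Database.Batchable<SObject>, Database.Stateful {

    // Database.Stateful keeps instance fields across execute() calls, so the
    // job can report totals in finish().
    private Integer updatedCount = 0;
    private Integer failedCount = 0;
    private List<String> firstErrors = new List<String>();

    public Database.QueryLocator start(Database.BatchableContext bc) {
        // One query defines the whole job; the platform pages through the
        // result and hands it to execute() in chunks.
        return Database.getQueryLocator([
            SELECT Id, MailingCountry, Account.BillingCountry
            FROM Contact
            WHERE MailingCountry = null
              AND Account.BillingCountry != null
        ]);
    }

    public void execute(Database.BatchableContext bc, List<Contact> scope) {
        // Build the changes in memory first: no SOQL or DML inside the loop.
        List<Contact> changes = new List<Contact>();
        for (Contact c : scope) {
            changes.add(new Contact(
                Id = c.Id,
                MailingCountry = c.Account.BillingCountry
            ));
        }

        // One DML statement per chunk. allOrNone = false keeps a single bad
        // record (for example one blocked by a validation rule) from rolling
        // back the rest of the chunk.
        List<Database.SaveResult> results = Database.update(changes, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (results[i].isSuccess()) {
                updatedCount++;
            } else {
                failedCount++;
                // Keep a bounded sample of errors so state stays small.
                if (firstErrors.size() < 20) {
                    firstErrors.add(changes[i].Id + ': '
                        + results[i].getErrors()[0].getMessage());
                }
            }
        }
    }

    public void finish(Database.BatchableContext bc) {
        // Surface the outcome so failures are noticed instead of silently
        // leaving records unprocessed.
        System.debug(LoggingLevel.INFO, 'Backfill finished: '
            + updatedCount + ' updated, ' + failedCount + ' failed');
        for (String err : firstErrors) {
            System.debug(LoggingLevel.WARN, err);
        }
    }
}

// Start the job with a chunk size of 200 records per execute() call:
// Id jobId = Database.executeBatch(new ContactCountryBackfillBatch(), 200);
```

The returned job Id can be looked up in AsyncApexJob to monitor status and the number of failed chunks.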
Challenge #8: Packaging and versioning complex metadata
Managing complex metadata like custom objects, fields, layouts, and Apex code is challenging, especially when dealing with multiple versions and customizations. Proper packaging and versioning are crucial for ensuring smooth upgrades and compatibility with different Salesforce orgs.
If an AppExchange app introduces a new custom object but doesn’t properly manage dependencies, users who have customized their data model experience issues during upgrades.
How to mitigate:
“Versioning isn’t just about tagging releases. On Salesforce, every metadata dependency—like object relationships, field-level security, or layout customizations—must be tracked to ensure compatibility. We use unlocked packages during development to isolate features and managed packages for deployment to enforce integrity, simplify upgrades, and protect customizations in client orgs,” explains Vlad.
- Use namespaces to prevent naming conflicts with existing Salesforce metadata.
- Leverage managed packages to control access to code and metadata and simplify upgrades.
- Carefully manage dependencies between components to avoid issues during upgrades.
Challenge #9: Handling AppExchange licensing and security
When developing for the AppExchange, licensing and security are critical. You must protect your intellectual property and ensure that unauthorized users cannot access your app's features.
Implementing robust licensing checks and security measures is essential for safeguarding your app and preventing unauthorized use or tampering.
How to mitigate:
“Licensing isn’t just a business requirement—it’s a technical guardrail. We integrate License Management App with feature flags in our code, enabling or disabling functionality based on license state. This gives us control, helps us comply with agreements, and ensures that only authorized users can access our tools,” adds Vlad.
- Use LMA to manage licenses, track usage, and enforce licensing policies.
- Apply code obfuscation techniques to make it more difficult for unauthorized users to reverse-engineer your app.
- Implement remote authentication to verify licenses with a central licensing server.
Four Salesforce tools to simplify your product development
Based on our extensive experience, we’ve found the following tools to be extremely useful for simplifying and enhancing the Salesforce new product development process. With these tools, you can automate processes, build custom interfaces, and handle complex business logic within the Salesforce platform.
Salesforce Flow
Salesforce Flow is a powerful and intuitive automation tool that allows users to automate business processes without needing to write code. It provides a visual builder (Flow Builder) that makes it easy to create and manage complex workflows by simply dragging and dropping elements. Here is what building apps with Flows looks like:
Automating processes
With Flow, you can automate a variety of processes, reducing human error and saving time. For example, you could automate routine tasks like creating records, sending confirmation emails, updating data, or triggering notifications. Automation is especially helpful for tasks like following up with clients, updating lead statuses, or creating tasks after a meeting is logged.
Guiding users
Salesforce Flow enables you to create screen flows, which are highly interactive guided processes for users. For instance, a customer service representative can be guided through a series of steps to resolve a client’s issue. Usually, it includes gathering information, presenting troubleshooting options, and even escalating the case if needed. By guiding users through a process step-by-step, you ensure a consistent and accurate experience every time.
Complex logic
Flows aren’t limited to simple task automation—they can handle complex logic. Using decisions, loops, and data manipulation within flows, you can set up business logic that would otherwise require custom coding. For example, you can use decision elements to route records to different paths based on conditions, such as assigning different sales teams based on the region or prioritizing high-value leads.
Think of building an app for sales reps that automates the entire lead follow-up process. Using a Screen Flow, you could walk the sales rep through gathering lead details, scheduling a follow-up call, and automatically updating the lead status in Salesforce without writing a single line of code.
Lightning Components
Lightning Components are reusable blocks of code that help you build modern, interactive, and dynamic user interfaces in Salesforce. They are built using standard web technologies such as HTML, CSS, and JavaScript and can be used to create anything from simple user interface elements to complex applications. Here is what you can do with Lightning Components:
Custom UIs
Salesforce offers standard user interfaces for most use cases, but sometimes, you need something unique to fit your company’s branding or specific business needs. Lightning Components allow you to design highly customized UIs that can match your branding and user experience requirements exactly. Whether you’re looking for a custom dashboard, an intuitive lead management tool, or a tailored data entry form, Lightning Components provide the flexibility to design exactly what you need.
Reusability
One of the greatest strengths of Lightning Components is reusability. You can build a component once and then use it in multiple places throughout your Salesforce environment. For example, a component displaying customer information could be used on multiple pages, such as account detail pages or custom dashboards, without having to rewrite or duplicate the code.
Integration
Lightning Components seamlessly integrate with Salesforce features like Salesforce Data and Apex controllers and can also communicate with external systems through APIs. For instance, you could integrate a Lightning Component with external data sources like CRM systems or payment processors to display relevant data or interact with external services, all within your Salesforce interface.
Let’s say you want to create a customer activity dashboard for account managers. Using Lightning Components, you can display key information like recent activities, calls, emails, and tasks, all in a dynamic, real-time interface. This consolidation can significantly improve user experience and provide easy access to important data.
Apex and Visualforce
Apex is Salesforce’s proprietary programming language, designed to run on the Salesforce platform. It’s a strongly typed, object-oriented language similar to Java. Visualforce is a markup language used to create custom user interfaces for Salesforce applications. Together, they allow you to extend the platform’s functionality far beyond what’s possible with Flow or Lightning Components alone. Here is how you can use them:
Complex business logic
While Flow is great for automating many processes, it’s not always capable of handling very complex business logic. This is where Apex shines. Apex allows developers to implement advanced features like multi-level approval processes, custom calculations, and batch processing that are too intricate for Flow. For example, you might need to calculate commissions based on complex rules or integrate custom approval workflows with specific conditions that Flow cannot handle.
Custom integrations
Not every system integrates easily with Salesforce using built-in connectors. With Apex, you can build custom integrations with external systems that are not supported out of the box, whether you’re pulling in data from an ERP system, sending data to a third-party service, or creating custom API endpoints for other systems to interact with your Salesforce instance.
Custom UIs
For highly tailored user interfaces, Visualforce allows you to create custom pages that can interact with Apex logic and display the data you need. Visualforce gives you full control over the layout and functionality of pages, including adding custom components and integrating them with Salesforce’s back end. For example, you might use Visualforce to create a custom approval page that allows users to approve or reject a request, including advanced business logic such as routing approvals based on multiple decision factors.
Salesforce Code Builder
Salesforce Code Builder is a cloud-based integrated development environment (IDE) that simplifies the development of custom Salesforce applications. Code Builder is designed to streamline the process of writing and testing code, offering advanced features such as code completion, syntax highlighting, and debugging tools, all within a user-friendly interface. Here are its benefits:
Simplified development
Code Builder provides a simplified, efficient development environment. With features like code completion and syntax highlighting, developers can write code faster, identify errors more easily, and improve the overall quality of their code. Whether you’re working on Apex, Lightning Components, or Visualforce, Code Builder helps make the coding process faster and more accurate.
Collaboration
With its cloud-based setup, Code Builder enables developers to collaborate more effectively. Team members can access the same environment, share code, and review each other's work in real time. This makes teamwork much easier, especially in distributed teams where multiple developers might be working on the same project at once.
Accessibility
Since Code Builder is web-based, it’s accessible from anywhere with an internet connection. This flexibility means developers can work from any location, whether they’re in the office, at home, or on the go, without having to worry about local IDE setups.
Why it’s better to approach PDO for developing your new product
While developing a Salesforce product in-house may seem cost-effective, it often leads to unforeseen challenges. Salesforce product development requires specialized skills in areas like Apex, Lightning Web Components, and customization—skills that not every in-house team has. A lack of Salesforce-centered expertise can result in poor code quality, delays, and unnecessary costs.
Salesforce product development outsourcers (PDOs) bring certified Salesforce experts: developers, architects, administrators, and consultants who specialize in managing the entire development lifecycle. Their experience helps ensure high-quality solutions that align with your business needs and Salesforce best practices.
By partnering with a PDO, you can avoid issues like scope creep, security vulnerabilities, and technical bottlenecks. Development outsourcing facilitates the development process, reducing delays and ensuring a faster time to market. PDOs also provide scalability and flexibility, allowing your product to evolve and grow with ease.
Additionally, PDOs have industry-specific experience, ensuring your product meets regulatory requirements and business challenges, whether in healthcare, finance, or other sectors. Outsourcing development to a PDO not only guarantees expertise but also helps you control costs and deliver a high-quality, scalable product.
Noltic is your trusted Salesforce product development partner
At Noltic, we specialize in crafting custom Salesforce solutions that are both robust and scalable. With extensive experience in Salesforce product development, our team of experts has successfully delivered tailored applications for industries like tech, finance, and logistics. Our focus is on optimizing workflows, automating processes, and creating solutions that drive business growth.
As a Crest ISV Partner and Summit Consulting Partner, we are recognized for our high level of expertise and commitment to excellence within the Salesforce ecosystem. Our team includes 10 certified Salesforce architects and over 400 Salesforce certifications, ensuring that we have the skills and knowledge to tackle any challenge. Additionally, we have earned a 4.9 rating on AppExchange, reflecting the satisfaction and trust of our clients.
We offer a full range of services, from app design and development to deployment and support. Our certified team ensures that every product is built to scale and aligned with industry-specific needs and Salesforce best practices.
FAQs
Why is Salesforce app development so complex?
Salesforce app development can be complex because it requires expertise across various areas, including Apex programming, Lightning Web Components, integration with external systems, and adhering to Salesforce's strict security and performance guidelines. Additionally, developing an app that seamlessly integrates with Salesforce's multi-tenant environment and handles large datasets efficiently requires deep knowledge of Salesforce's architecture and best practices. Proper testing, scalability, and compliance also add to the complexity.
What are the requirements for listing an app on the AppExchange?
To list an app on the AppExchange, it must pass a series of stringent requirements, including a Salesforce security review, ensuring that the app is secure and does not introduce vulnerabilities. The app also needs to adhere to Salesforce’s guidelines for performance, user experience, and design. Additionally, developers must ensure that their app is compliant with Salesforce's terms and conditions and provides necessary documentation and user support. After passing the security review, the app is ready for listing.
How do I market my Salesforce app on the AppExchange?
Marketing your app on the AppExchange involves several strategies. First, ensure that your listing is fully optimized, with a clear and detailed description, attractive screenshots, and customer reviews. You can also utilize AppExchange promotions and advertising options, including sponsored listings or email campaigns targeted to relevant Salesforce users. Building a strong presence on social media, engaging in Salesforce-related forums, and attending events like Dreamforce can also increase visibility and drive traffic to your listing.
Where can I find Salesforce developers?
Finding Salesforce developers can be done through various channels. You can search for Salesforce-certified professionals on platforms like LinkedIn, Upwork, or Toptal, or use Salesforce’s Talent Marketplace to find developers with expertise in specific areas. Additionally, attending Salesforce events like Dreamforce or joining Salesforce developer communities can help you connect with qualified professionals. Partnering with a Salesforce PDO is also an excellent option for accessing certified developers who specialize in custom Salesforce app development.