FAQ-000088 - API-Only Application Security Review / Security Scan Requirements


Current FAQ

Question
What are the security scan requirements for API-only applications, including determining the correct scan type and requirements for applications without exposed endpoints?
Answer
The security scan requirements for API-only applications vary based on the specific configuration.

### General Requirements

- For API-only applications, the security review does not require Source Code Scanner (Checkmarx) reports in all cases.
- You must still ensure that the application complies with the security review requirements, including addressing vulnerabilities and providing the necessary documentation.

### Applications Without Exposed Endpoints

- If your application does not expose any endpoints for Salesforce to call, you are not required to submit an external web application scan report.
- Make sure that all other security review requirements are fulfilled.

### API-Only Services on Platforms like AWS

- Provide security scan results from automated tools such as the Salesforce Code Analyzer and the Source Code Scanner (Checkmarx).
- The scans must cover every external endpoint that operates independently of the Salesforce platform.
- Document any false-positive security violations, with the justification for each.
- Ensure all code complies with Salesforce security guidelines.

### Determining the Correct Security Scan Type

For API-only applications whose endpoints are reachable outside Salesforce, the correct scan type is a Dynamic Application Security Testing (DAST) scan of those endpoints, using a tool such as Zed Attack Proxy (ZAP), Burp Suite, or another DAST scanner:

1. **Set Up the Scanner**: Configure your API client or browser to route traffic through the scanner's proxy so that it captures and analyzes the requests and responses.
2. **Exercise API Endpoints**: While the scanner is running, call every relevant API endpoint (each method and path) so that the scan covers the full attack surface; a proxy-based scanner only tests traffic it has seen, so an endpoint that is never exercised is not scanned.
3. **Generate a Report**: After the scan, export a comprehensive report that includes the scan date, the targeted endpoints, and the findings.

This process ensures that vulnerabilities in external endpoints are identified and addressed before submission.
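The three steps above, as an added example (not Salesforce or ZAP project code): a small Python script that drives the endpoint inventory through a running ZAP proxy and then reduces ZAP's exported JSON report to the items the submission must contain (scan date, targeted endpoints, findings, and the documented false positives). It assumes ZAP is listening as a proxy on 127.0.0.1:8080 (ZAP's default), that the export follows ZAP's traditional JSON report layout (site -> alerts -> instances), and that `BASE_URL`, `ENDPOINTS`, the sample report and the false-positive notes are constructed for illustration rather than taken from a real scan.

```python
"""Run the API-only DAST procedure against OWASP ZAP and build the submission summary.

Added example for this FAQ, not Salesforce or ZAP project code. Assumptions not stated
in the FAQ: ZAP is listening as a proxy on 127.0.0.1:8080 (its default) when main() runs,
the exported JSON follows ZAP's traditional report layout (site[] -> alerts[] -> instances[]),
and BASE_URL, ENDPOINTS, the sample report and the false-positive notes are constructed.
"""
import json
import urllib.error
import urllib.request
from collections import Counter

ZAP_PROXY = "http://127.0.0.1:8080"   # assumed ZAP listen address
BASE_URL = "https://api.example.test"  # hypothetical API-only service hosted outside Salesforce

# Step 2: every method/path the service exposes outside Salesforce. A proxy-based
# scanner only tests what it sees, so an endpoint missing here is an endpoint not scanned.
ENDPOINTS = [("GET", "/v1/records"), ("POST", "/v1/records"), ("GET", "/v1/records/42")]

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def exercise_endpoints(base_url, endpoints, proxy, token="REDACTED"):
    """Steps 1 and 2: send one authenticated request per endpoint through the ZAP proxy.

    ZAP's CA certificate must be trusted by this client for HTTPS targets. 4xx/5xx
    responses are still recorded by ZAP, so they are printed rather than raised.
    """
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    for method, path in endpoints:
        body = b'{"name": "scan-probe"}' if method == "POST" else None
        req = urllib.request.Request(
            base_url + path, data=body, method=method,
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        try:
            with opener.open(req, timeout=10) as resp:
                print(method, path, resp.status)
        except urllib.error.HTTPError as err:
            print(method, path, err.code)


def summarize_zap_report(report, false_positives=None):
    """Step 3: reduce ZAP's JSON report to what the review submission needs.

    false_positives maps (pluginid, uri) -> written justification. Every finding above
    Informational is either documented there or counted as open; nothing is dropped silently.
    """
    false_positives = false_positives or {}
    endpoints, by_risk, open_findings, documented = set(), Counter(), [], []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = RISK_NAMES.get(str(alert.get("riskcode")), "Unknown")
            for inst in alert.get("instances", []):
                endpoints.add((inst.get("method"), inst.get("uri")))
                by_risk[risk] += 1
                if risk == "Informational":
                    continue
                entry = {"name": alert.get("name"), "risk": risk, "cwe": alert.get("cweid"),
                         "method": inst.get("method"), "uri": inst.get("uri")}
                justification = false_positives.get((alert.get("pluginid"), inst.get("uri")))
                if justification:
                    documented.append({**entry, "justification": justification})
                else:
                    open_findings.append(entry)
    return {
        "scan_date": report.get("@generated"),
        "targeted_endpoints": sorted(endpoints),
        "findings_by_risk": dict(by_risk),
        "open_findings": open_findings,
        "documented_false_positives": documented,
        "ready_to_submit": not open_findings,
    }


# Constructed sample in ZAP's traditional JSON layout (not real scan output).
SAMPLE_REPORT = {
    "@version": "2.14.0", "@generated": "Tue, 4 Jun 2024 10:15:00",
    "site": [{"@name": BASE_URL, "@host": "api.example.test", "@port": "443", "@ssl": "true",
              "alerts": [
                  {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
                   "riskcode": "1", "cweid": "693",
                   "instances": [{"uri": BASE_URL + "/v1/records", "method": "GET"}]},
                  {"pluginid": "40018", "name": "SQL Injection", "riskcode": "3", "cweid": "89",
                   "instances": [{"uri": BASE_URL + "/v1/records/42", "method": "GET", "param": "id"}]},
                  {"pluginid": "10096", "name": "Timestamp Disclosure", "riskcode": "0", "cweid": "200",
                   "instances": [{"uri": BASE_URL + "/v1/records", "method": "POST"}]}]}],
}
# Constructed false-positive note; each entry must carry a reviewable justification.
FALSE_POSITIVES = {
    ("10021", BASE_URL + "/v1/records"): "JSON-only endpoint; no browser-renderable content to sniff",
}

if __name__ == "__main__":
    exercise_endpoints(BASE_URL, ENDPOINTS, ZAP_PROXY)  # needs a running ZAP; skip when only summarising
    with open("zap-report.json") as fh:  # e.g. exported with zap-api-scan.py ... -J zap-report.json
        print(json.dumps(summarize_zap_report(json.load(fh), FALSE_POSITIVES), indent=2))
```

On the sample report the summary lists the three exercised endpoints, counts one Low, one High and one Informational finding, records the header finding as a documented false positive, and leaves the SQL injection finding open, so `ready_to_submit` is false until it is fixed or justified. The false-positive map is keyed on plugin ID and URI deliberately: a justification written for one endpoint must not silently cover the same alert on another.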

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidInsecureHttpRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
- AvoidDisableProtocolSecurityRemoteSiteSetting
Reasoning
The FAQ content is technically accurate and comprehensive. I made minor improvements to make the language more conversational and direct by using contractions ('doesn't' instead of 'does not', 'you're' instead of 'you are') and slightly more natural phrasing, following the brand guidelines for conversational tone.

Regarding the related security rules selected:

- ApexInsecureEndpoint: This rule directly relates to the FAQ's discussion of scanning external endpoints and ensuring API security, specifically covering insecure HTTP endpoints in Apex code
- ApexSuggestUsingNamedCred: Relevant to the FAQ's emphasis on secure API configuration and following Salesforce security guidelines for external API calls
- AvoidInsecureHttpRemoteSiteSetting: Applies to the FAQ's discussion of external endpoints and API security requirements, covering Remote Site Settings security
- UseHttpsCallbackUrlConnectedApp: Related to the FAQ's coverage of API-only applications and secure endpoint configuration, specifically for Connected App security
- AvoidDisableProtocolSecurityRemoteSiteSetting: Connects to the FAQ's emphasis on maintaining security standards for external API endpoints and Remote Site Settings

These rules all relate to the core theme of the FAQ: ensuring secure configuration and scanning of API endpoints in applications that interact with external services.