What are the security review requirements for CTI integrations and their technology stacks?
Answer
The security review requirements for CTI integrations and their technology stacks include:
1. **Adherence to Salesforce Security Standards**: The integration must comply with Salesforce's security guidelines and standards.
2. **Authentication Credentials and API Documentation**: You need to submit authentication credentials and API documentation for any third-party integrations.
3. **Secure Storage of API Keys**: API keys used for authentication must be stored securely, such as in protected custom settings.
4. **Secure Coding Practices**: Ensure the code follows secure coding standards and practices to prevent vulnerabilities.
5. **Sensitive Data Handling**: Any sensitive data, like payment information, must be handled in compliance with relevant standards such as PCI.
6. **Automated Security Tools**: Run automated security tools to identify and address security issues, and mark false positives where applicable.
If you need more specific guidance or have additional questions about these requirements, feel free to ask!
What are the security review requirements for CTI integrations and their technology stacks?
Recommended Answer Update
The security review requirements for CTI integrations and their technology stacks include:
1. **Adherence to Salesforce Security Standards**: The integration must comply with Salesforce's security guidelines and standards.
2. **Authentication Credentials and API Documentation**: You need to submit authentication credentials and API documentation for any third-party integrations.
3. **Secure Storage of API Keys**: API keys used for authentication must be stored securely using Named Credentials or Protected Custom Settings, not hardcoded in your code.
4. **Secure Coding Practices**: Ensure the code follows secure coding standards and practices to prevent vulnerabilities.
5. **Sensitive Data Handling**: Any sensitive data, like payment information, must be handled in compliance with relevant standards such as PCI.
6. **Automated Security Tools**: Run automated security tools to identify and address security issues, and mark false positives where applicable.
If you need more specific guidance or have additional questions about these requirements, feel free to ask!
Reasoning
The FAQ content is largely accurate, but point #3 needed to be more specific about secure storage methods. The original text mentioned 'protected custom settings', which is valid but incomplete: Named Credentials are the preferred modern approach for storing authentication credentials, because the platform holds the secret and the endpoint and injects the authorization at callout time, so the key never appears in Apex source. The update names both Named Credentials and Protected Custom Settings and states explicitly that credentials must not be hardcoded, which aligns with the security review's automated checks and with security best practices.
Security rules selected:
- ApexSuggestUsingNamedCred: Directly relates to point #3 about secure storage of API keys, as this rule suggests using Named Credentials for authentication
- AvoidHardcodedCredentialsInFieldDecls: Relates to point #3's emphasis on secure storage, as CTI integrations must avoid hardcoding credentials in field declarations
- AvoidHardcodedCredentialsInVarDecls: Relates to point #3's secure storage requirement, as credentials shouldn't be hardcoded in variable declarations
- AvoidHardcodedCredentialsInVarAssign: Relates to point #3's secure storage guidance, as credentials shouldn't be hardcoded in variable assignments
- AvoidHardcodedCredentialsInHttpHeader: Directly applies to CTI integrations that make HTTP calls with authentication headers
- ApexInsecureEndpoint: Relates to point #1 about security standards and point #4 about secure coding practices for API endpoints
- UseHttpsCallbackUrlConnectedApp: Applies to CTI integrations that use Connected Apps for OAuth flows
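The following is an added illustration, not code from the FAQ or from Salesforce, of what the rules above flag and what the recommended fix looks like in Apex. It shows one CTI callout written three ways in a single class: a version that trips the hardcoded-credential and insecure-endpoint rules, a version using a Named Credential, and a version using a protected custom setting for cases where a Named Credential cannot be used. The Named Credential name `CTI_Provider`, the host `cti.example.com`, the custom setting `CtiSettings__c` with field `ApiKey__c`, and the method names are assumptions for the example. `UseHttpsCallbackUrlConnectedApp` is not shown because the callback URL is Connected App metadata, not Apex.

```apex
// Added example (not from the FAQ or Salesforce). Assumed names: CTI_Provider
// (Named Credential), cti.example.com, CtiSettings__c.ApiKey__c (protected
// hierarchy custom setting). One class so it compiles as a single .cls file.
public with sharing class CtiCallout {

    public class ConfigException extends Exception {}

    // BEFORE: what the security review's automated rules flag.
    // AvoidHardcodedCredentialsInFieldDecls: the secret is compiled into the
    // class and copied into every repo clone and sandbox.
    private static final String API_KEY = 'sk_live_REDACTED';

    public static HttpResponse fetchInsecure(String callId) {
        HttpRequest req = new HttpRequest();
        // ApexInsecureEndpoint: plaintext http sends the bearer token in the clear.
        req.setEndpoint('http://cti.example.com/calls/' + callId);
        req.setMethod('GET');
        // AvoidHardcodedCredentialsInHttpHeader: literal secret placed in a header.
        req.setHeader('Authorization', 'Bearer ' + API_KEY);
        return new Http().send(req);
    }

    // AFTER (preferred): ApexSuggestUsingNamedCred. The Named Credential holds
    // the HTTPS base URL and the secret; Apex never sees the key.
    public static HttpResponse fetchViaNamedCredential(String callId) {
        HttpRequest req = new HttpRequest();
        // The callout: scheme resolves host and auth from CTI_Provider, and the
        // platform injects the Authorization header at send time. The path
        // segment is URL-encoded so a caller cannot alter the request path.
        req.setEndpoint('callout:CTI_Provider/calls/'
            + EncodingUtil.urlEncode(callId, 'UTF-8'));
        req.setMethod('GET');
        req.setTimeout(10000);
        // If the provider wants a custom header instead of Basic/OAuth, use the
        // credential merge field rather than a literal (the Named Credential
        // must have "Allow Merge Fields in HTTP Header" enabled):
        // req.setHeader('X-Api-Key', '{!$Credential.Password}');
        return new Http().send(req);
    }

    // AFTER (alternative): protected custom setting. An admin sets the value in
    // Setup; in a managed package it is hidden from subscriber orgs; the key is
    // read at runtime instead of being compiled into the class.
    public static HttpResponse fetchViaProtectedSetting(String callId) {
        CtiSettings__c cfg = CtiSettings__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.ApiKey__c)) {
            // Fail closed with a clear message rather than calling out unauthenticated.
            throw new ConfigException('CTI API key is not configured');
        }
        HttpRequest req = new HttpRequest();
        // HTTPS only: the Remote Site Setting for cti.example.com should also be https.
        req.setEndpoint('https://cti.example.com/calls/'
            + EncodingUtil.urlEncode(callId, 'UTF-8'));
        req.setMethod('GET');
        req.setTimeout(10000);
        req.setHeader('Authorization', 'Bearer ' + cfg.ApiKey__c);
        return new Http().send(req);
    }
}
```

Before submitting for review, run Salesforce Code Analyzer over the package with its security rules enabled; the insecure method above is there to confirm the scanner reports the listed rules, and it should be deleted before the package ships. Any remaining finding must be either fixed or documented as a false positive with a justification the reviewer can check.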