FAQ-000407 - Complex Architecture and Multi-Platform Security Review / Composite Application Security Review Preparation


Current FAQ

Question
How should composite applications with external integrations be prepared for security review?
Answer
To prepare composite applications with external integrations for security review, follow these steps:

1. **Access and Components**: Provide access to all environments, packages, and external components, including web applications, services, client/mobile apps, and any Apex or Visualforce in the solution.
2. **Security Scans**: Submit security scan reports, such as Dynamic Application Security Test (DAST) reports, and document any false positives with explanations.
3. **Permissions**: Enforce CRUD/FLS permissions, especially for custom objects and protected custom settings. Use "user mode" and proper permission sets for access control.
4. **Testing**: Conduct thorough testing using manual methods and automated security scanners. Include all external endpoints that operate independently of Salesforce.
5. **Authentication**: Provide URLs and login credentials for components requiring authentication. If third-party SSO providers are used, ensure their security is reviewed.
6. **Vulnerability Mitigation**: Address common vulnerabilities like CSRF, XSS, and insecure data storage. Follow secure coding practices and the security review guide.
7. **Tools**: Use tools like Salesforce Code Analyzer and Source Code Scanner from the Partner Security Portal to identify and fix vulnerabilities.
8. **Documentation**: Include detailed solution documentation, security policies, and any required credentials or installation links for external components.

By adhering to these guidelines, your composite application will be well-prepared for the security review process.

AI Recommended Enhancement

Related Security Rules

- ApexCRUDViolation
- ApexSharingViolations
- ApexCSRF
- ApexXSSFromEscapeFalse
- ApexXSSFromURLParam
- ApexSOQLInjection
- ApexBadCrypto
- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- VfCsrf
- VfUnescapeEl
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidInsecureHttpRemoteSiteSetting
Question
How should composite applications with external integrations be prepared for security review?
Recommended Answer Update
To prepare composite applications with external integrations for security review, follow these steps:

1. **Access and Components**: Provide access to all environments, packages, and external components, including web applications, services, client/mobile apps, and any Apex or Visualforce in the solution.
2. **Security Scans**: Submit security scan reports, such as Dynamic Application Security Test (DAST) reports, and document any false positives with explanations.
3. **Permissions**: Enforce CRUD/FLS permissions, especially for custom objects and protected custom settings. Use "WITH USER_MODE" for SOQL queries and "AccessLevel.USER_MODE" for Database methods to automatically enforce permissions with less code. Manual permission checks remain valid alternatives.
4. **Testing**: Conduct thorough testing using manual methods and automated security scanners. Include all external endpoints that operate independently of Salesforce.
5. **Authentication**: Provide URLs and login credentials for components requiring authentication. If third-party SSO providers are used, ensure their security is reviewed.
6. **Vulnerability Mitigation**: Address common vulnerabilities like CSRF, XSS, and insecure data storage. Follow secure coding practices and the security review guide.
7. **Tools**: Use tools like Salesforce Code Analyzer and Source Code Scanner from the Partner Security Portal to identify and fix vulnerabilities.
8. **Documentation**: Include detailed solution documentation, security policies, and any required credentials or installation links for external components.

By adhering to these guidelines, your composite application will be well-prepared for the security review process.
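The permission-enforcement options from point 3, shown side by side in an added Apex example that is not part of this FAQ: `WITH USER_MODE` on a SOQL query, `AccessLevel.USER_MODE` on a `Database` DML method, and the manual describe-based CRUD/FLS check that remains a valid alternative. The custom object `External_Sync__c` and its fields are assumed names for a composite app's integration records.

```apex
// Added example (not from the FAQ). Object and field names are assumed.
public with sharing class IntegrationRecordService {

    // Modern SOQL approach: WITH USER_MODE makes the platform enforce
    // object and field permissions (plus sharing) for the running user.
    // A user lacking read access to a selected field gets a QueryException
    // instead of silently receiving the data.
    public static List<External_Sync__c> readPending() {
        return [
            SELECT Id, External_Id__c, Status__c
            FROM External_Sync__c
            WHERE Status__c = 'Pending'
            WITH USER_MODE
        ];
    }

    // Modern DML approach: AccessLevel.USER_MODE enforces create permission
    // on the object and each written field, so no describe calls are needed.
    // allOrNone=false returns per-record results for partial failures.
    public static Database.SaveResult[] createSyncRecords(List<External_Sync__c> recs) {
        return Database.insert(recs, false, AccessLevel.USER_MODE);
    }

    // Legacy but still valid alternative: explicit CRUD/FLS checks before
    // DML. Every object and every field being written must be checked.
    public static void updateStatusWithManualChecks(List<External_Sync__c> recs) {
        if (!External_Sync__c.sObjectType.getDescribe().isUpdateable()
            || !Schema.sObjectType.External_Sync__c.fields.Status__c.isUpdateable()) {
            throw new System.NoAccessException();
        }
        update recs;
    }
}
```

A security reviewer running Code Analyzer will flag the manual path with ApexCRUDViolation only if a written object or field is missed, while the two USER_MODE paths satisfy the rule without per-field describe code.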
Reasoning
The main update needed was in point 3 about permissions enforcement. The original answer mentioned 'user mode' and proper permission sets but didn't clearly reference the modern Salesforce features for permission enforcement. I updated this to lead with the modern approaches (WITH USER_MODE for SOQL and AccessLevel.USER_MODE for Database methods) while clarifying that manual permission checks remain valid, following the FAQ review guidelines about prioritizing modern features over legacy approaches. All other content was preserved as it accurately covers the comprehensive requirements for composite application security review preparation.

For the selected security rules, each relates directly to the FAQ content:

- ApexCRUDViolation and ApexSharingViolations relate to the CRUD/FLS permissions discussion in point 3.
- ApexCSRF and VfCsrf relate to the CSRF vulnerability mitigation mentioned in point 6.
- ApexXSSFromEscapeFalse, ApexXSSFromURLParam, and VfUnescapeEl relate to the XSS vulnerability mitigation in point 6.
- ApexSOQLInjection relates to secure coding practices mentioned in point 6.
- ApexBadCrypto relates to insecure data storage mitigation in point 6.
- ApexInsecureEndpoint and AvoidInsecureHttpRemoteSiteSetting relate to external integrations and endpoints mentioned throughout.
- ApexSuggestUsingNamedCred relates to authentication and secure credential handling in point 5.
- AvoidHardcodedCredentialsInFieldDecls and AvoidHardcodedCredentialsInVarDecls relate to the secure coding practices and credential management discussed in points 5 and 6.