FAQ-000463 - Custom Settings and Configuration Security / Custom Metadata Security and Visibility Management

Current Status: VALID_RESPONSE | Error | Unable to Answer | Suggests Case

Current FAQ

Question
Why might protected custom metadata fields be considered insufficient for storing sensitive data during security review?
Answer
Protected custom metadata fields might be considered insufficient for storing sensitive data during security review because they can be accessed and modified by the org admin and other packages or untrusted code within the subscriber org. This lack of isolation and control over access makes them unsuitable for securely storing sensitive information. In contrast, protected custom settings offer better isolation and control over sensitive data. Additionally, protected custom settings lack built-in GUI interfaces, requiring custom code for updates, which enhances security by limiting access to authorized users only. However, when implemented correctly with proper permissions and encryption, storing secrets in Protected Custom Metadata records can be a secure and compliant method for storing third-party service credentials.

AI Recommended Enhancement

Related Security Rules
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- ProtectSensitiveData
Question
Why might protected custom metadata fields be considered insufficient for storing sensitive data during security review?
Recommended Answer Update
Protected custom metadata fields might be considered insufficient for storing sensitive data during security review because they can be accessed and modified by the org admin and other packages or untrusted code within the subscriber org. This lack of isolation and control over access makes them unsuitable for securely storing sensitive information. In contrast, protected custom settings offer better isolation and control over sensitive data. Additionally, protected custom settings lack built-in GUI interfaces, requiring custom code for updates, which enhances security by limiting access to authorized users only. However, when implemented correctly with proper permissions and encryption, storing secrets in Protected Custom Metadata records can be a secure and compliant method for storing third-party service credentials. For the highest security, consider using Named Credentials, which provide built-in credential management and are specifically designed for storing authentication information for external services.
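The storage options this answer compares, as an added Apex example (not part of the original FAQ and not Salesforce-provided code): a hardcoded key, a key read from a protected custom setting, and a Named Credential callout. The names `Billing_Service`, `Billing_Config__c`, `Api_Key__c` and `billing.example.com` are assumptions made for illustration.

```apex
// Added illustration. Billing_Service, Billing_Config__c, Api_Key__c and
// billing.example.com are hypothetical names, not taken from the FAQ.
public with sharing class BillingClient {
    public class BillingConfigException extends Exception {}

    // 1) Pattern the AvoidHardcodedCredentials* rule names refer to: a secret
    //    literal in a field declaration ships in source, identical in every org.
    private static final String API_KEY = 'CONSTRUCTED-PLACEHOLDER';

    public static HttpResponse getInvoiceHardcoded(String invoiceId) {
        HttpRequest req = buildGet('https://billing.example.com', invoiceId);
        req.setHeader('Authorization', 'Bearer ' + API_KEY);
        return new Http().send(req);
    }

    // 2) Protected hierarchy custom setting: the key lives in org data, not in
    //    source, and has to be written by custom code since there is no
    //    built-in GUI for it. The code fails closed if nothing is configured.
    public static HttpResponse getInvoiceFromSetting(String invoiceId) {
        Billing_Config__c cfg = Billing_Config__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.Api_Key__c)) {
            throw new BillingConfigException('Billing API key is not configured');
        }
        HttpRequest req = buildGet('https://billing.example.com', invoiceId);
        req.setHeader('Authorization', 'Bearer ' + cfg.Api_Key__c);
        return new Http().send(req);
    }

    // 3) Named Credential: the endpoint and authentication are configured on
    //    the Billing_Service credential, and the platform applies them to the
    //    callout. Apex never reads the secret or sets an Authorization header.
    public static HttpResponse getInvoice(String invoiceId) {
        return new Http().send(buildGet('callout:Billing_Service', invoiceId));
    }

    // Shared request builder; the caller-supplied id is URL-encoded before it
    // is placed in the path.
    private static HttpRequest buildGet(String base, String invoiceId) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(base + '/v1/invoices/' +
                        EncodingUtil.urlEncode(invoiceId, 'UTF-8'));
        req.setMethod('GET');
        return req;
    }
}
```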
Reasoning
The FAQ content is accurate and well-structured, explaining the security considerations around protected custom metadata fields versus custom settings for sensitive data storage. The main improvement needed is adding a reference to Named Credentials as the preferred security practice for storing third-party service credentials.

I selected these security rules based on their direct relevance to the FAQ's content:

1. **ApexSuggestUsingNamedCred** - This rule is directly relevant because the FAQ discusses "storing third-party service credentials", which is exactly what Named Credentials are designed for. The FAQ should mention this as the preferred approach.
2. **AvoidHardcodedCredentialsInFieldDecls** - This rule relates to the FAQ's discussion of storing sensitive data in custom metadata fields, as it addresses avoiding hardcoded credentials in field declarations.
3. **AvoidHardcodedCredentialsInVarDecls** - This rule is relevant to the broader context of credential storage security that the FAQ addresses.
4. **AvoidHardcodedCredentialsInVarAssign** - This rule complements the credential storage security discussion in the FAQ.
5. **ProtectSensitiveData** - This rule directly aligns with the FAQ's core topic of "storing sensitive data" and the security considerations around different storage methods.

The recommended update adds a sentence about Named Credentials as the preferred approach for third-party service credentials, which aligns with the ApexSuggestUsingNamedCred rule while preserving all existing content and maintaining the same structure and detail level.
Reasoning References