FAQ-000499 - Custom Settings and Configuration Security / Protected Custom Settings Security Requirements and Best Practices

An application might be flagged for "Insecure Storage of Sensitive Data" even when using Protected Custom Settings if secure storage practices aren't fully followed. For instance: - Sensitive data isn't encrypted before storage. - The encryption key isn't securely stored in a separate protected custom setting or metadata field. - Access controls are improperly configured, or access to the protected settings isn't adequately restricted. To avoid this, ensure all recommended security measures are implemented correctly.

The FAQ content is accurate and well-structured, covering the key scenarios where Protected Custom Settings might still trigger insecure storage flags. Only minor formatting improvements were made to enhance readability by removing excessive bullet point formatting while preserving all original points and information. Regarding security rules: - ApexBadCrypto is directly relevant because the FAQ discusses encryption practices, specifically mentioning "sensitive data isn't encrypted before storage" and "encryption key isn't securely stored." This rule detects weak cryptographic practices in Apex code, which would flag the exact scenarios the FAQ describes. - ProtectSensitiveData is highly relevant as it specifically focuses on protecting sensitive data storage, which is the core topic of this FAQ. The rule would flag applications that don't properly protect sensitive information even when using Protected Custom Settings, matching the FAQ's explanation of why applications might still be flagged despite using these settings.