FAQ-000544 - Custom Settings and Configuration Security / Specific Use Cases and Implementation Patterns


Current FAQ

Question
What are the security requirements for credential management in custom settings during installation?
Answer
For credential management in custom settings during installation, follow these security requirements:

1. **Use Protected Custom Settings**: Store sensitive data such as credentials in protected custom settings to prevent unauthorized access.
2. **Custom UI for Input**: Since protected custom settings lack a built-in user interface, create a custom UI using Visualforce, Aura, or LWC for users to input and manage credentials.
3. **Implement CRUD/FLS Checks**: Ensure your Apex code includes proper CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) checks to validate user permissions when accessing or updating these settings.

These practices help ensure secure credential management.

AI Recommended Enhancement

Related Security Rules
- ApexCRUDViolation
- ApexSuggestUsingNamedCred
- ProtectSensitiveData
Question
What are the security requirements for credential management in custom settings during installation?
Recommended Answer Update
For credential management in custom settings during installation, follow these security requirements:

1. **Use Protected Custom Settings**: Store sensitive data such as credentials in protected custom settings to prevent unauthorized access.
2. **Custom UI for Input**: Since protected custom settings lack a built-in user interface, create a custom UI using Visualforce, Aura, or LWC for users to input and manage credentials.
3. **Implement CRUD/FLS Checks**: Ensure your Apex code includes proper CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) checks to validate user permissions when accessing or updating these settings.

These practices help ensure secure credential management and compliance with AppExchange security requirements.
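The controller behind the custom UI described in points 2 and 3 of the answer (and of the original FAQ above), as an added example that is not part of this FAQ or of any Salesforce sample code. It assumes a hypothetical protected list custom setting `Integration_Credential__c` with the fields `Endpoint__c` and `Api_Key__c`; the object-level CRUD and field-level FLS checks run before every write and read, and the read path never returns the stored secret to the client.

```apex
// Added example. Integration_Credential__c, Endpoint__c and Api_Key__c are assumed
// names for a protected list custom setting and its fields, not real package objects.
public with sharing class CredentialSettingsController {

    public class CredentialAccessException extends Exception {}

    @AuraEnabled
    public static void saveCredential(String name, String endpoint, String apiKey) {
        // Object-level CRUD check: the running user must be allowed to create and
        // update the setting, regardless of what the UI lets them click.
        Schema.DescribeSObjectResult d = Integration_Credential__c.SObjectType.getDescribe();
        if (!d.isCreateable() || !d.isUpdateable()) {
            throw new CredentialAccessException('No create/update permission on Integration_Credential__c');
        }
        // Field-level security check: every field we write must be editable for this user.
        if (!Schema.SObjectType.Integration_Credential__c.fields.Endpoint__c.isUpdateable()
            || !Schema.SObjectType.Integration_Credential__c.fields.Api_Key__c.isUpdateable()) {
            throw new CredentialAccessException('No edit permission on credential fields');
        }
        // Reuse the existing record for this name so a re-run of the install UI
        // updates rather than duplicates the credential.
        List<Integration_Credential__c> existing = [
            SELECT Id FROM Integration_Credential__c WHERE Name = :name LIMIT 1
        ];
        Integration_Credential__c rec = existing.isEmpty()
            ? new Integration_Credential__c(Name = name)
            : existing[0];
        rec.Endpoint__c = endpoint;
        rec.Api_Key__c = apiKey;
        upsert rec;
    }

    // Read-back for the settings page: exposes only the endpoint, never Api_Key__c,
    // so the secret cannot be pulled out through the UI once it has been stored.
    @AuraEnabled(cacheable=true)
    public static String getEndpoint(String name) {
        Schema.DescribeSObjectResult d = Integration_Credential__c.SObjectType.getDescribe();
        if (!d.isAccessible()
            || !Schema.SObjectType.Integration_Credential__c.fields.Endpoint__c.isAccessible()) {
            throw new CredentialAccessException('No read permission on Integration_Credential__c.Endpoint__c');
        }
        Integration_Credential__c rec = Integration_Credential__c.getInstance(name);
        return rec == null ? null : rec.Endpoint__c;
    }
}
```

The same FLS checks can be expressed with `Security.stripInaccessible(AccessType.UPDATABLE, records)` before the DML; the explicit describe calls are used here because they fail loudly instead of silently dropping a field the user cannot edit.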
Reasoning
The FAQ content is generally well-structured and accurate, so minimal changes were made to preserve the existing quality. The main update was adding "and compliance with AppExchange security requirements" to better align with the security review context without changing the core content.

Security rules selected:

1. **ApexCRUDViolation** - This rule directly relates to the FAQ's third point about implementing "CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) checks" in Apex code. The FAQ explicitly mentions validating user permissions when accessing or updating custom settings, which is exactly what this rule enforces.
2. **ApexSuggestUsingNamedCred** - This rule is relevant to the overall topic of credential management discussed throughout the FAQ. While the FAQ focuses on custom settings for credential storage, this rule provides guidance on proper credential handling practices that complement the FAQ's advice.
3. **ProtectSensitiveData** - This rule directly applies to the FAQ's first point about storing "sensitive data like credentials in protected custom settings." The FAQ is specifically about protecting credential data during installation, which aligns with this rule's purpose of ensuring sensitive data protection.