FAQ-000690 - Data Storage and Encryption Security / Data Classification and Handling

Yes, access controls and data lifecycle policies can mitigate an "Insecure Storage" finding. These measures ensure sensitive data is stored securely and accessed only by authorized users. Recommended practices include: using protected custom settings or custom metadata for sensitive information like encryption keys, encrypting sensitive fields before storage using secure encryption methods, and defining clear data retention and deletion policies to minimize risks. These steps help address vulnerabilities related to insecure storage.

The main improvement needed was updating 'protected custom settings or metadata' to 'protected custom settings or custom metadata' for clarity and technical accuracy. The original phrasing was ambiguous about what type of metadata was being referenced. Custom metadata is the correct Salesforce feature alongside protected custom settings for securely storing configuration data. I also added 'using secure encryption methods' to emphasize the importance of proper encryption implementation. Regarding security rules selected: - ApexBadCrypto: Directly relates to the FAQ's mention of 'encrypting sensitive fields before storage' as this rule detects weak cryptographic implementations - ApexSuggestUsingNamedCred: Connects to 'using protected custom settings or custom metadata for sensitive information like encryption keys' as this rule promotes secure credential storage - AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign: All relate to the FAQ's recommendation about secure storage of 'sensitive information like encryption keys' by detecting hardcoded credentials in code - ProtectSensitiveData: Directly aligns with the overall theme of the FAQ about protecting sensitive data through proper storage practices and access controls