FAQ-000715 - Data Storage and Encryption Security / Secure Storage Best Practices


Current FAQ

Question
What are the recommended approaches for storing sensitive user information in managed packages?
Answer
The recommended approaches for storing sensitive user information in managed packages are:

1. **Protected Custom Settings**: Use protected custom settings to securely store sensitive data. This ensures encryption and prevents unauthorized access. You can create a custom UI (using Visualforce, Aura, or LWC) for subscribers to input and manage credentials securely.
2. **Protected Custom Metadata**: If custom metadata is preferred, ensure it is protected and used according to security guidelines. This is suitable for subscriber-owned secrets.
3. **Encryption**: Encrypt sensitive data using AES-128 or higher. Store the encryption key securely, such as in a protected custom setting or an inaccessible property file.
4. **Avoid Hard-Coding Secrets**: Do not hard-code sensitive information like API keys or passwords in your codebase. Use secure storage mechanisms instead.
5. **Access Restrictions**: Restrict access to classes handling sensitive data to admin users only. Implement proper CRUD/FLS checks to maintain data security.
6. **Avoid Dynamic SOQL**: Avoid using dynamic SOQL queries for sensitive data to prevent potential information disclosure.

These practices help ensure the security and integrity of sensitive user information in managed packages.

AI Recommended Enhancement

Related Security Rules

- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInHttpHeader
- ApexSuggestUsingNamedCred
- ApexBadCrypto
- ApexCRUDViolation
- ApexSOQLInjection
- ProtectSensitiveData
Recommended Answer Update
The recommended approaches for storing sensitive user information in managed packages are:

1. **Protected Custom Settings**: Use protected custom settings to securely store sensitive data. This ensures encryption and prevents unauthorized access. You can create a custom UI (using Visualforce, Aura, or LWC) for subscribers to input and manage credentials securely.
2. **Protected Custom Metadata**: If custom metadata is preferred, ensure it's protected and used according to security guidelines. This is suitable for subscriber-owned secrets.
3. **Encryption**: Encrypt sensitive data using AES-256 or higher (AES-128 is the minimum acceptable standard). Store the encryption key securely, such as in a protected custom setting or an inaccessible property file.
4. **Avoid Hard-Coding Secrets**: Don't hard-code sensitive information like API keys or passwords in your codebase. Use secure storage mechanisms like Named Credentials or protected custom settings instead.
5. **Access Restrictions**: Restrict access to classes handling sensitive data to admin users only. Implement proper CRUD/FLS checks to maintain data security.
6. **Avoid Dynamic SOQL**: Avoid using dynamic SOQL queries for sensitive data to prevent potential information disclosure.

These practices help ensure the security and integrity of sensitive user information in managed packages.
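The following Apex class is an added example, not code from the FAQ or from Salesforce, that puts points 1, 3, 5 and 6 of both the current answer and the recommended update together: the AES key lives in a protected custom setting rather than in code, data is encrypted with AES-256 and a managed IV, CRUD/FLS is checked before writing, and reads use static SOQL with a bind variable in user mode. It assumes a hierarchy custom setting `Secure_Config__c` (Visibility = Protected, set in the package metadata) with a Text(255) field `Key__c`, and a custom field `Contact.Api_Token__c` holding the ciphertext; these names are assumptions, not from the FAQ.

```apex
// Assumed objects/fields (not from the FAQ): protected hierarchy custom setting
// Secure_Config__c with Text(255) field Key__c, and Contact.Api_Token__c for ciphertext.
// Admin-only use is enforced by granting Apex class access to this class only to
// admin profiles/permission sets in the package, not in code.
public with sharing class SecretStore {

    private static final String ALGORITHM = 'AES256';

    // Load the AES key from the protected custom setting; generate and store a fresh
    // 256-bit key on first use so no key is ever hard-coded in the package.
    private static Blob getKey() {
        Secure_Config__c cfg = Secure_Config__c.getOrgDefaults();
        if (String.isBlank(cfg.Key__c)) {
            cfg.SetupOwnerId = UserInfo.getOrganizationId();
            cfg.Key__c = EncodingUtil.base64Encode(Crypto.generateAesKey(256));
            upsert cfg;
        }
        return EncodingUtil.base64Decode(cfg.Key__c);
    }

    // Encrypt and persist a subscriber-supplied token on a Contact.
    public static void storeToken(Id contactId, String clearToken) {
        // CRUD and FLS checks before writing sensitive data.
        if (!Schema.sObjectType.Contact.isUpdateable()
            || !Schema.sObjectType.Contact.fields.Api_Token__c.isUpdateable()) {
            throw new System.NoAccessException();
        }
        // encryptWithManagedIV prepends a random IV, so equal tokens yield different ciphertext.
        Blob cipher = Crypto.encryptWithManagedIV(ALGORITHM, getKey(), Blob.valueOf(clearToken));
        update new Contact(Id = contactId, Api_Token__c = EncodingUtil.base64Encode(cipher));
    }

    // Read back and decrypt using a static SOQL query with a bind variable (no dynamic
    // SOQL); WITH USER_MODE enforces CRUD, FLS and sharing for the running user.
    public static String readToken(Id contactId) {
        Contact c = [SELECT Api_Token__c FROM Contact WHERE Id = :contactId WITH USER_MODE];
        if (c.Api_Token__c == null) {
            return null;
        }
        Blob clear = Crypto.decryptWithManagedIV(
            ALGORITHM, getKey(), EncodingUtil.base64Decode(c.Api_Token__c));
        return clear.toString();
    }
}
```

Because the custom setting is protected, subscriber administrators cannot read `Key__c` through the UI or API, and the only code that can reach it is the package's own Apex.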
Reasoning
The main change needed was updating the encryption recommendation from 'AES-128 or higher' to 'AES-256 or higher (AES-128 is the minimum acceptable standard)' to reflect current security best practices, as AES-256 is now the preferred standard while acknowledging AES-128 is still acceptable. I also enhanced the hard-coding avoidance recommendation to specifically mention Named Credentials as a Salesforce-native secure storage option. The related security rules were selected because they directly address the practices discussed in the FAQ: AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign, and AvoidHardcodedCredentialsInHttpHeader all relate to the FAQ's point about avoiding hard-coded secrets in code. ApexSuggestUsingNamedCred aligns with the recommendation to use secure storage mechanisms. ApexBadCrypto relates to the encryption guidance provided. ApexCRUDViolation connects to the access restrictions and CRUD/FLS checks mentioned. ApexSOQLInjection relates to the dynamic SOQL avoidance recommendation. ProtectSensitiveData encompasses the overall theme of securely handling sensitive information that the entire FAQ addresses.