FAQ-000741 - Data Storage and Encryption Security / Vulnerability Identification and Remediation

Current Status:VALID_RESPONSEErrorUnable to AnswerSuggests Case

← Back to List View Prompt Template

Current FAQ

Question
How should developers address insecure storage of sensitive data findings in security reviews?
Answer
Developers should address insecure storage of sensitive data findings by: 1. **Using Protected Storage**: Store sensitive information, such as encryption keys or secrets, in protected custom settings or custom metadata to ensure they are not publicly accessible. 2. **Encrypting Data**: Encrypt sensitive fields before storing them. 3. **Avoiding Public Exposure**: Ensure sensitive data is not stored in public or unprotected locations. 4. **Secure Communication**: For OAuth-related secrets, use protected custom settings and ensure secure communication through HTTPS for callback URLs. 5. **Following Guidelines**: Review and adhere to platform-specific security guidelines to mitigate risks effectively.

Enhancing FAQ with AI recommendations...

AI Recommended Enhancement

Related Security Rules (click to view)
ProtectSensitiveDataApexBadCryptoApexSuggestUsingNamedCredAvoidHardcodedCredentialsInFieldDeclsAvoidHardcodedCredentialsInVarDeclsAvoidHardcodedCredentialsInVarAssignAvoidHardcodedCredentialsInHttpHeaderApexInsecureEndpointUseHttpsCallbackUrlConnectedApp
Question
How should developers address insecure storage of sensitive data findings in security reviews?
Recommended Answer Update
Developers should address insecure storage of sensitive data findings by: 1. **Using Protected Storage**: Store sensitive information, such as encryption keys or secrets, in protected custom settings, custom metadata, or Named Credentials to ensure they're not publicly accessible. 2. **Encrypting Data**: Encrypt sensitive fields before storing them using strong encryption methods. 3. **Avoiding Public Exposure**: Ensure sensitive data isn't stored in public or unprotected locations like hardcoded variables, field declarations, or HTTP headers. 4. **Secure Communication**: For OAuth-related secrets, use protected custom settings or Named Credentials and ensure secure communication through HTTPS for callback URLs. 5. **Following Guidelines**: Review and adhere to platform-specific security guidelines to mitigate risks effectively.
Reasoning
The FAQ content is generally accurate but can be improved for clarity and completeness. Key improvements made: (1) Added 'Named Credentials' as a recommended storage option alongside protected custom settings and custom metadata, as this is a modern best practice for storing credentials securely. (2) Clarified 'strong encryption methods' instead of just 'encrypt' to emphasize proper cryptographic practices. (3) Enhanced the description of what constitutes 'public exposure' by specifically mentioning hardcoded variables, field declarations, and HTTP headers. (4) Added Named Credentials as an option for OAuth secrets storage. The selected security rules are directly relevant to the FAQ content: ProtectSensitiveData relates to the overall topic of securing sensitive data storage. ApexBadCrypto applies to point 2 about encrypting data properly. ApexSuggestUsingNamedCred relates to points 1 and 4 about using secure storage for credentials. AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign, and AvoidHardcodedCredentialsInHttpHeader all relate to point 3 about avoiding public exposure of sensitive data. ApexInsecureEndpoint relates to point 4 about secure communication. UseHttpsCallbackUrlConnectedApp specifically relates to the OAuth callback URL security mentioned in point 4.
Reasoning References