FAQ-000829 - External Platform Security / External Dependencies and Libraries


Current FAQ

Question
How can I ensure all external dependencies and libraries used by my off-platform services are secure before submitting for review?
Answer
To ensure the security of external dependencies and libraries used by your off-platform services before submitting for the AppExchange security review, follow these steps:

1. **Perform Security Scans**: Use tools like the Source Code Scanner from the Partner Security Portal to identify vulnerabilities in all external endpoints, including web applications or services.
2. **Submit Security Reports**: Include security scan reports, such as Dynamic Application Security Test (DAST) reports, and document any false positives with explanations.
3. **Secure Authentication**: Ensure all external components requiring authentication (e.g., APIs or services) are securely configured. Provide URLs and login credentials for these components in your submission.
4. **Avoid Dynamic Loading**: Do not dynamically load third-party JavaScript files from CDNs. Instead, save these files in static resources within your package to maintain version control and prevent unauthorized changes.
5. **Encrypt Sensitive Data**: Use AES-128 or higher encryption standards for sensitive data and credentials. For server apps, store encryption keys securely, ensuring the database layer cannot access them directly.
6. **Comprehensive Testing**: Test your entire solution, including external dependencies, using both manual and automated methods to ensure compliance with Salesforce security guidelines.
7. **Provide Documentation**: Include detailed documentation of your solution, such as your company's information security policies, to demonstrate adherence to enterprise security standards.

By following these steps, you can minimize security risks and improve the chances of passing the review.

AI Recommended Enhancement

Related Security Rules

ApexBadCrypto
ApexInsecureEndpoint
ApexSuggestUsingNamedCred
AvoidHardcodedCredentialsInFieldDecls
AvoidHardcodedCredentialsInHttpHeader
AvoidHardcodedCredentialsInVarAssign
AvoidHardcodedCredentialsInVarDecls
AvoidInsecureHttpRemoteSiteSetting
AvoidDisableProtocolSecurityRemoteSiteSetting
LibraryWithKnownCriticalSeverityVulnerability
LibraryWithKnownHighSeverityVulnerability
LibraryWithKnownMediumSeverityVulnerability
LibraryWithKnownLowSeverityVulnerability
LoadJavaScriptHtmlScript
LoadJavaScriptIncludeScript
Question
How can I ensure all external dependencies and libraries used by my off-platform services are secure before submitting for review?
Recommended Answer Update
To ensure the security of external dependencies and libraries used by your off-platform services before submitting for the AppExchange security review, follow these steps:

1. **Perform Security Scans**: Use tools like the Source Code Scanner from the Partner Security Portal to identify vulnerabilities in all external endpoints, including web applications or services.
2. **Submit Security Reports**: Include security scan reports, such as Dynamic Application Security Test (DAST) reports, and document any false positives with explanations.
3. **Secure Authentication**: Ensure all external components requiring authentication (e.g., APIs or services) are securely configured. Use Named Credentials when possible to manage external authentication securely. Provide URLs and login credentials for these components in your submission.
4. **Avoid Dynamic Loading**: Don't dynamically load third-party JavaScript files from CDNs. Instead, save these files in static resources within your package to maintain version control and prevent unauthorized changes.
5. **Encrypt Sensitive Data**: Use AES-256 or higher encryption standards for sensitive data and credentials. For server apps, store encryption keys securely, ensuring the database layer can't access them directly.
6. **Comprehensive Testing**: Test your entire solution, including external dependencies, using both manual and automated methods to ensure compliance with Salesforce security guidelines.
7. **Provide Documentation**: Include detailed documentation of your solution, such as your company's information security policies, to demonstrate adherence to enterprise security standards.

By following these steps, you can minimize security risks and improve the chances of passing the review.
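The following Apex class is an added example, not code from the FAQ or from Salesforce; it illustrates step 3 (Named Credentials instead of credentials placed in code) and step 5 (AES-256 encryption with a key held outside the data store) from both the current and the recommended answers above. The Named Credential name `Partner_API`, the endpoint path, the class name and the placeholder credential string are all assumptions; the hardcoded-header method is kept only as the "before" form that rules such as AvoidHardcodedCredentialsInHttpHeader flag.

```apex
// Added example (not from the FAQ or the Salesforce docs). Contrasts a
// credential embedded in an HTTP header with a Named Credential callout, and
// shows AES-256 encrypt/decrypt via the Crypto class with a caller-supplied key.
// Assumptions: a Named Credential called Partner_API exists, and the AES key is
// obtained from a store the database layer cannot read (e.g. a protected custom
// setting or a secrets manager), never from the record holding the ciphertext.
public with sharing class ExternalDependencyExample {

    // BEFORE: secret lives in code and is sent in a header. Anyone who can read
    // the package source has the credential, and rotating it means a new release.
    // Values below are placeholders, not real credentials.
    public static HttpResponse callWithHardcodedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/v1/status'); // hypothetical endpoint
        req.setMethod('GET');
        String basic = EncodingUtil.base64Encode(
            Blob.valueOf('PLACEHOLDER_USER:PLACEHOLDER_PASSWORD'));
        req.setHeader('Authorization', 'Basic ' + basic);
        return new Http().send(req);
    }

    // AFTER: the platform injects the credential at callout time. No secret is
    // in code, the endpoint is managed by an admin, and no Remote Site Setting
    // is needed for the host, so the AvoidInsecureHttp* rules are not triggered.
    public static HttpResponse callWithNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/v1/status'); // Partner_API is assumed
        req.setMethod('GET');
        return new Http().send(req);
    }

    // Step 5: AES-256 with a platform-managed IV (prepended to the ciphertext).
    // The key is passed in so the caller decides where it is kept; the method
    // refuses anything that is not a 32-byte (256-bit) key.
    public static Blob encryptSecret(Blob key, String plaintext) {
        if (key == null || key.size() != 32) {
            throw new IllegalArgumentException('AES256 requires a 32-byte key');
        }
        return Crypto.encryptWithManagedIV('AES256', key, Blob.valueOf(plaintext));
    }

    public static String decryptSecret(Blob key, Blob ciphertext) {
        if (key == null || key.size() != 32) {
            throw new IllegalArgumentException('AES256 requires a 32-byte key');
        }
        return Crypto.decryptWithManagedIV('AES256', key, ciphertext).toString();
    }

    // Generate the key once, out of band, and store it separately from the data
    // it protects. Only the ciphertext (with its managed IV) goes into the database.
    public static Blob generateKey() {
        return Crypto.generateAesKey(256);
    }
}
```

Usage, for instance from anonymous Apex: `Blob k = ExternalDependencyExample.generateKey();` then `Blob c = ExternalDependencyExample.encryptSecret(k, 'api-token');` and `ExternalDependencyExample.decryptSecret(k, c)` returns `'api-token'`. The point of keeping the key as a parameter is that the record or table holding `c` never also holds `k`, which is the separation step 5 asks for.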
Reasoning
The FAQ content is generally solid but needed refinements for clarity and modern security standards. Key improvements: (1) Changed 'Do not' to 'Don't' for more conversational tone per brand guidelines, (2) Updated encryption standard from AES-128 to AES-256 as current best practice, (3) Changed 'cannot' to 'can't' for conversational tone, (4) Added guidance about Named Credentials for secure external authentication management. Security rules selected relate directly to the FAQ's core topics: ApexBadCrypto relates to step 5's encryption requirements, ApexInsecureEndpoint and ApexSuggestUsingNamedCred relate to step 3's secure external authentication, the AvoidHardcoded* rules relate to step 5's credential security, AvoidInsecureHttp* rules relate to external service security, Library vulnerability rules relate to step 4's third-party dependency management, and LoadJavaScript* rules relate to step 4's guidance on avoiding dynamic loading of external scripts.