FAQ-000837 - External Platform Security / External Platform Hosting and AWS

Applications primarily hosted on an external platform must meet these security review requirements: 1. **Testing Scope**: The entire solution, including external endpoints, must be tested. This includes endpoints for user authentication or Salesforce data transfer, ensuring secure processes. 2. **Control Over External Endpoints**: You must have control over the external endpoint (e.g., ability to place a token in the web app root for testing). Without this control, the review can't proceed. 3. **Security Testing**: Conduct manual and automated security scans, including Dynamic Application Security Testing (DAST). Document and address any false positives. 4. **Credentials and Secrets Management**: Securely store credentials for web services calling Salesforce APIs. Use AES-256 or higher encryption for server-side secrets, and avoid logging or storing sensitive data unencrypted. 5. **TLS Requirements**: External endpoints must support TLS v1.2 or higher. Weak ciphers and outdated protocols aren't allowed. 6. **Documentation**: Submit detailed documentation, including security scan reports, false-positive explanations, and solution architecture details. 7. **Compliance with Policies**: Follow Salesforce's security policies, secure coding practices, and industry standards. 8. **Staging Environment**: Testing can occur in a staging environment if it mirrors production. SSL scans will be performed on the production version. These steps ensure the security and compliance of externally hosted applications.

The FAQ content was improved for clarity and tone according to the guidelines. Changed 'cannot proceed' to 'can't proceed' for a more conversational tone, and 'are not allowed' to 'aren't allowed' for consistency with the conversational style guidelines. Updated the encryption recommendation from 'AES-128 or higher' to 'AES-256 or higher' as this represents current best practices for encryption standards, though AES-128 remains technically secure. For the security rules selected: - ApexBadCrypto: Relates to the FAQ's discussion of encryption requirements for server-side secrets, specifically the recommendation to 'encrypt server-side secrets with AES' - ApexInsecureEndpoint: Directly applies to the FAQ's coverage of external endpoint security and TLS requirements - AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls: All relate to the FAQ's section on 'Credentials and Secrets Management' which discusses securely storing credentials and avoiding logging sensitive data - ApexSuggestUsingNamedCred: Connects to the credentials management section where the FAQ discusses secure credential storage for web services calling Salesforce APIs - AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting: Both relate to the FAQ's TLS requirements section which mandates TLS v1.2 or higher and prohibits weak protocols