How should developers prepare for manual security reviews when most of their code is hosted externally?
Answer
To prepare for manual security reviews when most of your code is hosted externally, here are some key steps:
1. **Adhere to Secure Development Practices**: Ensure your solution follows industry standards and secure coding guidelines.
2. **Test the Full Scope**: Use both manual testing and automated security scanning tools to test all components, including external endpoints.
3. **Document and Address Issues**: Document any false-positive security violations and fix code that doesn't meet security guidelines.
4. **Follow-the-Data Approach**: Identify all components and layers of your solution in scope for the review, especially endpoints that authenticate users or handle Salesforce data.
5. **Obtain Permissions for External Testing**: Secure necessary permissions from third parties before testing external endpoints and follow Salesforce's IP and domain guidelines.
6. **Run Periodic Scans**: Conduct regular scans during development to catch and fix vulnerabilities early.
7. **Secure Sensitive Data**: Ensure sensitive data is securely stored and not transmitted outside the platform.
Proper documentation and preparation will help minimize risks and make the security review process smoother.
How should developers prepare for manual security reviews when most of their code is hosted externally?
Recommended Answer Update
To prepare for manual security reviews when most of your code is hosted externally, here are some key steps:
1. **Follow Secure Development Practices**: Ensure your solution follows industry standards and secure coding guidelines.
2. **Test the Full Scope**: Use both manual testing and automated security scanning tools to test all components, including external endpoints.
3. **Document and Address Issues**: Document any false-positive security violations and fix code that doesn't meet security guidelines.
4. **Follow-the-Data Approach**: Identify all components and layers of your solution in scope for the review, especially endpoints that authenticate users or handle Salesforce data.
5. **Obtain Permissions for External Testing**: Secure necessary permissions from third parties before testing external endpoints and follow Salesforce's IP and domain guidelines.
6. **Run Periodic Scans**: Conduct regular scans during development to catch and fix vulnerabilities early.
7. **Protect Sensitive Data**: Ensure sensitive data is securely stored and not transmitted outside the platform.
Proper documentation and preparation will help minimize risks and make the security review process smoother.
Reasoning
The changes made improve clarity and consistency in the language while maintaining all original points and structure. Changed 'Adhere to' to 'Follow' and 'Secure Sensitive Data' to 'Protect Sensitive Data' for clearer, more direct language that aligns with security terminology. The FAQ covers external platform security, which is directly related to several security rules:
1. ApexInsecureEndpoint relates to the discussion of testing external endpoints and ensuring they are secure.
2. ApexSuggestUsingNamedCred relates to the external authentication mentioned in the follow-the-data approach.
3. The credential-related rules (AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInHttpHeader) relate to the secure development practices for external integrations.
4. AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting relate to the external endpoints and third-party testing mentioned.
5. ProtectSensitiveData directly relates to point 7 about securing sensitive data and the overall data protection concerns when code is hosted externally.
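The endpoint and credential rules named above (ApexInsecureEndpoint, ApexSuggestUsingNamedCred, AvoidHardcodedCredentialsInHttpHeader) are what the "Follow Secure Development Practices" and "Follow-the-Data" steps surface in practice; the Apex class below is an added example, not code from the original answer, showing the pattern the review flags beside the Named Credential form that passes it. The class name, the Named Credential Partner_API, the host api.partner.example and the /v1/orders path are assumed placeholders.

```apex
// Added example (not from the original answer): one external callout written two ways.
// Assumptions: Named Credential "Partner_API", host api.partner.example and path
// /v1/orders are placeholders; substitute your own values.
public with sharing class PartnerCalloutExample {

    // BEFORE: the pattern a manual review flags. The endpoint is plain http://
    // (ApexInsecureEndpoint) and a secret is baked into a header
    // (AvoidHardcodedCredentialsInHttpHeader). Shown for contrast only.
    public static HttpRequest buildInsecureRequest() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.partner.example/v1/orders');
        req.setMethod('GET');
        // The secret lives in source, so it ships with every package, clone and log.
        req.setHeader('Authorization', 'Bearer PLACEHOLDER_TOKEN');
        return req;
    }

    // AFTER: the endpoint is a Named Credential (ApexSuggestUsingNamedCred).
    // The platform stores the credential, adds the Authorization header itself,
    // and the HTTPS URL is configured by an admin rather than in code, so no
    // Remote Site Setting with protocol security disabled is needed either.
    public static HttpRequest buildNamedCredentialRequest() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/v1/orders');
        req.setMethod('GET');
        return req;
    }

    // Performs the hardened callout and returns the body, or null on a non-2xx status.
    public static String fetchOrders() {
        HttpResponse res = new Http().send(buildNamedCredentialRequest());
        Integer code = res.getStatusCode();
        if (code < 200 || code >= 300) {
            // Log status only; never echo the response of a failed auth attempt.
            System.debug(LoggingLevel.ERROR, 'Partner callout failed: ' + res.getStatus());
            return null;
        }
        return res.getBody();
    }
}
```

Reviewers looking at externally hosted code will ask where each credential and endpoint is defined; with the second form the answer is "in org configuration, not in source", which is the answer the scan rules expect.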