The security requirements for external websites or services that your managed package connects to include:
1. **Access to External Components**: Provide access to all external web applications or services used by your solution for security testing.
2. **Authentication Details**: Include URLs and login credentials for external components requiring authentication in your security review submission.
3. **Security Scans**: Conduct security scans (e.g., DAST reports) on external endpoints and include these reports in your submission.
4. **Document False Positives**: Identify and explain any false positives found during security scans.
5. **Secure Coding Practices**: Ensure external endpoints use secure coding practices, such as TLS v1.2 or above, and avoid weak ciphers. Exceptions may be granted for endpoints not under your control, with an action plan.
6. **Control Over External Endpoints**: If the external endpoint is in scope, you must have control over it, including placing a token in the web app root for testing.
7. **CORS and Cross-Domain Policies**: Avoid wildcarded CORS or cross-domain.xml files for non-public endpoints. Use a separate content domain if a general relay is needed.
8. **Secure Session IDs**: Ensure session IDs are marked as SECURE and follow other secure configuration practices.
These measures ensure that all external components connected to your managed package meet enterprise security standards.
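Before submitting, it helps to run the same checks the reviewers will apply (items 5, 7 and 8 above) against your own scan output. The following is an added example, not part of the original requirements text: it audits a negotiated TLS version and cipher, a set of response headers and a cross-domain.xml body using constructed sample data. The weak-cipher marker list and the HttpOnly check are assumptions standing in for "other secure configuration practices"; adjust them to your scanner's policy.

```python
import re
import xml.etree.ElementTree as ET

MIN_TLS = (1, 2)  # the review requires TLS v1.2 or above
# Assumption: substrings that mark a legacy/weak cipher suite.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def check_tls(version: str, cipher: str) -> list[str]:
    """Flag protocol versions below TLS 1.2 and weak cipher suites.
    `version` uses the ssl module's format, e.g. 'TLSv1.2' or 'SSLv3'."""
    findings = []
    m = re.fullmatch(r"TLSv(\d)(?:\.(\d))?", version)
    parsed = (int(m.group(1)), int(m.group(2) or 0)) if m else None
    if parsed is None or parsed < MIN_TLS:
        findings.append(f"TLS version {version} is below TLS 1.2")
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite negotiated: {cipher}")
    return findings


def check_headers(headers: list[tuple[str, str]], public: bool) -> list[str]:
    """Flag wildcard CORS on non-public endpoints and cookies lacking
    the Secure (required) and HttpOnly (assumed) attributes."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "access-control-allow-origin" and value.strip() == "*" and not public:
            findings.append("wildcard CORS on a non-public endpoint")
        if lname == "set-cookie":
            cookie = value.split(";", 1)[0].split("=", 1)[0]
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} missing Secure flag")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} missing HttpOnly flag")
    return findings


def check_crossdomain(xml_text: str, public: bool) -> list[str]:
    """Flag a cross-domain.xml that grants access to every domain."""
    root = ET.fromstring(xml_text)
    wild = [e for e in root.iter("allow-access-from") if e.get("domain") == "*"]
    return ["wildcard cross-domain.xml on a non-public endpoint"] if wild and not public else []


# Constructed sample data for a non-public integration endpoint.
SAMPLE_HEADERS = [("Access-Control-Allow-Origin", "*"),
                  ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly")]
SAMPLE_CROSSDOMAIN = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'

if __name__ == "__main__":
    for f in (check_tls("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")
              + check_headers(SAMPLE_HEADERS, public=False)
              + check_crossdomain(SAMPLE_CROSSDOMAIN, public=False)):
        print("FINDING:", f)
```

Each finding maps to a requirement above, so the output doubles as the list of items you must either fix or document as a false positive in the submission.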