FAQ-000841 - External Platform Security / External Platform Hosting and AWS


Current FAQ

Question
What security requirements apply to Salesforce packages that integrate with AWS or other cloud services?
Answer
Salesforce packages that integrate with AWS or other cloud services must meet the following security requirements:

1. **Secure Data Transfer**: Ensure secure data transfer between Salesforce and external services by following secure coding practices and using strong cryptographic methods like SHA256.
2. **Comprehensive Testing**: Test the full scope of the solution, including external endpoints, using both manual and automated security tools.
3. **Document False Positives**: Provide documentation for any false positives identified during security scans.
4. **Submit Required Materials**: Include all necessary materials for the security review, such as test environments, credentials for external components, and security scan reports.
5. **Address Vulnerabilities**: Fix any vulnerabilities identified during the review, such as insecure storage of sensitive data or improper use of session IDs.

These measures are designed to protect customer data and ensure secure integration with external cloud services.

AI Recommended Enhancement

Related Security Rules
ApexBadCrypto, ApexInsecureEndpoint, ApexSuggestUsingNamedCred, AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls, AvoidInsecureHttpRemoteSiteSetting, AvoidDisableProtocolSecurityRemoteSiteSetting, UseHttpsCallbackUrlConnectedApp
Question
What security requirements apply to Salesforce packages that integrate with AWS or other cloud services?
Recommended Answer Update
Salesforce packages that integrate with AWS or other cloud services must meet the following security requirements:

1. **Secure Data Transfer**: Ensure secure data transfer between Salesforce and external services by using HTTPS endpoints and strong cryptographic methods. Avoid hardcoded credentials and use Named Credentials for authentication.
2. **Comprehensive Testing**: Test the full scope of the solution, including external endpoints, using both manual and automated security tools.
3. **Document False Positives**: Provide documentation for any false positives identified during security scans.
4. **Submit Required Materials**: Include all necessary materials for the security review, such as test environments, credentials for external components, and security scan reports.
5. **Address Vulnerabilities**: Fix any vulnerabilities identified during the review, such as insecure storage of sensitive data or improper use of session IDs.

These measures are designed to protect customer data and ensure secure integration with external cloud services.
Reasoning
The main issue with the original FAQ was the specific mention of SHA256 as a cryptographic method for secure data transfer, which is misleading. SHA256 is a hashing algorithm, not an encryption method for securing data in transit. The updated answer removes this confusion and provides more accurate guidance about using HTTPS and avoiding hardcoded credentials, which are the actual security requirements for external integrations.

Regarding the selected security rules: ApexBadCrypto relates to the cryptographic methods mentioned in point 1. ApexInsecureEndpoint directly applies to the secure data transfer requirement when integrating with external services. ApexSuggestUsingNamedCred is highly relevant to the authentication aspects of external integrations mentioned in point 1. The AvoidHardcodedCredentials rules (AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls) all relate to the secure authentication practices needed when integrating with AWS and other cloud services. AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting directly apply to the secure data transfer requirements for external integrations. UseHttpsCallbackUrlConnectedApp relates to ensuring secure connections when setting up integrations with external platforms.
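To make point 1 of the updated answer concrete, here is an added Apex example (not code from this FAQ or from Salesforce) showing a callout written the way the hardcoded-credential and insecure-endpoint rules flag it, beside the Named Credential form that passes them. The Named Credential name `AWS_Report_Service`, the endpoint host and the placeholder key values are assumptions.

```apex
public class AwsCalloutExamples {

    public class IntegrationException extends Exception {}

    // Weak form: plain-HTTP endpoint plus a secret embedded in the header.
    // This is what ApexInsecureEndpoint and
    // AvoidHardcodedCredentialsInHttpHeader report during the security review.
    // Key and secret are obvious placeholders, not real values.
    public static HttpResponse weakFetch() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://reports.example-aws-host.test/report.json'); // hypothetical host
        req.setMethod('GET');
        req.setHeader('Authorization', 'AWS AKIA_PLACEHOLDER:SECRET_PLACEHOLDER');
        return new Http().send(req);
    }

    // Hardened form: the Named Credential holds the HTTPS base URL and the
    // authentication material, and the platform injects the Authorization
    // header at runtime. No secret appears in source, so the hardcoded
    // credential rules have nothing to flag, and ApexSuggestUsingNamedCred
    // is satisfied. A Named Credential also needs no Remote Site Setting,
    // which removes the AvoidInsecureHttpRemoteSiteSetting surface entirely.
    public static HttpResponse hardenedFetch() {
        HttpRequest req = new HttpRequest();
        // 'callout:' prefix resolves to the Named Credential's HTTPS URL.
        req.setEndpoint('callout:AWS_Report_Service/report.json'); // hypothetical Named Credential
        req.setMethod('GET');
        req.setTimeout(10000);

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Surface failures explicitly rather than returning partial data.
            throw new IntegrationException('Report callout failed with status '
                                           + res.getStatusCode());
        }
        return res;
    }
}
```

Note that the SHA256 digest available through `Crypto.generateDigest` provides integrity only; confidentiality in transit comes from the HTTPS endpoint the Named Credential enforces, which is the distinction the reasoning above draws.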