FAQ-000848 - External Platform Security / External System Responsibility and Control


Current FAQ

Question
How do I address security issues in external systems connected to my package?
Answer
To address security issues in external systems connected to your package during the AppExchange Security Review:

1. **Test the Full Scope**: Ensure you test all external endpoints that operate independently of the Salesforce platform.
2. **Use Security Tools**: Perform both manual testing and automated security scans to identify vulnerabilities.
3. **Document False Positives**: If there are false-positive security violations, document them clearly.
4. **Follow Security Guidelines**: Ensure your code complies with Salesforce security guidelines.
5. **Resolve Issues**: Rework your code to fix any vulnerabilities detected.
6. **Provide Updated Reports**: Submit updated security scan reports, such as Dynamic Application Security Test (DAST) results, for external endpoints.

For additional help, you can schedule a technical office hours appointment with the Product Security team through the Partner Security Portal.

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
Question
How do I address security issues in external systems connected to my package?
Recommended Answer Update
To address security issues in external systems connected to your package during the AppExchange Security Review:

1. **Test the Full Scope**: Ensure you test all external endpoints that operate independently of the Salesforce platform.
2. **Use Security Tools**: Perform both manual testing and automated security scans to identify vulnerabilities.
3. **Document False Positives**: If there are false-positive security violations, document them clearly.
4. **Follow Security Guidelines**: Ensure your code complies with Salesforce security guidelines, including using HTTPS endpoints, avoiding hardcoded credentials, and implementing proper authentication.
5. **Resolve Issues**: Rework your code to fix any vulnerabilities detected, such as insecure HTTP connections or embedded secrets.
6. **Provide Updated Reports**: Submit updated security scan reports, such as Dynamic Application Security Test (DAST) results, for external endpoints.

For additional help, you can schedule a technical office hours appointment with the Product Security team through the Partner Security Portal.
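Steps 4 and 5 in both versions of the answer above describe the two findings that the listed rules raise most often on external callouts: a cleartext `http://` endpoint and a credential embedded in the package. The Apex class below is an added illustration written for this FAQ, not code from the FAQ itself or from Salesforce; it shows the flagged callout next to the form that passes review. The Named Credential name `Partner_API`, the host `api.partner.example`, the path `/v1/users` and the service account string are all assumptions made for the example.

```apex
// Added example for this FAQ (not Salesforce or partner code). The Named
// Credential "Partner_API", host, path and the sample credential are assumptions.
public with sharing class ExternalSystemCallout {

    public class PartnerApiException extends Exception {}

    // BEFORE: what ApexInsecureEndpoint (cleartext http://) and
    // AvoidHardcodedCredentialsInHttpHeader / AvoidHardcodedCredentialsInVarAssign
    // (secret in source) flag. Kept only for contrast; do not ship this.
    public static HttpResponse insecureCallout() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.partner.example/v1/users');   // cleartext transport
        req.setMethod('GET');
        String creds = 'svc_user:P@ssw0rd';                          // hardcoded credential
        req.setHeader('Authorization',
            'Basic ' + EncodingUtil.base64Encode(Blob.valueOf(creds)));
        return new Http().send(req);
    }

    // AFTER: the endpoint URL and the credential live in a Named Credential that
    // the subscriber admin configures in Setup. The platform injects the HTTPS
    // base URL and the Authorization header, so no secret ships in the package
    // and no Remote Site Setting (and therefore no disableProtocolSecurity) is needed.
    public static HttpResponse secureCallout() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/v1/users');   // ApexSuggestUsingNamedCred pattern
        req.setMethod('GET');
        req.setTimeout(10000);                              // fail fast instead of holding the transaction

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Surface only the status code; the response body or headers from a
            // third party should not be echoed into user-facing error messages.
            throw new PartnerApiException(
                'Partner_API returned HTTP ' + res.getStatusCode());
        }
        return res;
    }
}
```

For the review, the DAST report requested in step 6 should cover `api.partner.example` itself (TLS configuration, authentication and authorization on `/v1/users`), since the Named Credential only fixes how the package reaches the endpoint, not how the endpoint behaves once reached.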
Reasoning
The original answer is well-structured but point 4 'Follow Security Guidelines' was too generic. I improved it by adding specific security requirements commonly flagged during external system reviews - using HTTPS endpoints, avoiding hardcoded credentials, and implementing proper authentication. Point 5 was enhanced to include concrete examples of vulnerabilities (insecure HTTP connections, embedded secrets) that align with common external system security issues. These changes make the guidance more actionable while maintaining the original structure and length. Selected security rules relate to external system security concerns: ApexInsecureEndpoint flags non-HTTPS endpoints which is critical for external connections. ApexSuggestUsingNamedCred promotes secure credential management for external callouts. The hardcoded credential rules (AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls) directly apply to the FAQ's discussion of security issues in external systems where credentials are often involved. AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting relate to secure configuration of external endpoints. UseHttpsCallbackUrlConnectedApp ensures secure callback configurations for external integrations.