FAQ-000849 - External Platform Security / External System Responsibility and Control

Current Status: VALID_RESPONSE

Current FAQ

Question
How should I handle security issues reported by third-party vendors that involve standard Salesforce features?
Answer
To handle security issues reported by third-party vendors involving standard Salesforce features, follow these steps:

1. **Review the Issues**: Analyze the reported security issues to understand their impact on your application.
2. **Verify Findings**: Use Salesforce's security tools, like the Salesforce Security Scanner, to validate the issues against Salesforce's security guidelines.
3. **Fix High-Severity Issues**: Prioritize resolving vulnerabilities related to sensitive data, authentication, or authorization.
4. **Document False Positives**: If issues are inaccurately flagged, provide detailed documentation explaining why they are false positives, with supporting evidence.
5. **Use Salesforce Features**: Enhance security by leveraging features like protected custom settings, named credentials, and stripInaccessible(). Avoid hardcoding sensitive data and enforce proper CRUD/FLS.
6. **Collaborate with Vendors**: Work with third-party vendors to address vulnerabilities, such as updating libraries or securing external endpoints.
7. **Submit Proper Documentation**: Include all security reports, fixes, and justifications for false positives when submitting your application for review.
8. **Seek Assistance**: If needed, raise a case with Salesforce support or attend Office Hours for guidance.

By following these steps, you can effectively address and resolve security issues while ensuring compliance with Salesforce's security standards.

AI Recommended Enhancement

Related Security Rules

- ApexCRUDViolation
- ApexSharingViolations
- ApexSOQLInjection
- ApexXSSFromEscapeFalse
- ApexXSSFromURLParam
- ApexSuggestUsingNamedCred
- ApexInsecureEndpoint
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- ProtectSensitiveData
Question
How should I handle security issues reported by third-party vendors that involve standard Salesforce features?
Recommended Answer Update
To handle security issues reported by third-party vendors involving standard Salesforce features, follow these steps:

1. **Review the Issues**: Analyze the reported security issues to understand their impact on your application.
2. **Verify Findings**: Use Salesforce's security tools, like the Salesforce Code Analyzer, to validate the issues against Salesforce's security guidelines.
3. **Fix High-Severity Issues**: Prioritize resolving vulnerabilities related to sensitive data, authentication, or authorization.
4. **Document False Positives**: If issues are inaccurately flagged, provide detailed documentation explaining why they are false positives, with supporting evidence.
5. **Use Salesforce Features**: Enhance security by leveraging features like protected custom settings, named credentials, and Security.stripInaccessible(). Avoid hardcoding credentials or other sensitive data, and enforce object-level (CRUD) and field-level (FLS) security checks before queries and DML.
6. **Collaborate with Vendors**: Work with third-party vendors to address vulnerabilities, such as updating libraries or securing external endpoints.
7. **Submit Proper Documentation**: Include all security reports, fixes, and justifications for false positives when submitting your application for review.
8. **Seek Assistance**: If needed, raise a case with Salesforce support or attend Office Hours for guidance.

By following these steps, you can effectively address and resolve security issues while ensuring compliance with Salesforce's security standards.
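The following is an added example, not code from the FAQ or from any vendor, illustrating step 5 of both the current and the recommended answer with a hypothetical Apex class. Each pattern that a third-party scan typically flags (and that the related rules above detect) is shown next to the Salesforce-native fix: a bind variable and WITH USER_MODE instead of string-built SOQL, a Named Credential instead of a hardcoded key on a plaintext endpoint, a protected custom setting for non-secret configuration, and Security.stripInaccessible() before DML. The names ContactEnrichmentService, Vendor_API (Named Credential), Vendor_Settings__c with Tenant_Id__c (hierarchy custom setting) and SSN__c are assumptions chosen for the illustration.

```apex
// Added example (not from the FAQ). Vendor_API, Vendor_Settings__c,
// Tenant_Id__c and SSN__c are hypothetical names.
public with sharing class ContactEnrichmentService {

    // ---------- BEFORE: what the vendor report will flag ----------
    // AvoidHardcodedCredentialsInFieldDecls: secret embedded in source.
    private static final String LEGACY_API_KEY = 'sk_live_EXAMPLE_DO_NOT_USE';

    public static List<Contact> findContactsUnsafe(String emailFragment) {
        // ApexSOQLInjection: user input concatenated into the query string.
        String soql = 'SELECT Id, Email, SSN__c FROM Contact WHERE Email LIKE \'%'
                    + emailFragment + '%\'';
        // ApexCRUDViolation: "with sharing" only applies record sharing; this
        // still returns SSN__c to a user with no field-level read access.
        return Database.query(soql);
    }

    public static void enrichUnsafe(Contact c) {
        HttpRequest req = new HttpRequest();
        // ApexInsecureEndpoint: plaintext HTTP.
        // ApexSuggestUsingNamedCred: raw URL plus key managed in code.
        req.setEndpoint('http://api.example.com/enrich?email=' + c.Email);
        req.setHeader('Authorization', 'Bearer ' + LEGACY_API_KEY);
        req.setMethod('GET');
        HttpResponse res = new Http().send(req);
        c.Description = res.getBody();
        update c; // ApexCRUDViolation: no isUpdateable() check on Description
    }

    // ---------- AFTER: same behaviour, scanner-clean ----------
    public static List<Contact> findContacts(String emailFragment) {
        // Bind variable: the value reaches the query engine as data, so it can
        // never terminate the LIKE literal; no manual escaping is needed.
        String pattern = '%' + emailFragment + '%';
        // WITH USER_MODE applies the running user's object, field and sharing
        // permissions inside the query; a field the user cannot read raises a
        // QueryException instead of silently leaking.
        // LIMIT keeps the caller under the 100-callouts-per-transaction limit.
        return [SELECT Id, Email, SSN__c FROM Contact
                WHERE Email LIKE :pattern WITH USER_MODE LIMIT 100];
    }

    public static void enrich(List<Contact> contacts) {
        // Tenant-specific, non-secret configuration lives in a protected
        // hierarchy custom setting (hypothetical Vendor_Settings__c), not in code.
        Vendor_Settings__c cfg = Vendor_Settings__c.getOrgDefaults();
        for (Contact c : contacts) {
            if (String.isBlank(c.Email)) {
                continue;
            }
            HttpRequest req = new HttpRequest();
            // Named Credential: the HTTPS URL and the auth header are configured
            // by the admin; the API key never appears in Apex or in debug logs.
            req.setEndpoint('callout:Vendor_API/enrich?tenant='
                            + EncodingUtil.urlEncode(cfg.Tenant_Id__c, 'UTF-8')
                            + '&email=' + EncodingUtil.urlEncode(c.Email, 'UTF-8'));
            req.setMethod('GET');
            HttpResponse res = new Http().send(req);
            if (res.getStatusCode() == 200) {
                Map<String, Object> body =
                    (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
                c.Description = String.valueOf(body.get('summary'));
            }
        }
        // Object-level check first, then stripInaccessible() removes any field
        // the user may not update (e.g. Description) instead of failing the
        // whole DML; the removed fields are logged so the gap is visible.
        if (!Schema.sObjectType.Contact.isUpdateable()) {
            throw new EnrichmentAccessException(
                'Contact is not updateable for the running user');
        }
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, contacts);
        if (!decision.getRemovedFields().isEmpty()) {
            System.debug(LoggingLevel.WARN,
                'Fields stripped before update: ' + decision.getRemovedFields());
        }
        update decision.getRecords();
    }

    public class EnrichmentAccessException extends Exception {}
}
```

When writing up a finding from a vendor scan for the review submission, pair the flagged line (the "BEFORE" methods here) with the corresponding "AFTER" method and the rule it satisfies; that is the evidence step 7 asks for, and the same mapping is what turns a genuine false positive into a documented one rather than an unexplained suppression.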
Reasoning
The main change needed was updating the reference from 'Salesforce Security Scanner' to 'Salesforce Code Analyzer' in step 2, as this is the current name for Salesforce's security scanning tool. All other content remains accurate and well-structured.

Regarding the security rules selected:

- **ApexCRUDViolation** and **ApexSharingViolations** relate to the FAQ's mention of enforcing 'proper CRUD/FLS' in step 5, as these rules detect violations of data access permissions.
- **ApexSOQLInjection**, **ApexXSSFromEscapeFalse**, and **ApexXSSFromURLParam** are relevant to the FAQ's discussion of 'vulnerabilities related to sensitive data' and security issues that third-party tools commonly flag.
- **ApexSuggestUsingNamedCred** directly corresponds to the FAQ's recommendation to use 'named credentials' in step 5.
- **ApexInsecureEndpoint** relates to the FAQ's mention of 'securing external endpoints' in step 6.
- **AvoidHardcodedCredentialsInFieldDecls**, **AvoidHardcodedCredentialsInVarDecls**, and **AvoidHardcodedCredentialsInVarAssign** all relate to the FAQ's guidance to 'avoid hardcoding sensitive data' in step 5.
- **ProtectSensitiveData** broadly encompasses the FAQ's focus on addressing 'vulnerabilities related to sensitive data' mentioned in step 3.