How do I address security review failures caused by external SaaS platforms rather than the managed package?
Answer
To address security review failures caused by external SaaS platforms rather than the managed package, follow these steps:
1. **Document Issues**: Clearly identify and document how the external SaaS platform contributes to the reported vulnerabilities.
2. **Provide Justifications**: Submit a detailed use case explaining the integration with the external platform and any mitigations or controls in place to address potential risks.
3. **Submit False Positive Documentation**: Include a false positive document with the security review, explaining why the flagged issues are not applicable to the managed package and are related to the external platform.
4. **Resolve Managed Package Vulnerabilities**: Ensure all other vulnerabilities within the managed package are resolved to avoid additional failures.
5. **Engage with the Security Review Team**: Use office hours or the Partner Security Portal to clarify the situation and seek guidance on addressing these specific issues.
This approach ensures transparency and demonstrates your efforts to address security concerns effectively.
How do I address security review failures caused by external SaaS platforms rather than the managed package?
Recommended Answer Update
To address security review failures caused by external SaaS platforms rather than the managed package, follow these steps:
1. **Document Issues**: Clearly identify and document how the external SaaS platform contributes to the reported vulnerabilities.
2. **Provide Justifications**: Submit a detailed use case explaining the integration with the external platform and any mitigations or controls in place to address potential risks.
3. **Submit False Positive Documentation**: Include a false positive document with the security review, explaining why the flagged issues aren't applicable to the managed package and are related to the external platform.
4. **Resolve Managed Package Vulnerabilities**: Ensure all other vulnerabilities within the managed package are resolved to avoid additional failures.
5. **Engage with the Security Review Team**: Use office hours or the Partner Security Portal to clarify the situation and seek guidance on addressing these specific issues.
This approach ensures transparency and demonstrates your efforts to address security concerns effectively.
Reasoning
The FAQ content is clear and helpful, with only minor improvements needed for conversational tone. Changed "are not applicable" to "aren't applicable" to follow the brand guidelines for using contractions and making content more conversational. The FAQ effectively addresses a complex scenario where external platforms cause security review failures and provides actionable steps.
The selected security rules are directly relevant:
1. **ApexInsecureEndpoint**: relates to the external platform integration aspect where endpoints might be flagged as insecure when connecting to external SaaS platforms.
2. **ApexSuggestUsingNamedCred**: applies when integrations with external platforms should use Named Credentials for secure authentication.
3. **AvoidDisableProtocolSecurityRemoteSiteSetting** and **AvoidInsecureHttpRemoteSiteSetting**: both relate to remote site settings that are commonly required when integrating with external SaaS platforms, which is the core scenario this FAQ addresses.
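To make the four rules named above concrete, the following is an added example (it is not part of the FAQ and not Salesforce's own code). It shows the same outbound call to an external SaaS platform written the way the rules flag it and then the way they expect it, plus a unit test that proves the callout goes through a Named Credential. The distinction matters for the false-positive step: a finding against the package's own callout code (a plain `http://` endpoint, a hardcoded bearer token, a remote site setting with `disableProtocolSecurity` set) is in the package and must be fixed, not documented as platform-caused. The Named Credential API name `External_SaaS`, the host `api.external-saas.example` and the path `/api/v1/records` are placeholders; the two classes would live in separate files in a real project.

```apex
// Added example, not from the FAQ or from Salesforce. External_SaaS, the host
// and the path are hypothetical placeholders.
public with sharing class ExternalSaasClient {

    public class ExternalSaasException extends Exception {}

    // BEFORE: ApexInsecureEndpoint flags the plain http:// URL, and
    // ApexSuggestUsingNamedCred flags the endpoint and credential being built
    // in Apex. This shape also requires a Remote Site Setting for the host;
    // if that setting uses http:// or sets disableProtocolSecurity=true it
    // trips AvoidInsecureHttpRemoteSiteSetting / AvoidDisableProtocolSecurityRemoteSiteSetting.
    // None of these findings is caused by the external platform.
    public static HttpResponse fetchRecordsInsecure(String apiKey) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.external-saas.example/api/v1/records'); // hypothetical host
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + apiKey); // secret handled in code
        return new Http().send(req);
    }

    // AFTER: the endpoint is resolved through a Named Credential. The
    // https:// URL and the secret live in the Named Credential (hypothetical
    // API name External_SaaS), Salesforce injects the Authorization header,
    // and no Remote Site Setting is needed for the host.
    public static HttpResponse fetchRecords() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:External_SaaS/api/v1/records');
        req.setMethod('GET');
        req.setTimeout(30000);
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            throw new ExternalSaasException('External_SaaS returned HTTP ' + res.getStatusCode());
        }
        return res;
    }
}

// Test class (separate file in a real project). The mock checks the two
// properties the scanner rules care about: the request targets the Named
// Credential, and Apex did not build the Authorization header itself.
@IsTest
private class ExternalSaasClientTest {

    private class EndpointCheckingMock implements HttpCalloutMock {
        public HttpResponse respond(HttpRequest req) {
            System.assert(req.getEndpoint().startsWith('callout:External_SaaS/'),
                'Callout must go through the Named Credential, got: ' + req.getEndpoint());
            System.assertEquals(null, req.getHeader('Authorization'),
                'Authorization must be injected by the Named Credential, not set in Apex');
            HttpResponse res = new HttpResponse();
            res.setStatusCode(200);
            res.setBody('{"records":[]}'); // constructed sample response
            return res;
        }
    }

    @IsTest
    static void calloutUsesNamedCredential() {
        Test.setMock(HttpCalloutMock.class, new EndpointCheckingMock());
        HttpResponse res = ExternalSaasClient.fetchRecords();
        System.assertEquals(200, res.getStatusCode());
    }
}
```

If a Remote Site Setting is still required for some other reason, keep its `url` on `https://` and leave `disableProtocolSecurity` unset (it defaults to false); those are the two fields the remote-site-setting rules inspect. Anything that remains flagged after this, such as a weakness in the platform's own API behaviour, is what the false-positive document in step 3 should describe.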