A vulnerability was found on my external web server, not in the package itself. After fixing it, do I need to resubmit the package for review?
Answer
Yes, you need to resubmit your Salesforce package for review after fixing a vulnerability on an external web server. Be sure to include updated Dynamic Application Security Test (DAST) scan reports and document your responses to any false positives. Ensure all required materials for the follow-up review are provided, as outlined in the security review guidelines.
Recommended Answer Update
Yes, you need to resubmit your Salesforce package for review after fixing a vulnerability on an external web server. Be sure to include updated Dynamic Application Security Test (DAST) scan reports and document your responses to any false positives. Ensure all required materials for the follow-up review are provided, as outlined in the security review guidelines.
Reasoning
The current answer is well-structured and accurate, providing clear guidance on the resubmission requirement. No major changes are needed as the content correctly addresses the question about external web server vulnerabilities requiring package resubmission. The answer appropriately mentions DAST scan reports and documentation requirements.

I selected three security rules that relate to external web applications and endpoint security:

ApexInsecureEndpoint relates to the FAQ's focus on external web server vulnerabilities because it flags insecure HTTP endpoints in Apex code that could introduce similar vulnerabilities.

AvoidInsecureHttpRemoteSiteSetting is relevant because external web server vulnerabilities often involve HTTP vs HTTPS configurations, and this rule prevents insecure HTTP remote site settings.

UseHttpsCallbackUrlConnectedApp applies because external web applications often involve callback URLs and this rule ensures secure HTTPS usage for connected app callbacks, which is directly related to external web server security posture.