FAQ-000862 - External Platform Security / Off-Platform and External Service Integration

Current Status:VALID_RESPONSEErrorUnable to AnswerSuggests Case

← Back to List View Prompt Template

Current FAQ

Question
What security requirements apply to applications that aren't directly embedded in Salesforce?
Answer
Applications not directly embedded in Salesforce must follow these security requirements to ensure data protection and secure integration: 1. **Credential Storage**: - For server applications, encrypt credentials using AES-128 or higher, and store encryption keys securely (separate from the database layer). - For client applications, use a secure keychain or keystore provided by the vendor. 2. **Sensitive Data Handling**: - Avoid writing sensitive data (e.g., social security numbers, API tokens) to debug logs or storing it in unencrypted form. - Ensure compliance with industry-specific standards. 3. **OAuth and Authorization**: - Use OAuth for third-party integrations and request only the minimum permissions necessary. - Do not store Salesforce usernames and passwords. 4. **Remote Site Settings**: - Use HTTPS for connections to third-party sites, meeting certificate and SSL configuration requirements. - Avoid arbitrary servers or schemes unless justified by a valid business case. 5. **Security Testing**: - Conduct thorough security testing, including manual and automated scans, to identify vulnerabilities. - Test external endpoints involved in data transfer or user authentication. 6. **Debug Logs**: - Do not include sensitive information (e.g., cryptographic secrets, API credentials, passwords) in debug logs. - Avoid logging entire requests or responses containing authentication data. These measures are critical to maintaining the security and integrity of applications interacting with Salesforce.

Enhancing FAQ with AI recommendations...

AI Recommended Enhancement

Related Security Rules (click to view)
ApexBadCryptoApexInsecureEndpointApexSuggestUsingNamedCredAvoidHardcodedCredentialsInFieldDeclsAvoidHardcodedCredentialsInHttpHeaderAvoidHardcodedCredentialsInVarAssignAvoidHardcodedCredentialsInVarDeclsAvoidInsecureHttpRemoteSiteSettingAvoidDisableProtocolSecurityRemoteSiteSettingProtectSensitiveDataUseHttpsCallbackUrlConnectedApp
Question
What security requirements apply to applications that aren't directly embedded in Salesforce?
Recommended Answer Update
Applications not directly embedded in Salesforce must follow these security requirements to ensure data protection and secure integration: 1. **Credential Storage**: - For server applications, encrypt credentials using AES-256 or higher, and store encryption keys securely (separate from the database layer). - For client applications, use a secure keychain or keystore provided by the vendor. 2. **Sensitive Data Handling**: - Avoid writing sensitive data (e.g., social security numbers, API tokens) to debug logs or storing it in unencrypted form. - Ensure compliance with industry-specific standards. 3. **OAuth and Authorization**: - Use OAuth for third-party integrations and request only the minimum permissions necessary. - Don't store Salesforce usernames and passwords. 4. **Remote Site Settings**: - Use HTTPS for connections to third-party sites, meeting certificate and SSL configuration requirements. - Avoid arbitrary servers or schemes unless justified by a valid business case. 5. **Security Testing**: - Conduct thorough security testing, including manual and automated scans, to identify vulnerabilities. - Test external endpoints involved in data transfer or user authentication. 6. **Debug Logs**: - Don't include sensitive information (e.g., cryptographic secrets, API credentials, passwords) in debug logs. - Avoid logging entire requests or responses containing authentication data. These measures are critical to maintaining the security and integrity of applications interacting with Salesforce.
Reasoning
The primary improvement needed is updating the encryption recommendation from AES-128 to AES-256, as AES-128 is becoming outdated and the security rules emphasize stronger cryptographic practices. I also made minor style improvements to use contractions ('Don't' instead of 'Do not') to match the conversational tone guidelines while preserving all original content and structure. Regarding the selected security rules: - ApexBadCrypto: Directly relates to the FAQ's discussion of credential encryption using AES standards - ApexInsecureEndpoint: Connects to the FAQ's requirement for HTTPS connections to third-party sites - ApexSuggestUsingNamedCred: Relevant to the OAuth and credential storage recommendations - AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls: All relate to the FAQ's guidance on avoiding hardcoded credentials and proper credential storage - AvoidInsecureHttpRemoteSiteSetting: Directly supports the FAQ's requirement for HTTPS in remote site settings - AvoidDisableProtocolSecurityRemoteSiteSetting: Relates to the FAQ's emphasis on secure SSL configuration - ProtectSensitiveData: Connects to multiple FAQ points about sensitive data handling and debug logs - UseHttpsCallbackUrlConnectedApp: Supports the FAQ's OAuth security requirements
Reasoning References