What are the security review guidelines for an application architecture that involves an external service accessing Salesforce metadata via OAuth?
Answer
For an application architecture involving an external service accessing Salesforce metadata via OAuth, the security review guidelines include:
1. **OAuth Usage**: Use OAuth as the preferred integration mechanism. Request only the minimum permissions necessary for the app's functionality.
2. **Authorization Scope**: Ensure the app performs only authorized actions within the permissions granted during installation. Avoid unrelated or excessive actions.
3. **Credential Handling**: Do not store Salesforce usernames and passwords. Use OAuth tokens for API calls instead.
4. **Secure Connections**: Configure remote site settings and HTTP request endpoints securely. Use HTTPS and meet certificate and SSL configuration requirements. Avoid arbitrary servers or schemes unless justified by a valid business case.
5. **Sensitive Data Protection**: Do not log sensitive information like API credentials or cryptographic secrets in debug logs.
6. **Metadata API Access**:
- Arbitrary reads are allowed to view org settings or configurations.
- Writes are restricted to objects owned by the package (e.g., updating picklist values or creating layouts for custom fields).
7. **API Session IDs**: Limit the use of session IDs to specific cases like AJAX Toolkit or partner REST/SOAP API for data access. Use a connected app for other operations.
8. **Secure External Endpoints**: Ensure secure data and credential transfer with external endpoints. Obtain permissions for security testing on third-party endpoints.
These guidelines ensure secure and compliant integration with Salesforce metadata via OAuth.
What are the security review guidelines for an application architecture that involves an external service accessing Salesforce metadata via OAuth?
Recommended Answer Update
For an application architecture involving an external service accessing Salesforce metadata via OAuth, the security review guidelines include:
1. **OAuth Usage**: Use OAuth as the preferred integration mechanism. Request only the minimum permissions necessary for the app's functionality.
2. **Authorization Scope**: Ensure the app performs only authorized actions within the permissions granted during installation. Avoid unrelated or excessive actions.
3. **Credential Handling**: Don't store Salesforce usernames and passwords. Use OAuth tokens for API calls instead.
4. **Secure Connections**: Configure remote site settings and HTTP request endpoints securely. Use HTTPS and meet certificate and SSL configuration requirements. Avoid arbitrary servers or schemes unless justified by a valid business case.
5. **Sensitive Data Protection**: Don't log sensitive information like API credentials or cryptographic secrets in debug logs.
6. **Metadata API Access**:
- Arbitrary reads are allowed to view org settings or configurations.
- Writes are restricted to objects owned by the package (e.g., updating picklist values or creating layouts for custom fields).
7. **API Session IDs**: Limit the use of session IDs to specific cases like AJAX Toolkit or partner REST/SOAP API for data access. Use a connected app for other operations.
8. **Secure External Endpoints**: Ensure secure data and credential transfer with external endpoints. Obtain permissions for security testing on third-party endpoints.
These guidelines ensure secure and compliant integration with Salesforce metadata via OAuth.
Reasoning
The main updates improve clarity and tone by using more conversational language ("Don't" instead of "Do not") and adjusting phrasing to be more direct and actionable. No technical content was changed as it aligns with current security requirements.
The selected security rules all directly relate to the content discussed in the FAQ:
- **ApexInsecureEndpoint** relates to point 4 about configuring HTTP request endpoints securely
- **AvoidInsecureHttpRemoteSiteSetting** and **AvoidDisableProtocolSecurityRemoteSiteSetting** relate to point 4's guidance on secure remote site settings and HTTPS requirements
- **ApexSuggestUsingNamedCred** connects to points 3 and 5 about secure credential handling
- **AvoidApiSessionId**, **AvoidUnauthorizedApiSessionIdInApex**, and **AvoidUnauthorizedGetSessionIdInApex** all directly relate to point 7's specific guidance on limiting session ID usage
- **AvoidHardcodedCredentialsInFieldDecls**, **AvoidHardcodedCredentialsInVarDecls**, **AvoidHardcodedCredentialsInVarAssign**, and **AvoidHardcodedCredentialsInHttpHeader** all support points 3 and 5 regarding proper credential handling and avoiding hardcoded secrets
- **LimitConnectedAppScope** relates to points 1 and 2 about requesting minimum necessary permissions and proper OAuth scope management
- **UseHttpsCallbackUrlConnectedApp** supports point 4's emphasis on secure HTTPS connections
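Points 3, 4, 5 and 7 of the answer and the rules mapped to them above, shown as an added Apex example that is not part of the original answer or of any Salesforce code: the first class is the callout pattern those rules flag, the second is the Named Credential form that satisfies them. The Named Credential name Metadata_Sync, the path and the host are assumptions.

```apex
// Added example (not from the original page). Pattern the rules flag:
// plain http endpoint, session ID reused as a bearer token, a hardcoded
// API key, and the secret written to the debug log.
public with sharing class MetadataSyncInsecure {
    public static HttpResponse push(String body) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://sync.example.com/metadata');        // ApexInsecureEndpoint
        req.setMethod('POST');
        req.setHeader('Authorization', 'Bearer ' + UserInfo.getSessionId()); // AvoidApiSessionId
        String apiKey = 'sk_live_PLACEHOLDER';                        // AvoidHardcodedCredentialsInVarDecls
        req.setHeader('X-Api-Key', apiKey);                          // AvoidHardcodedCredentialsInHttpHeader
        System.debug('Calling with key ' + apiKey);                  // secret in debug log (point 5)
        req.setBody(body);
        return new Http().send(req);
    }
}

// Hardened form: the Named Credential (assumed name Metadata_Sync) holds the
// HTTPS host and the OAuth token, so no credential, session ID or remote site
// setting appears in Apex, and the log never carries headers or secrets.
public with sharing class MetadataSyncSecure {
    public static HttpResponse push(String body) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Metadata_Sync/metadata');           // ApexSuggestUsingNamedCred
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setBody(body);
        req.setTimeout(30000);
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() < 200 || res.getStatusCode() >= 300) {
            // Log only the status, never the request headers or body.
            System.debug(LoggingLevel.ERROR, 'Metadata sync failed: HTTP ' + res.getStatusCode());
        }
        return res;
    }
}
```

The Named Credential is configured as an OAuth 2.0 authentication provider in Setup, so the token refresh and HTTPS certificate checks happen on the platform side rather than in package code.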