FAQ-000873 - External Platform Security / Security Design and Architecture


Current FAQ

Question
What is the recommended security architecture for a managed package that includes an external client application?
Answer
The recommended security architecture for a managed package that includes an external client application includes the following:

1. **Secure Storage**
   - Use protected custom metadata to securely store secrets and credentials required for authentication, as an alternative to Named Credentials.
2. **Secure External Callouts**
   - Ensure all external callouts are properly secured and documented.
   - Provide URLs and login credentials for external components requiring authentication.
3. **Thorough Security Review**
   - Run tools like Checkmarx and Dynamic Application Security Test (DAST) scans to identify and address vulnerabilities.
4. **Address Common Vulnerabilities**
   - Resolve issues related to CRUD permissions, Field-Level Security (FLS) settings, and unauthorized access risks before submitting for review.
5. **Submit Required Materials**
   - Provide updated scan reports, false positive documentation (if applicable), and solution documentation during the security review process.

For more detailed guidance, refer to Salesforce Partner Community resources and the Security Review Submission Requirements Checklist Builder.

AI Recommended Enhancement

Related Security Rules

- ApexSuggestUsingNamedCred
- ApexInsecureEndpoint
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInHttpHeader
- ApexCRUDViolation
- ApexSharingViolations
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
Question
What is the recommended security architecture for a managed package that includes an external client application?
Recommended Answer Update
The recommended security architecture for a managed package that includes an external client application includes the following:

1. **Secure Storage**
   - Use Named Credentials as the primary method to securely store secrets and credentials required for authentication. Protected custom metadata can be used as an alternative when Named Credentials aren't suitable for your specific use case.
2. **Secure External Callouts**
   - Ensure all external callouts use HTTPS endpoints and are properly secured and documented.
   - Provide URLs and login credentials for external components requiring authentication.
3. **Thorough Security Review**
   - Run tools like Checkmarx and Dynamic Application Security Test (DAST) scans to identify and address vulnerabilities.
4. **Address Common Vulnerabilities**
   - Resolve issues related to CRUD permissions, Field-Level Security (FLS) settings, and unauthorized access risks before submitting for review.
5. **Submit Required Materials**
   - Provide updated scan reports, false positive documentation (if applicable), and solution documentation during the security review process.

For more detailed guidance, refer to Salesforce Partner Community resources and the Security Review Submission Requirements Checklist Builder.
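The following Apex class is an added illustration of points 1, 2 and 4 from both versions of the answer above; it is not code from this FAQ, from Salesforce, or from any particular package. It assumes a Named Credential named `Partner_API`, a protected custom metadata type `Partner_Setting__mdt` with a text field `Api_Key__c` and a record `Default`, a custom object `Partner_Record__c` with a field `External_Id__c`, and a placeholder host `partner.example.invalid`; all of these names are assumptions, not values from the page.

```apex
// Added example (not from the FAQ or from Salesforce). Assumed names: Named Credential
// "Partner_API", protected custom metadata "Partner_Setting__mdt.Api_Key__c" (record "Default"),
// custom object "Partner_Record__c" with "External_Id__c", placeholder host partner.example.invalid.
public with sharing class PartnerCalloutService {

    public class AccessDeniedException extends Exception {}
    public class InsecureEndpointException extends Exception {}

    // Point 1 (primary): the callout: scheme makes the platform inject the credential
    // stored in the Named Credential. No host, user name or secret appears in code,
    // which is what the AvoidHardcodedCredentials* rules check for.
    private static final String NAMED_CREDENTIAL = 'callout:Partner_API';

    // Point 1 (alternative): a protected custom metadata record in a managed package is
    // readable only by Apex in the package namespace, so subscriber admins cannot view the key.
    private static String metadataApiKey() {
        Partner_Setting__mdt setting = Partner_Setting__mdt.getInstance('Default');
        return setting == null ? null : setting.Api_Key__c;
    }

    // Point 2: HTTPS-only callouts. The Named Credential path inherits the scheme configured
    // in Setup; the explicit scheme check guards the metadata-driven alternative path.
    public static HttpResponse fetchRecord(String externalId, Boolean useNamedCredential) {
        HttpRequest req = new HttpRequest();
        req.setMethod('GET');
        req.setTimeout(10000);
        String path = '/records/' + EncodingUtil.urlEncode(externalId, 'UTF-8');

        if (useNamedCredential) {
            req.setEndpoint(NAMED_CREDENTIAL + path);
        } else {
            String endpoint = 'https://partner.example.invalid' + path; // assumed host
            if (!endpoint.startsWithIgnoreCase('https://')) {
                throw new InsecureEndpointException('Refusing non-HTTPS endpoint: ' + endpoint);
            }
            req.setEndpoint(endpoint);
            // Header value is read from protected metadata at runtime, never a string literal.
            req.setHeader('X-API-Key', metadataApiKey());
        }
        return new Http().send(req);
    }

    // Point 4: enforce object CRUD and field-level security before DML on subscriber data.
    // isCreateable() covers the object permission; stripInaccessible removes any field
    // the running user may not create instead of silently writing it.
    public static List<Partner_Record__c> saveRecords(List<Partner_Record__c> incoming) {
        if (!Schema.sObjectType.Partner_Record__c.isCreateable()) {
            throw new AccessDeniedException('No create access on Partner_Record__c');
        }
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.CREATABLE, incoming);
        List<Partner_Record__c> safe = (List<Partner_Record__c>) decision.getRecords();
        insert safe;
        return safe;
    }

    // Read side: WITH SECURITY_ENFORCED makes the query throw rather than return
    // fields the running user cannot read; "with sharing" on the class applies record-level sharing.
    public static List<Partner_Record__c> findByExternalId(String externalId) {
        return [SELECT Id, External_Id__c
                FROM Partner_Record__c
                WHERE External_Id__c = :externalId
                WITH SECURITY_ENFORCED
                LIMIT 1];
    }
}
```

A reviewer running the rules listed above against this class would find no hard-coded credential, no `http://` endpoint, and CRUD/FLS checks on both the DML and the SOQL paths; the remaining items in the answer (DAST and Checkmarx scans, scan reports, false-positive documentation) are review-process artifacts rather than code.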
Reasoning
The main issue was with the secure storage recommendation. The original answer suggested using protected custom metadata as the primary alternative to Named Credentials, but this conflicts with security best practices. The ApexSuggestUsingNamedCred rule specifically recommends Named Credentials as the preferred approach for storing authentication credentials. I corrected this to position Named Credentials as the primary method and protected custom metadata as an alternative for specific use cases. I also enhanced the external callouts section to explicitly mention HTTPS endpoints, which aligns with the ApexInsecureEndpoint rule that flags non-HTTPS endpoints as security risks.

For the selected security rules:

- ApexSuggestUsingNamedCred: Directly relates to the FAQ's discussion of "securely store secrets and credentials required for authentication" and the mention of Named Credentials as an alternative
- ApexInsecureEndpoint: Relates to the FAQ's guidance on "ensure all external callouts are properly secured"
- AvoidHardcodedCredentials* rules (FieldDecls, VarAssign, VarDecls, HttpHeader): All relate to the secure storage of credentials mentioned in point 1
- ApexCRUDViolation and ApexSharingViolations: Directly correspond to the FAQ's mention of "CRUD permissions, Field-Level Security (FLS) settings, and unauthorized access risks"
- AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting: Relate to the external callouts security requirements discussed in point 2