FAQ-000881 - External Platform Security / Security Scanning and Testing


Current FAQ

Question
How should reverse proxy configurations and security scanning be handled for AppExchange applications?
Answer
Reverse proxy configurations and security scanning for AppExchange applications should be handled as part of the security review process. Here's what you need to do:

1. Perform security scans on all external endpoints that operate independently of the Salesforce platform.
2. Use tools like the Source Code Scanner (Checkmarx) available on the Partner Security Portal to identify vulnerabilities.
3. Document any false-positive security violations.
4. Ensure all code complies with Salesforce security guidelines.

This approach ensures your application meets the required security standards.

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
Question
How should reverse proxy configurations and security scanning be handled for AppExchange applications?
Recommended Answer Update
Reverse proxy configurations and security scanning for AppExchange applications should be handled as part of the security review process. Here's what you need to do:

1. Perform security scans on all external endpoints that operate independently of the Salesforce platform.
2. Use tools like Salesforce Code Analyzer available on the Partner Security Portal to identify vulnerabilities.
3. Document any false-positive security violations.
4. Ensure all code complies with Salesforce security guidelines.

This approach ensures your application meets the required security standards.
Reasoning
The main issue identified is outdated tooling information. The answer references 'Source Code Scanner (Checkmarx)', which is outdated terminology. The current tool is 'Salesforce Code Analyzer', which replaced the older Checkmarx-based scanner. This update ensures developers use the correct current tool name when performing security scanning. All other content remains accurate and comprehensive.

For the security rules selected:
- ApexInsecureEndpoint: This rule directly relates to the FAQ's focus on scanning external endpoints, as it identifies insecure HTTP endpoints in Apex code that would be caught during the security scanning process described.
- AvoidInsecureHttpRemoteSiteSetting: This rule is relevant because external endpoints often require remote site settings, and this rule ensures HTTPS is used, which aligns with the security scanning requirements mentioned.
- AvoidDisableProtocolSecurityRemoteSiteSetting: This rule relates to the security guidelines compliance mentioned in point 4, as it prevents disabling protocol security in remote site settings.
- UseHttpsCallbackUrlConnectedApp: This rule is relevant to external endpoint security mentioned in point 1, ensuring callback URLs use HTTPS for secure communication.
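As an added example that is not part of this FAQ and is not Salesforce Code Analyzer's own code: a small Python pre-submission check that applies the four rule names above to a constructed sample package, so a developer can see what each rule is looking for before running the real scanner. The matching logic is an approximation of each rule as described in the reasoning (hard-coded http:// callout endpoints in Apex, http:// or disableProtocolSecurity in RemoteSiteSetting metadata, http:// OAuth callback URLs in ConnectedApp metadata), not the Code Analyzer implementation; the file names, URLs and the Partner_API Named Credential are constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple

NS = "{http://soap.sforce.com/2006/04/metadata}"
# Apex callout whose endpoint literal starts with plain http://
HTTP_ENDPOINT = re.compile(r"""setEndpoint\(\s*['"]http://""", re.IGNORECASE)

# Constructed sample package files; none of these come from a real AppExchange package.
SAMPLE_FILES: Dict[str, str] = {
    "classes/InsecureCallout.cls": """
public with sharing class InsecureCallout {
    public static String fetch() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.example.com/data');   // plain HTTP: flagged
        req.setMethod('GET');
        return new Http().send(req).getBody();
    }
}
""",
    "classes/SecureCallout.cls": """
public with sharing class SecureCallout {
    public static String fetch() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/data');      // endpoint resolved from a Named Credential
        req.setMethod('GET');
        return new Http().send(req).getBody();
    }
}
""",
    "remoteSiteSettings/Partner_API_weak.remoteSite-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://api.example.com</url>
</RemoteSiteSetting>
""",
    "remoteSiteSettings/Partner_API.remoteSite-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>false</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>https://api.example.com</url>
</RemoteSiteSetting>
""",
    "connectedApps/Partner_App.connectedApp-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Partner App</label>
    <oauthConfig>
        <callbackUrl>https://app.example.com/oauth/callback
http://app.example.com/oauth/callback</callbackUrl>
        <scopes>Api</scopes>
    </oauthConfig>
</ConnectedApp>
""",
}


class Finding(NamedTuple):
    rule: str
    path: str
    line: int        # 0 for metadata files, where the XML element is the unit
    detail: str


def check_apex(path: str, source: str) -> List[Finding]:
    """ApexInsecureEndpoint (approx.): setEndpoint() with a hard-coded http:// URL."""
    return [Finding("ApexInsecureEndpoint", path, n, "callout endpoint uses plain HTTP")
            for n, line in enumerate(source.splitlines(), 1) if HTTP_ENDPOINT.search(line)]


def check_remote_site(path: str, xml_text: str) -> List[Finding]:
    """AvoidInsecureHttpRemoteSiteSetting / AvoidDisableProtocolSecurityRemoteSiteSetting (approx.)."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    url = (root.findtext(NS + "url") or "").strip()
    if url.lower().startswith("http://"):
        findings.append(Finding("AvoidInsecureHttpRemoteSiteSetting", path, 0, f"remote site URL is plain HTTP: {url}"))
    if (root.findtext(NS + "disableProtocolSecurity") or "").strip().lower() == "true":
        findings.append(Finding("AvoidDisableProtocolSecurityRemoteSiteSetting", path, 0, "disableProtocolSecurity is true"))
    return findings


def check_connected_app(path: str, xml_text: str) -> List[Finding]:
    """UseHttpsCallbackUrlConnectedApp (approx.): every OAuth callback URL must be https://."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for cb in root.iter(NS + "callbackUrl"):
        for url in (cb.text or "").split():   # multiple callback URLs are newline separated
            if url.lower().startswith("http://"):
                findings.append(Finding("UseHttpsCallbackUrlConnectedApp", path, 0, f"callback URL is plain HTTP: {url}"))
    return findings


def scan(files: Dict[str, str]) -> List[Finding]:
    """Dispatch each package file to the checker for its metadata type."""
    findings: List[Finding] = []
    for path, content in files.items():
        if path.endswith(".cls"):
            findings += check_apex(path, content)
        elif path.endswith(".remoteSite-meta.xml"):
            findings += check_remote_site(path, content)
        elif path.endswith(".connectedApp-meta.xml"):
            findings += check_connected_app(path, content)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.rule}: {f.path}:{f.line} {f.detail}")
```

Run against the sample package, the checker reports exactly one finding per rule: the http:// callout in InsecureCallout.cls, both problems in the weak RemoteSiteSetting, and the http:// callback in the ConnectedApp; SecureCallout.cls and the corrected RemoteSiteSetting produce nothing. Anything the real scanner then reports that this pre-check did not is worth a second look before it is written up as a false positive (step 3 of the answer).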