FAQ-000886 - External Platform Security / Third-Party API Integration Security


Current FAQ

Question
How do I handle security review failures caused by third-party API configurations I cannot control?
Answer
To handle security review failures caused by third-party API configurations you can't control, follow these steps:

1. **Document the Issue**: Provide detailed information about the third-party API and its configurations.
2. **Request Security Reports**: Obtain security certifications or reports (e.g., penetration test results) from the third-party provider to show their security measures.
3. **Request Updates**: If the issue involves outdated configurations (like TLS 1.0/1.1), ask the provider to update their settings.
4. **Remove References**: If the issue is unresolved and poses a significant risk, consider removing the third-party API from your package.
5. **Explain in Submission**: Include a detailed explanation of the issue, your mitigation efforts, or justifications in your submission to help the review team understand the context.

These steps can help address the impact of third-party configurations on your security review.

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- AvoidDisableProtocolSecurityRemoteSiteSetting
- AvoidInsecureHttpRemoteSiteSetting
- ApexSuggestUsingNamedCred
Question
How do I handle security review failures caused by third-party API configurations I cannot control?
Recommended Answer Update
Identical to the current answer above; no changes were recommended.
Reasoning
The FAQ content is well-structured and covers the key aspects of handling third-party API security issues that are outside of a developer's direct control. The answer provides practical steps that align with security best practices. No significant changes are needed, as the content is current and accurate.

Regarding the related security rules:

1. **ApexInsecureEndpoint** - This rule relates directly to the FAQ because it detects insecure HTTP (non-HTTPS) endpoints in Apex callouts. The FAQ's "third-party API configurations" and "outdated configurations (like TLS 1.0/1.1)" describe the same class of transport-security weakness that this rule flags when the endpoint is hard-coded in code.
2. **AvoidDisableProtocolSecurityRemoteSiteSetting** - This rule is relevant because third-party API integration often requires Remote Site Settings configuration. The FAQ's discussion of "third-party API configurations you can't control" includes scenarios where developers might be tempted to disable protocol security to work around third-party limitations.
3. **AvoidInsecureHttpRemoteSiteSetting** - This rule applies directly to the FAQ's context of third-party API security issues. When the FAQ mentions problems with third-party providers using insecure configurations, this rule identifies Remote Site Settings configured to allow insecure HTTP connections to those APIs.
4. **ApexSuggestUsingNamedCred** - This rule relates to the FAQ because proper credential management is crucial when integrating with third-party APIs. The FAQ's advice about "Request Security Reports" and documenting security measures ties into the broader practice of secure API integration that Named Credentials support.
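As an added illustration (not part of the FAQ or of the rule definitions), the Apex below places the callout pattern that ApexInsecureEndpoint flags next to the Named Credential form that ApexSuggestUsingNamedCred recommends. The class name, the Named Credential name `Partner_API` and the endpoint host are assumptions made for the example.

```apex
public with sharing class PartnerApiClient {

    // Anti-pattern: a hard-coded plaintext http:// endpoint.
    // This is what ApexInsecureEndpoint reports, and it also needs a
    // Remote Site Setting for the host, which AvoidInsecureHttpRemoteSiteSetting
    // would flag if that setting allows HTTP.
    public static HttpResponse fetchStatusInsecure() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.example-partner.invalid/v1/status'); // assumed host
        req.setMethod('GET');
        return new Http().send(req);
    }

    // Preferred form: route the callout through a Named Credential.
    // 'Partner_API' is an assumed Named Credential whose URL is configured
    // as https://... in Setup; the endpoint and any authentication header
    // live in metadata rather than in code, and no Remote Site Setting is
    // required for the host.
    public static HttpResponse fetchStatus() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/v1/status');
        req.setMethod('GET');
        req.setTimeout(10000); // fail fast instead of hanging on a slow provider
        Http http = new Http();
        HttpResponse res = http.send(req);
        if (res.getStatusCode() != 200) {
            // Surface the failure so callers do not silently treat it as success
            throw new CalloutException('Partner API returned ' + res.getStatusCode());
        }
        return res;
    }
}
```

Moving to the Named Credential form resolves the findings that originate in your own code and configuration. It cannot change what the provider's server offers: if the provider only serves plaintext HTTP or negotiates only TLS 1.0/1.1, the callout still fails or remains insecure, and that is the situation the five steps in the FAQ (document, request reports, request updates, remove the reference, explain in the submission) are meant to address.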