FAQ-000887 - External Platform Security / Third-Party API Integration Security


Current FAQ

Question
How should I address OWASP Top 10 vulnerabilities found in an external API that my application uses?
Answer
To address OWASP Top 10 vulnerabilities in an external API your application uses, follow these steps:

1. **Security Assessment**: Use tools like OWASP ZAP or Burp Suite to scan the API (with the provider's consent).
2. **Input and Output Validation**: Validate inputs to prevent injection attacks and sanitize API responses to protect sensitive data.
3. **Authentication and Authorization**: Use secure methods like OAuth 2.0 and ensure proper authorization checks.
4. **Encrypt Data in Transit**: Use HTTPS to secure data transmission.
5. **Protect Sensitive Data**: Avoid passing sensitive info (e.g., API keys) in URLs or GET requests; use secure storage.
6. **Rate Limiting and Throttling**: Implement mechanisms to prevent abuse.
7. **Monitor and Log**: Enable logging to detect suspicious activities.
8. **Address Specific Vulnerabilities**: Ensure the API and your app mitigate vulnerabilities like injection, broken authentication, and sensitive data exposure.
9. **Collaborate with the Provider**: Share findings with the API provider and request fixes if needed.
10. **Document and Resubmit**: Document findings and mitigations for security reviews, including scan reports if required.

If you need more help, consider scheduling a technical office hours session or raising a support case.

AI Recommended Enhancement

Related Security Rules

- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInHttpHeader
- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
Question
How should I address OWASP Top 10 vulnerabilities found in an external API that my application uses?
Recommended Answer Update
To address OWASP Top 10 vulnerabilities in an external API your application uses, follow these steps:

1. **Security Assessment**: Use tools like OWASP ZAP or Burp Suite to scan the API (with the provider's consent).
2. **Input and Output Validation**: Validate inputs to prevent injection attacks and sanitize API responses to protect sensitive data.
3. **Authentication and Authorization**: Use secure methods like OAuth 2.0 and ensure proper authorization checks.
4. **Encrypt Data in Transit**: Use HTTPS to secure data transmission.
5. **Protect Sensitive Data**: Avoid passing sensitive info (e.g., API keys) in URLs or GET requests. Use Named Credentials to securely store and manage API credentials instead of hardcoding them.
6. **Rate Limiting and Throttling**: Implement mechanisms to prevent abuse.
7. **Monitor and Log**: Enable logging to detect suspicious activities.
8. **Address Specific Vulnerabilities**: Ensure the API and your app mitigate vulnerabilities like injection, broken authentication, and sensitive data exposure.
9. **Collaborate with the Provider**: Share findings with the API provider and request fixes if needed.
10. **Document and Resubmit**: Document findings and mitigations for security reviews, including scan reports if required.

If you need more help, consider scheduling a technical office hours session or raising a support case.
Reasoning
The FAQ content is largely accurate and well-structured. The main improvement needed is in point 5 about protecting sensitive data. The current text mentions using "secure storage" but doesn't specifically reference Salesforce's recommended approach. Based on the ApexSuggestUsingNamedCred rule, Named Credentials are the preferred method for securely storing API credentials in Salesforce applications, so this should be explicitly mentioned.

For security rules selection:

- ApexSuggestUsingNamedCred: Directly relates to point 5 about secure storage of API credentials and the FAQ's discussion of protecting sensitive data like API keys
- AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInHttpHeader: All relate to the FAQ's guidance about not hardcoding sensitive information like API keys
- ApexInsecureEndpoint: Relates to point 4 about using HTTPS and ensuring secure data transmission
- AvoidInsecureHttpRemoteSiteSetting: Relates to the overall guidance about securing external API connections and ensuring HTTPS usage
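An added Apex example (not code from the FAQ or from Salesforce) showing the pattern the listed rules flag next to the Named Credential form recommended in point 5 and the HTTPS requirement of point 4. The Named Credential name `Partner_API`, the host `api.example.com` and the placeholder key are assumptions.

```apex
public with sharing class PartnerClient {

    // AvoidHardcodedCredentialsInFieldDecls: the secret is shipped in source
    // and lands in every org the package is installed in. Placeholder value.
    private static final String API_KEY = 'PLACEHOLDER_API_KEY';

    // BEFORE: what the scanner rules ApexInsecureEndpoint and
    // AvoidHardcodedCredentialsInHttpHeader report. Kept only for contrast.
    public static HttpResponse fetchOrdersInsecure() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.example.com/v1/orders');      // plaintext transport
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + API_KEY);      // key visible in code and debug logs
        return new Http().send(req);
    }

    // AFTER: the Named Credential "Partner_API" (assumed name) stores the
    // HTTPS base URL and the secret; the platform injects authentication at
    // callout time, so the key never appears in Apex, logs or version control.
    public static HttpResponse fetchOrders() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/v1/orders');
        req.setMethod('GET');
        req.setTimeout(10000);
        // If the credential is an API key rather than OAuth, a legacy Named
        // Credential can inject it via a merge field (requires "Allow Merge
        // Fields in HTTP Header" on the credential):
        // req.setHeader('X-Api-Key', '{!$Credential.Password}');
        HttpResponse res = new Http().send(req);

        // Point 2 of the FAQ: treat the external response as untrusted input.
        // Fail closed on anything but success instead of parsing an error body.
        if (res.getStatusCode() != 200) {
            throw new PartnerApiException('Partner API returned HTTP ' + res.getStatusCode());
        }
        return res;
    }

    public class PartnerApiException extends Exception {}
}
```

Once `fetchOrders()` replaces the insecure method, `API_KEY` and `fetchOrdersInsecure()` should be deleted entirely, since the rules flag the hardcoded field even if it is no longer referenced.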