FAQ-000889 - External Platform Security / Third-Party API Integration Security

Current Status: VALID_RESPONSE

Current FAQ

Question
What steps should I take when security issues are identified in third-party APIs that my managed package integrates with?
Answer
To address security issues in third-party APIs integrated with your managed package, follow these steps:

1. **Submit Scan Reports**: Provide scan reports for every third-party integration, together with authentication credentials and API documentation where available.
2. **Secure Sensitive Data**: Store secrets such as API keys in protected custom settings or protected custom metadata types, never hardcoded in Apex, and ensure they are not editable through the License Management Application (LMA).
3. **Validate API Calls**: Have the external service verify that requests actually originate from a Salesforce org, for example by checking a unique token stored in protected custom metadata, or by exposing only a restricted REST API endpoint.
4. **Follow Secure Coding Practices**: Avoid vulnerable coding patterns and adhere to secure coding guidelines.
5. **Fix Vulnerabilities**: Address findings such as insecure data storage, outdated software, and TLS/SSL configuration problems. For vulnerabilities in the provider's own systems, work with the third-party provider to resolve them.
6. **Document False Positives**: If flagged issues are not actual vulnerabilities, create a document explaining why they are false positives.
7. **Ensure Compliance**: For sensitive data such as payment information, comply with standards such as PCI DSS and store as little of that data as possible.
8. **Thorough Testing**: Use tools such as Salesforce Code Analyzer and the Source Code Scanner to identify and fix security issues, and run additional scans on any open-source libraries you ship.
9. **Provide Documentation**: Include updated scan reports, false positive documentation, and any certifications or security reports from third-party providers in your security review submission.
10. **Engage with Salesforce Support**: Open a case for specific questions or attend technical office hours for guidance.

These steps will help ensure your third-party API integrations meet Salesforce's security standards.

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInHttpHeader
- ProtectSensitiveData
- ApexBadCrypto
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
Question
What steps should I take when security issues are identified in third-party APIs that my managed package integrates with?
Recommended Answer Update
To address security issues in third-party APIs integrated with your managed package, follow these steps:

1. **Submit Scan Reports**: Provide scan reports for every third-party integration, together with authentication credentials and API documentation where available.
2. **Secure Sensitive Data**: Store secrets such as API keys in protected custom settings, protected custom metadata types, or Named Credentials, never hardcoded in Apex, and ensure they're not editable through the License Management Application (LMA).
3. **Validate API Calls**: Have the external service verify that requests actually originate from a Salesforce org, for example by checking a unique token stored in protected custom metadata, or by exposing only a restricted REST API endpoint.
4. **Follow Secure Coding Practices**: Avoid vulnerable coding patterns and adhere to secure coding guidelines.
5. **Fix Vulnerabilities**: Address findings such as insecure data storage, outdated software, and TLS/SSL configuration problems. For vulnerabilities in the provider's own systems, work with the third-party provider to resolve them.
6. **Document False Positives**: If flagged issues aren't actual vulnerabilities, create a document explaining why they're false positives.
7. **Ensure Compliance**: For sensitive data such as payment information, comply with standards such as PCI DSS and store as little of that data as possible.
8. **Thorough Testing**: Use tools such as Salesforce Code Analyzer and the Source Code Scanner to identify and fix security issues, and run additional scans on any open-source libraries you ship.
9. **Provide Documentation**: Include updated scan reports, false positive documentation, and any certifications or security reports from third-party providers in your security review submission.
10. **Engage with Salesforce Support**: Open a case for specific questions or attend technical office hours for guidance.

These steps help ensure your third-party API integrations meet Salesforce's security standards.
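The concrete shape of steps 2 and 3, as an added example written for this page (it is not code from the FAQ or from Salesforce): the callout pattern the listed hardcoded-credential and insecure-endpoint rules flag, beside a hardened version that keeps the secret out of Apex and lets the external service confirm the caller is a Salesforce org. It assumes a Named Credential named `Partner_API` whose URL is the provider's HTTPS base, a protected custom metadata type `Integration_Secret__mdt` with a record `Default` and a text field `Shared_Secret__c`, and a hypothetical provider host and path; all of those names are assumptions, not anything the FAQ defines.

```apex
// Added example, not part of the FAQ. Assumed names: Named Credential "Partner_API",
// protected custom metadata type Integration_Secret__mdt (record "Default",
// field Shared_Secret__c), and a hypothetical provider at api.example-partner.test.
public with sharing class PartnerApiClient {

    public class PartnerApiException extends Exception {}

    // BEFORE: the pattern AvoidHardcodedCredentialsInHttpHeader, ApexInsecureEndpoint
    // and AvoidInsecureHttpRemoteSiteSetting report. The key is recoverable from the
    // package source and from any debug log of the request, and the plain http://
    // endpoint lets anyone on the path read it in transit.
    public static HttpResponse callInsecure(String payload) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.example-partner.test/v1/orders'); // hypothetical host
        req.setMethod('POST');
        req.setHeader('X-Api-Key', 'sk_live_0123456789abcdef');      // hardcoded secret
        req.setBody(payload);
        return new Http().send(req);
    }

    // AFTER: the provider credential lives in the Named Credential, so Salesforce
    // adds the Authorization header at callout time and the key never appears in
    // Apex, logs or a Remote Site Setting. The Named Credential's URL is https://.
    public static HttpResponse callSecure(String payload) {
        String orgId = UserInfo.getOrganizationId();
        String ts = String.valueOf(System.currentTimeMillis());

        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/v1/orders');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setTimeout(20000);
        // Step 3: let the external service prove the call came from a Salesforce org.
        // It recomputes the HMAC with the same shared secret, checks the org ID is one
        // it has licensed, and rejects timestamps outside a short window (replay).
        req.setHeader('X-Org-Id', orgId);
        req.setHeader('X-Timestamp', ts);
        req.setHeader('X-Org-Signature', signForOrg(orgId, ts, payload));
        req.setBody(payload);

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() < 200 || res.getStatusCode() >= 300) {
            // Status only: the response body may carry provider-side details.
            throw new PartnerApiException('Partner API returned HTTP ' + res.getStatusCode());
        }
        return res;
    }

    // The shared secret is read from a protected custom metadata type, which is
    // visible only to Apex in the package namespace, and is used as an HMAC key
    // rather than sent to the provider in clear.
    @TestVisible
    private static String signForOrg(String orgId, String ts, String payload) {
        Integration_Secret__mdt cfg = Integration_Secret__mdt.getInstance('Default');
        if (cfg == null || String.isBlank(cfg.Shared_Secret__c)) {
            throw new PartnerApiException('Integration secret is not configured');
        }
        Blob key = Blob.valueOf(cfg.Shared_Secret__c);
        String toSign = orgId + '\n' + ts + '\n' + payload;
        Blob mac = Crypto.generateMac('hmacSHA256', Blob.valueOf(toSign), key);
        return EncodingUtil.convertToHex(mac);
    }
}
```

The verification side (recompute the MAC, check the org ID against the licence list, enforce the timestamp window) runs in the provider's service and is outside the package, so it is what the scan reports and provider documentation in steps 1 and 9 need to cover. Because the endpoint is reached through `callout:Partner_API`, no Remote Site Setting is required, which also removes the two Remote Site Setting rules from the picture.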
Reasoning
The original content was comprehensive and accurate, requiring only minor tone and clarity improvements. I made the text more conversational by using contractions ("aren't" instead of "are not") and removing overly formal phrasing ("will help ensure" became "help ensure"). These changes align with the brand guidelines for maintaining a friendly, natural tone while preserving all technical accuracy. For security rules selection: ApexInsecureEndpoint relates to the FAQ's emphasis on secure API endpoints and TLS/SSL configuration. ApexSuggestUsingNamedCred directly connects to step 2's recommendation for storing API credentials securely. The hardcoded credentials rules (AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInHttpHeader) all relate to step 2's guidance on storing sensitive information like API keys securely rather than hardcoding them. ProtectSensitiveData connects to step 7's compliance requirements and data minimization practices. ApexBadCrypto relates to step 5's mention of fixing security vulnerabilities including cryptographic issues. AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting both relate to step 5 and the overall theme of securing third-party API communications through proper TLS/SSL configuration.