FAQ-000890 - External Platform Security / Third-Party API Integration Security


Current FAQ

Question
How should I proceed if the security review fails due to issues with a third-party API that I do not control?
Answer
If your security review fails due to issues with a third-party API that you do not control, here's how you can proceed:

1. **Request Security Reports**: Contact the third-party provider and ask for security reports, such as penetration test results or certifications, to include in your app submission.
2. **Request Updates**: If the issue involves outdated configurations (e.g., TLS 1.0/1.1), ask the provider to update their settings to meet current security standards.
3. **Remove References**: If the provider cannot resolve the issue, consider removing references to the third-party API from your managed package to avoid vulnerabilities.
4. **Document the Issue**: Provide detailed documentation of the issue and your efforts to resolve it. Include this in your submission for transparency.
5. **Open a Case**: Reach out to the security review team, explain the situation, and provide all supporting evidence, including the third-party's response and any mitigations you've implemented.

These steps will help you address the issue and move forward with the security review process.
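Step 2 asks the provider to retire TLS 1.0/1.1 and step 4 asks you to document what you found. The following added example (not code from the FAQ or from the security review team) probes which TLS versions an endpoint actually negotiates so the result can be attached as evidence in your request to the provider and in your submission; it assumes a hypothetical hostname passed on the command line and a Python build on OpenSSL.

```python
import socket
import ssl
import sys

PROBES = {  # version label -> ssl.TLSVersion member pinned for each probe
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = {"TLSv1.0", "TLSv1.1"}


def probe_version(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected' or 'untestable' for one pinned version.
    Only 'accepted'/'rejected' are evidence about the server, never 'untestable'."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.check_hostname = False  # protocol support only, not a cert check
        ctx.verify_mode = ssl.CERT_NONE
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let this client offer TLS 1.0/1.1
    except (ssl.SSLError, ValueError):
        return "untestable"  # our OpenSSL has that version compiled out
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError as e:  # NO_PROTOCOLS_AVAILABLE is a client-side refusal
        return "untestable" if e.reason == "NO_PROTOCOLS_AVAILABLE" else "rejected"
    except OSError:
        return "untestable"  # connect/timeout failure, not a protocol verdict


def probe_endpoint(host, port=443):
    return {label: probe_version(host, port, v) for label, v in PROBES.items()}


def assess(results):
    """Reduce probe results to the finding to document: deprecated versions the
    server still accepts, and whether a modern one is available as the fix."""
    legacy = sorted(v for v in DEPRECATED if results.get(v) == "accepted")
    modern = sorted(v for v in results if v not in DEPRECATED and results[v] == "accepted")
    return {"deprecated_accepted": legacy, "modern_accepted": modern,
            "needs_provider_update": bool(legacy)}


if __name__ == "__main__":  # usage: python tls_probe.py api.example.com
    print(assess(probe_endpoint(sys.argv[1])))
```

A result with `needs_provider_update` true and a non-empty `modern_accepted` list is the concrete ask for the provider: disable the listed legacy versions, since clients can already negotiate the modern ones.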

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- AvoidHardcodedCredentialsInHttpHeader
Question
How should I proceed if the security review fails due to issues with a third-party API that I do not control?
Recommended Answer Update
If your security review fails due to issues with a third-party API that you don't control, here's how you can proceed:

1. **Request Security Reports**: Contact the third-party provider and ask for security reports, such as penetration test results or certifications, to include in your app submission.
2. **Request Updates**: If the issue involves outdated configurations (e.g., TLS 1.0/1.1), ask the provider to update their settings to meet current security standards.
3. **Remove References**: If the provider can't resolve the issue, consider removing references to the third-party API from your managed package to avoid vulnerabilities.
4. **Document the Issue**: Provide detailed documentation of the issue and your efforts to resolve it. Include this in your submission for transparency.
5. **Open a Case**: Reach out to the security review team, explain the situation, and provide all supporting evidence, including the third-party's response and any mitigations you've implemented.

These steps will help you address the issue and move forward with the security review process.
Reasoning
The content was already well-structured and accurate, so minimal changes were needed. I made minor improvements for clarity and conciseness: changed 'that I do not control' to 'that you don't control' for consistency with the conversational tone in the answer, changed 'cannot' to 'can't' for a more conversational feel, and ensured consistent contraction usage throughout. The security advice remains comprehensive and accurate.

For security rule associations:

- ApexInsecureEndpoint relates to the FAQ's discussion of third-party API security issues, as this rule identifies insecure HTTP endpoints which could be relevant when evaluating third-party integrations
- ApexSuggestUsingNamedCred is relevant because the FAQ discusses third-party API integration security, and this rule promotes using Named Credentials for secure external API connections
- AvoidInsecureHttpRemoteSiteSetting applies because third-party API failures often involve insecure HTTP connections, which this rule detects
- AvoidDisableProtocolSecurityRemoteSiteSetting is relevant as protocol security issues (like TLS 1.0/1.1 mentioned in the FAQ) are exactly what this rule addresses
- AvoidHardcodedCredentialsInHttpHeader relates to the security concerns around third-party API authentication that could cause security review failures