How are third-party services like captchas, which may have unminified source code or support weak TLS, evaluated during security review?
Answer
Third-party services like captchas are evaluated during the AppExchange Security Review with the following considerations:
- **TLS Requirements**: TLS v1.2 or above is required, and weak ciphers (e.g., export or NULL) are not allowed. If the endpoint is not under your control (e.g., Google or Slack), exceptions may be granted if you provide an action plan.
- **Unminified Source Code**: The review ensures that unminified code does not introduce vulnerabilities or fail to meet security standards.
Let me know if you need further clarification!
How are third-party services like captchas, which may have unminified source code or support weak TLS, evaluated during security review?
Recommended Answer Update
Third-party services like captchas are evaluated during the AppExchange Security Review with the following considerations:
- **TLS Requirements**: TLS v1.2 or above is required, and weak ciphers (e.g., export or NULL) are not allowed. If the endpoint isn't under your control (e.g., Google or Slack), exceptions may be granted if you provide an action plan.
- **Unminified Source Code**: The review ensures that unminified code doesn't introduce vulnerabilities or fail to meet security standards.
Let me know if you need further clarification!
Reasoning
The FAQ content is accurate and addresses important security considerations for third-party services. I made minor improvements to enhance clarity and flow:
1. Changed "is not" to "isn't" for more conversational tone per brand guidelines
2. Changed "does not" to "doesn't" for consistency with conversational style
These changes align with the brand guideline to use contractions and maintain a conversational tone while preserving all technical content and structure.
For the security rules selection:
- **ApexInsecureEndpoint**: This rule directly relates to the FAQ's discussion of TLS requirements and secure endpoint connections for third-party services. The FAQ mentions "TLS v1.2 or above is required" which aligns with this rule's purpose of detecting insecure endpoints.
- **ApexSuggestUsingNamedCred**: This rule is relevant to the FAQ's context of integrating with third-party services, as named credentials are the recommended approach for secure external service authentication.
- **AvoidDisableProtocolSecurityRemoteSiteSetting**: This rule relates to the FAQ's emphasis on TLS requirements and secure connections to third-party services, as it prevents disabling protocol security.
- **AvoidInsecureHttpRemoteSiteSetting**: This rule directly supports the FAQ's TLS requirements discussion, as it prevents the use of insecure HTTP connections to remote sites, which is exactly what the FAQ addresses when discussing third-party service security.
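As an added illustration of the TLS requirement above and of what the four listed rules look for, the following Python audit is example code written for this page; it is not part of the FAQ, of Salesforce Code Analyzer, or of PMD. It scans a RemoteSiteSetting metadata file for a plain `http://` URL and for `disableProtocolSecurity` set to `true`, and scans an Apex callout for an `http://` endpoint or a hand-built `Authorization` header where a named credential (`callout:` endpoint) is not in use. The matching heuristics are a simplified approximation of the real rules, the metadata and Apex snippets are constructed here, and the hostname `captcha.example.invalid` is a placeholder.

```python
"""Approximate, offline check for the conditions behind the four security rules
named on this page. Example code for illustration; not the rules' real logic."""
import re
import xml.etree.ElementTree as ET

# Salesforce Metadata API namespace used by RemoteSiteSetting files
MD_NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Apex string literals are single-quoted, so the patterns only need that form
ENDPOINT_RE = re.compile(r"setEndpoint\(\s*'([^']*)'")
AUTH_HEADER_RE = re.compile(r"setHeader\(\s*'Authorization'", re.IGNORECASE)


def audit_remote_site(xml_text: str) -> list:
    """Findings for one RemoteSiteSetting metadata file (approximation of
    AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting)."""
    root = ET.fromstring(xml_text)
    url = (root.findtext("md:url", default="", namespaces=MD_NS) or "").strip()
    disabled = (root.findtext("md:disableProtocolSecurity", default="false",
                              namespaces=MD_NS) or "").strip().lower() == "true"
    findings = []
    if url.lower().startswith("http://"):
        findings.append(f"AvoidInsecureHttpRemoteSiteSetting: plain HTTP remote site {url}")
    if disabled:
        findings.append("AvoidDisableProtocolSecurityRemoteSiteSetting: "
                        f"disableProtocolSecurity=true for {url}")
    return findings


def audit_apex(source: str) -> list:
    """Findings for one Apex class body (approximation of ApexInsecureEndpoint
    and ApexSuggestUsingNamedCred)."""
    findings = []
    endpoints = ENDPOINT_RE.findall(source)
    for endpoint in endpoints:
        if endpoint.lower().startswith("http://"):
            findings.append(f"ApexInsecureEndpoint: callout to {endpoint}")
    # A named credential ('callout:Name/...') supplies both endpoint and secret;
    # a hand-set Authorization header without one suggests hard-coded credentials.
    uses_named_cred = any(e.lower().startswith("callout:") for e in endpoints)
    if AUTH_HEADER_RE.search(source) and not uses_named_cred:
        findings.append("ApexSuggestUsingNamedCred: Authorization header set by hand; "
                        "let a named credential supply endpoint and secret")
    return findings


# Constructed sample inputs (hypothetical files, not from any real package)
INSECURE_REMOTE_SITE = """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://captcha.example.invalid</url>
</RemoteSiteSetting>
"""

HARDENED_REMOTE_SITE = """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>false</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>https://captcha.example.invalid</url>
</RemoteSiteSetting>
"""

INSECURE_APEX = """
HttpRequest req = new HttpRequest();
req.setEndpoint('http://captcha.example.invalid/verify');
req.setHeader('Authorization', 'Bearer hardcoded-secret');
"""

HARDENED_APEX = """
HttpRequest req = new HttpRequest();
// Named credential Captcha_Service holds the HTTPS URL and the secret
req.setEndpoint('callout:Captcha_Service/verify');
"""


def run_audit() -> dict:
    """Run both checks over the constructed samples; keyed by sample name."""
    return {
        "insecure_remote_site": audit_remote_site(INSECURE_REMOTE_SITE),
        "hardened_remote_site": audit_remote_site(HARDENED_REMOTE_SITE),
        "insecure_apex": audit_apex(INSECURE_APEX),
        "hardened_apex": audit_apex(HARDENED_APEX),
    }


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, "->", findings or "no findings")
```

The hardened pair is what the review expects to see: an `https://` remote site with protocol security left on, and an Apex callout that addresses the third-party service through a named credential so that neither the endpoint nor the secret is hard-coded. TLS version and cipher strength on the third party's side cannot be judged from metadata alone; that is the part the FAQ says may need an action plan when the endpoint is not under your control.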