FAQ-000905 - External Service OAuth Security Review / OAuth Submission Process


Current FAQ

Question
How do I properly submit external services that use OAuth authentication for security review scanning?
Answer
To properly submit external services that use OAuth authentication for security review scanning, follow these steps:

1. **Authentication Credentials**: Submit the authentication credentials and, if available, the API documentation for the external services.
2. **Scan Reports**: Provide scan reports for all third-party integrations using tools like Chimera or ZAP, as required.
3. **Secure Storage**: Ensure sensitive information, such as API keys or tokens, is securely stored (e.g., in protected custom settings or metadata).
4. **OAuth Scopes**: Limit OAuth scopes to only what is necessary and avoid using full scope access.
5. **Vulnerability Management**: Address any vulnerabilities identified during the scans and document any false positives with supporting use cases for the review team.
6. **Secure Data Transfer**: Ensure external endpoints securely transfer credentials and data. Obtain permission to perform security testing on endpoints you do not own.

These steps will help ensure compliance with the security review process. Let me know if you need further clarification!

AI Recommended Enhancement

Related Security Rules

- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInHttpHeader
- ProtectSensitiveData
- ApexInsecureEndpoint
- LimitConnectedAppScope
Question
How do I properly submit external services that use OAuth authentication for security review scanning?
Recommended Answer Update
To properly submit external services that use OAuth authentication for security review scanning, follow these steps:

1. **Authentication Credentials**: Submit the authentication credentials and, if available, the API documentation for the external services.
2. **Scan Reports**: Provide scan reports for all third-party integrations using tools like Chimera or ZAP, as required.
3. **Secure Storage**: Ensure sensitive information, such as API keys or tokens, is securely stored using Named Credentials or protected custom settings. Named Credentials are the recommended approach for storing external service credentials.
4. **OAuth Scopes**: Limit OAuth scopes to only what's necessary and avoid using full scope access.
5. **Vulnerability Management**: Address any vulnerabilities identified during the scans and document any false positives with supporting use cases for the review team.
6. **Secure Data Transfer**: Ensure external endpoints use HTTPS and securely transfer credentials and data. Obtain permission to perform security testing on endpoints you don't own.

These steps will help ensure compliance with the security review process. Let me know if you need further clarification!
Reasoning
The FAQ content is generally accurate but needs minor refinements for clarity and security best practices. The main improvements are: 1) Updated point 3 to explicitly recommend Named Credentials as the preferred method for storing external service credentials, which aligns with the ApexSuggestUsingNamedCred rule that encourages using Named Credentials over hardcoded credentials. 2) Enhanced point 6 to explicitly mention HTTPS requirement, which relates to the ApexInsecureEndpoint rule. The selected security rules are all directly relevant to the FAQ's OAuth authentication content: ApexSuggestUsingNamedCred relates to the 'Secure Storage' recommendation about storing API keys/tokens; AvoidHardcodedCredentials rules (FieldDecls, VarDecls, VarAssign, HttpHeader) relate to the credential storage and handling practices discussed; ProtectSensitiveData relates to the overall handling of sensitive authentication information; ApexInsecureEndpoint relates to the secure data transfer requirement; and LimitConnectedAppScope directly relates to the OAuth scopes limitation guidance in point 4.
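The following Apex class is an added illustration of points 3 and 6 and of the ApexSuggestUsingNamedCred, AvoidHardcodedCredentialsInHttpHeader and ApexInsecureEndpoint rules; it is not part of the FAQ or of any Salesforce product. The Named Credential API name `Weather_API`, the host `api.example-weather.invalid`, and the placeholder token are constructed for the example.

```apex
public with sharing class WeatherClient {

    // BEFORE: the pattern the scan flags. The bearer token is a literal in
    // source (AvoidHardcodedCredentialsInHttpHeader) and the endpoint is
    // plain HTTP (ApexInsecureEndpoint), so the token travels unencrypted
    // and anyone who can read the package source or a debug log has it.
    public static HttpResponse fetchInsecure(String city) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.example-weather.invalid/v1/forecast?city='
            + EncodingUtil.urlEncode(city, 'UTF-8'));
        req.setMethod('GET');
        // Placeholder value for illustration only; never ship a real token this way.
        req.setHeader('Authorization', 'Bearer sk_live_PLACEHOLDER_TOKEN');
        return new Http().send(req);
    }

    // AFTER: the endpoint refers to a Named Credential (assumed API name
    // Weather_API) configured by an admin with an https:// URL and OAuth 2.0
    // authentication. The platform injects the Authorization header at
    // callout time, so no secret appears in Apex, metadata, or logs, and
    // token rotation happens in Setup rather than in a code release.
    public static HttpResponse fetch(String city) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Weather_API/v1/forecast?city='
            + EncodingUtil.urlEncode(city, 'UTF-8'));
        req.setMethod('GET');
        req.setTimeout(10000);
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Surface the status only; do not echo headers, which may carry tokens.
            throw new CalloutException('Weather API returned HTTP ' + res.getStatusCode());
        }
        return res;
    }
}
```

The OAuth scopes requested by the connected app behind `Weather_API` are configured on the Named Credential's auth provider, which is where point 4 (LimitConnectedAppScope) is enforced rather than in this class.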