FAQ-000906 - External Service Security Testing / Authentication and Access Configuration


Current FAQ

Question
What are the recommended approaches for handling authentication tokens and credentials when external applications require authentication for security scanning?
Answer
When external applications require authentication tokens that prevent standard security scanning, you can:

1. **Use Protected Custom Metadata**: Store secrets and credentials securely in protected custom metadata as an alternative to Named Credentials. This ensures sensitive information is managed safely.
2. **Configure Authentication Flows**: Set up DAST scanners (such as ZAP, Burp Suite, HCL AppScan, or WebInspect) to handle the required authentication flows for the endpoints.
3. **Obtain Permissions**: If the endpoints are owned by third parties, secure the necessary permissions before performing security testing.
4. **Follow Salesforce Guidelines**: Adhere to the guidelines in Salesforce IP Addresses & Domains to Allow.
5. **Document False Positives**: Submit documentation for any false positives along with relevant use cases to provide context for the security review team.
6. **Submit Scan Reports**: Include the DAST scan reports in your security review submission.

These approaches help ensure secure handling of authentication data while complying with the AppExchange Security Review process.
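The following Apex class is an added illustration of step 1, not code from the FAQ or from Salesforce: it places the hardcoded-header pattern that the AvoidHardcodedCredentialsInHttpHeader rule flags next to two hardened forms, a Named Credential callout and a token read from a protected custom metadata type. The Named Credential `External_API`, the metadata type `External_API_Secret__mdt`, its field `Token__c`, the record name `Scanner` and the endpoint URL are all assumed names.

```apex
// Added example, not part of the FAQ. Assumed names: Named Credential External_API,
// protected custom metadata type External_API_Secret__mdt with field Token__c and a
// record named 'Scanner', and a constructed endpoint URL.
public with sharing class ExternalApiClient {

    public class ConfigException extends Exception {}

    // BEFORE: the pattern AvoidHardcodedCredentialsInHttpHeader reports. The token is
    // shipped in package source and shows up in any DAST capture of the request.
    public static HttpRequest buildInsecureRequest() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/v1/status');          // constructed URL
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer sk_live_PLACEHOLDER');  // hardcoded secret
        return req;
    }

    // AFTER, option A: Named Credential (what ApexSuggestUsingNamedCred asks for).
    // The platform injects the credential at callout time; Apex never handles the token,
    // so there is nothing to hardcode, log, or leak into a scan report.
    public static HttpRequest buildNamedCredentialRequest() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:External_API/v1/status');
        req.setMethod('GET');
        return req;
    }

    // AFTER, option B: protected custom metadata, for auth schemes a Named Credential
    // cannot express. In a managed package a protected record is readable only by Apex
    // in the package namespace, so the token stays out of source and out of the
    // subscriber org's UI. The HTTPS endpoint still needs a Remote Site Setting.
    public static HttpRequest buildMetadataBackedRequest() {
        External_API_Secret__mdt secret = External_API_Secret__mdt.getInstance('Scanner');
        if (secret == null || String.isBlank(secret.Token__c)) {
            // Fail closed rather than sending an unauthenticated or empty bearer header.
            throw new ConfigException('External_API_Secret__mdt.Scanner is not configured');
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/v1/status');          // constructed URL
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + secret.Token__c);
        return req;
    }

    public static HttpResponse send(HttpRequest req) {
        return new Http().send(req);
    }
}
```

Option A is the one to prefer where it fits, because the scanner's authentication flow can be configured against the Named Credential endpoint without the token ever appearing in package code.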

AI Recommended Enhancement

Related Security Rules
ApexSuggestUsingNamedCred
AvoidHardcodedCredentialsInFieldDecls
AvoidHardcodedCredentialsInVarDecls
AvoidHardcodedCredentialsInVarAssign
AvoidHardcodedCredentialsInHttpHeader
AvoidInsecureHttpRemoteSiteSetting
AvoidDisableProtocolSecurityRemoteSiteSetting
Reasoning
No content changes were needed as the FAQ is already well-structured and accurate. The answer correctly recommends secure credential storage using protected custom metadata and Named Credentials, which aligns with security best practices. I selected security rules that directly relate to the credential and authentication handling concepts discussed in this FAQ. ApexSuggestUsingNamedCred relates to the FAQ's recommendation of Named Credentials as secure credential storage. The AvoidHardcodedCredentials rules (FieldDecls, VarDecls, VarAssign, HttpHeader) are relevant because the FAQ addresses secure credential management practices that help avoid hardcoding credentials. AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting relate to the FAQ's discussion of external service authentication and following Salesforce security guidelines for remote connections.