FAQ-000909 - External Service Security Testing / Authentication and Access Configuration


Current FAQ

Question
What is the recommended approach for designing and configuring external authenticated API endpoints to pass security review scanning?
Answer
The recommended approach for handling external authenticated API endpoints in security reviews includes:

1. **Scope and Control**: Ensure the external endpoint is within the review scope and that you have control over it. Confirm control by placing the review team's token file in the web application root so the scanner can verify ownership before testing.
2. **Secure Authentication**: Use secure mechanisms such as OAuth for external API calls instead of session IDs. Do not forward the Salesforce session ID to an external service unless that use is explicitly approved for a specific case.
3. **Secure Data Transfer**: Use TLS v1.2 or above for every external endpoint so that credentials and data are protected in transit; plain `http://` endpoints and remote site settings with protocol security disabled are flagged.
4. **Permission for Testing**: Obtain necessary permissions from the third-party owners of external endpoints before conducting security tests against them.
5. **Automated Scanning**: Use tools like ZAP or Burp Suite to scan for vulnerabilities and include the scan reports in your security review submission.
6. **Sensitive Data Protection**: Store secrets in protected custom metadata or settings, and avoid exposing them in URLs or query strings. Avoid embedding sensitive information (e.g., API keys) directly in the code.
7. **Authentication Mechanisms**: Implement proper authentication and avoid sending sensitive information in URL parameters, where it is logged by proxies and servers.
8. **Thorough Documentation**: Document all API details, including authentication methods, and provide the credentials the reviewers need to test the integration.
9. **Static Hosting for Scripts**: Host JavaScript-based API callouts statically on your domain; avoid dynamically loading scripts from external domains.
10. **Comprehensive Security Testing**: Perform automated scans and manual reviews on all external endpoints to identify and mitigate vulnerabilities.
11. **Vulnerability Resolution**: Address all high-severity vulnerabilities identified during scans. Fix flagged issues, and document each false positive with a justification in a false positive document.
12. **Secure Coding Practices**: Escape tainted input before rendering it, bind rather than concatenate user input into queries, validate data properly, and follow secure coding guidelines.
13. **Salesforce Compliance**: Test all components and layers of the solution to ensure compliance with Salesforce security guidelines.

These practices help ensure the security of external endpoints and compliance with the security review process.
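The following Apex class is an added example, not code from the FAQ or from Salesforce, that puts points 2, 3, 6 and 12 side by side: one method written the way the review scanner flags it, and the same callout written the way the answer recommends. The Named Credential name `Example_API`, the host `api.example.com`, the path `/v1/orders` and the placeholder key value are assumptions for illustration only.

```apex
// Added example (not from the FAQ). Assumed names: Named Credential "Example_API",
// host api.example.com, path /v1/orders. The key value below is a placeholder.
public with sharing class ExternalOrderService {

    public class OrderApiException extends Exception {}

    // BEFORE: every line marked below trips a rule from the "Related Security Rules" list.
    public static String fetchOrdersInsecure(String accountName) {
        // Secret embedded in code (AvoidHardcodedCredentialsInVarDecls)
        String apiKey = 'sk_live_PLACEHOLDER';

        HttpRequest req = new HttpRequest();
        // Plain http:// endpoint (ApexInsecureEndpoint) and the secret in the query string,
        // where it lands in proxy and server logs
        req.setEndpoint('http://api.example.com/v1/orders?key=' + apiKey);
        // Salesforce session ID handed to an external host (AvoidApiSessionId)
        req.setHeader('X-SF-Session', UserInfo.getSessionId());
        req.setMethod('GET');
        HttpResponse res = new Http().send(req);

        // Tainted input concatenated into SOQL (ApexSOQLInjection)
        List<Account> accts = Database.query(
            'SELECT Id FROM Account WHERE Name = \'' + accountName + '\'');

        return res.getBody();
    }

    // AFTER: the form the answer recommends.
    public static String fetchOrdersSecure(String accountName) {
        HttpRequest req = new HttpRequest();
        // The Named Credential holds the https:// base URL and the OAuth or API-key
        // secret; the platform adds the Authorization header, so no secret appears
        // in code, in the URL or in a header string (ApexSuggestUsingNamedCred).
        req.setEndpoint('callout:Example_API/v1/orders');
        req.setMethod('GET');
        req.setTimeout(10000);
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Do not echo the body: it may carry details the caller should not see.
            throw new OrderApiException('Order API returned HTTP ' + res.getStatusCode());
        }

        // Bind variable: accountName is passed to the query engine as data, not SOQL text.
        List<Account> accts = [SELECT Id FROM Account WHERE Name = :accountName];

        return res.getBody();
    }

    // Response text that will be rendered in a page is escaped first (ApexXSSFromURLParam
    // applies the same rule to values read from URL parameters).
    public static String renderSafely(String untrustedText) {
        return untrustedText == null ? '' : untrustedText.escapeHtml4();
    }
}
```

The Named Credential is configured in Setup with an `https://` URL and the external credential (OAuth client or API key) attached to it; the Apex code never sees the secret, which is what lets the scanner pass point 6 and the hardcoded-credential rules. `with sharing` and the bind variable cover the query side of point 12.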

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInHttpHeader
- AvoidApiSessionId
- AvoidUnauthorizedApiSessionIdInApex
- AvoidDisableProtocolSecurityRemoteSiteSetting
- AvoidInsecureHttpRemoteSiteSetting
- ApexXSSFromURLParam
- ApexSOQLInjection
- ProtectSensitiveData
Recommended Answer Update
The recommended approach for handling external authenticated API endpoints in security reviews includes:

1. **Scope and Control**: Ensure the external endpoint is within the review scope and that you have control over it. Confirm control by placing the review team's token file in the web application root so the scanner can verify ownership before testing.
2. **Secure Authentication**: Use secure mechanisms such as OAuth for external API calls instead of session IDs. Do not forward the Salesforce session ID to an external service unless that use is explicitly approved for a specific case.
3. **Secure Data Transfer**: Use TLS v1.2 or above for every external endpoint so that credentials and data are protected in transit; plain `http://` endpoints and remote site settings with protocol security disabled are flagged.
4. **Permission for Testing**: Obtain necessary permissions from the third-party owners of external endpoints before conducting security tests against them.
5. **Automated Scanning**: Use tools like ZAP or Burp Suite to scan for vulnerabilities and include the scan reports in your security review submission.
6. **Sensitive Data Protection**: Store secrets in protected custom metadata, protected custom settings, or Named Credentials, and avoid exposing them in URLs or query strings. Avoid embedding sensitive information (e.g., API keys) directly in the code.
7. **Authentication Mechanisms**: Implement proper authentication and avoid sending sensitive information in URL parameters, where it is logged by proxies and servers.
8. **Thorough Documentation**: Document all API details, including authentication methods, and provide the credentials the reviewers need to test the integration.
9. **Static Hosting for Scripts**: Host JavaScript-based API callouts statically on your domain; avoid dynamically loading scripts from external domains.
10. **Comprehensive Security Testing**: Perform automated scans and manual reviews on all external endpoints to identify and mitigate vulnerabilities.
11. **Vulnerability Resolution**: Address all high-severity vulnerabilities identified during scans. Fix flagged issues, and document each false positive with a justification in a false positive document.
12. **Secure Coding Practices**: Escape tainted input before rendering it, bind rather than concatenate user input into queries, validate data properly, and follow secure coding guidelines.
13. **Salesforce Compliance**: Test all components and layers of the solution to ensure compliance with Salesforce security guidelines.

These practices help ensure the security of external endpoints and compliance with the security review process.
Reasoning
The main improvement made was to point #6 about sensitive data protection. The original text mentioned 'protected custom metadata or settings' which was imprecise. The updated version specifically mentions 'custom metadata, custom settings, or Named Credentials' to be more accurate about Salesforce storage options. Named Credentials are particularly relevant as they're the Salesforce-recommended approach for storing external API credentials, which directly relates to this FAQ about external authenticated endpoints. All other content was preserved as it accurately reflects security best practices. The selected security rules all directly relate to the content: ApexInsecureEndpoint relates to point #3 about secure protocols, ApexSuggestUsingNamedCred relates to point #6 about credential storage, the hardcoded credential rules relate to point #6 about avoiding embedded secrets, the session ID rules relate to point #2 about secure authentication, the remote site setting rules relate to point #3 about secure protocols, ApexXSSFromURLParam and ApexSOQLInjection relate to point #12 about secure coding practices, and ProtectSensitiveData relates to point #6 about sensitive data protection.