How should authenticated scans be configured for external web servers?
Answer
Authenticated scans for external web servers should be configured using Dynamic Application Security Testing (DAST) tools such as ZAP, Burp Suite, HCL AppScan, or WebInspect. Set them up as follows:
1. **Obtain Permission**: Secure permission from the third parties that own the external endpoints before testing.
2. **Compliance**: Follow Salesforce's "IP Addresses & Domains to Allow" guidance to ensure the endpoints are configured correctly.
These steps help ensure authenticated scans are properly configured and compliant.
How should authenticated scans be configured for external web servers?
Recommended Answer Update
Authenticated scans for external web servers should be configured using Dynamic Application Security Testing (DAST) tools such as ZAP, Burp Suite, HCL AppScan, or WebInspect. Set them up as follows:
1. **Obtain Permission**: Secure permission from the third parties that own the external endpoints before testing.
2. **Use HTTPS Endpoints**: Ensure all external web servers use HTTPS (not HTTP) so that scan traffic, including the credentials used for authentication, is encrypted in transit during testing.
3. **Compliance**: Follow Salesforce's "IP Addresses & Domains to Allow" guidance to ensure the endpoints are configured correctly.
These steps help ensure authenticated scans are properly configured and compliant.
Reasoning
The original FAQ was missing a critical security consideration for external web server configuration: the requirement to use secure HTTPS endpoints rather than insecure HTTP connections. This addition aligns with Salesforce security best practices and addresses potential security vulnerabilities. The existing content about obtaining permission and following compliance guidelines is maintained, but the security emphasis is strengthened by explicitly mentioning HTTPS requirements.

I selected three security rules that relate to this FAQ:
1. **ApexInsecureEndpoint** detects insecure HTTP endpoints in Apex code, which relates to the FAQ's discussion of external web server endpoint configuration.
2. **AvoidInsecureHttpRemoteSiteSetting** prevents HTTP remote site settings, which directly relates to configuring external endpoints securely.
3. **AvoidDisableProtocolSecurityRemoteSiteSetting** ensures protocol security isn't disabled for remote sites, which is relevant when setting up authenticated scans that need to communicate with external servers securely.
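The following is an added example, not the page's own content and not Salesforce's implementation of these rules: a small static check that approximates what the three rules above look for, run over a constructed Apex callout snippet and a constructed RemoteSiteSetting metadata file. The regex for `setEndpoint` is a hypothetical heuristic (a real rule would parse the Apex AST); the metadata element names (`url`, `disableProtocolSecurity`, `isActive`) and namespace are the standard Salesforce metadata format.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Salesforce metadata XML (e.g. *.remoteSite-meta.xml files).
MD_NS = "{http://soap.sforce.com/2006/04/metadata}"

# Constructed Apex snippet: one plain-http callout, one https callout.
SAMPLE_APEX = """HttpRequest req = new HttpRequest();
req.setEndpoint('http://partner.example.com/api/v1');
req.setMethod('GET');
HttpRequest ok = new HttpRequest();
ok.setEndpoint('https://partner.example.com/api/v1');
"""

# Constructed RemoteSiteSetting metadata with both weaknesses present.
SAMPLE_REMOTE_SITE = """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://partner.example.com</url>
</RemoteSiteSetting>
"""

# Hypothetical heuristic standing in for ApexInsecureEndpoint: a setEndpoint()
# call whose string literal starts with plain http:// (https:// does not match).
INSECURE_ENDPOINT = re.compile(r"setEndpoint\(\s*'(http://[^']*)'", re.IGNORECASE)


def check_apex_endpoints(apex_source):
    """Return (rule, line_number, url) for each literal http:// callout endpoint."""
    findings = []
    for lineno, line in enumerate(apex_source.splitlines(), 1):
        for match in INSECURE_ENDPOINT.finditer(line):
            findings.append(("ApexInsecureEndpoint", lineno, match.group(1)))
    return findings


def check_remote_site(xml_text):
    """Return (rule, url) for an http:// remote site or one with protocol security off."""
    root = ET.fromstring(xml_text)
    url = root.findtext(MD_NS + "url", "").strip()
    findings = []
    if url.lower().startswith("http://"):
        findings.append(("AvoidInsecureHttpRemoteSiteSetting", url))
    flag = root.findtext(MD_NS + "disableProtocolSecurity", "false").strip().lower()
    if flag == "true":
        findings.append(("AvoidDisableProtocolSecurityRemoteSiteSetting", url))
    return findings
```

Running both checks over the samples reports the http:// callout on line 2 of the Apex snippet and two findings for the remote site; switching the sample to https:// with protocol security left enabled yields none.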