FAQ-000913 - External Service Security Testing / Environment and Infrastructure Considerations

Yes, you can use a staging environment for security scanning instead of production, provided the staging environment is functionally equivalent to the production environment. However, keep in mind that SSL scans will still be performed on the production version, and invalid certificates are allowed on the staging version. Using a middleware proxy server for callouts doesn't change the security scan requirements for the final endpoint. The final endpoint remains within the scope of the security review and must undergo security testing. This includes providing necessary credentials and scan reports, such as ZAP or DAST, for the endpoint.

The FAQ content is accurate and well-structured, but I made minor wording improvements for better clarity and flow. I changed 'does not change' to 'doesn't change' to maintain a more conversational tone per the brand guidelines. I also refined 'is still within the scope' to 'remains within the scope' for smoother readability. These changes preserve all existing information while making the text more natural and easier to read. Regarding the related security rules: ApexInsecureEndpoint relates to the FAQ's discussion of endpoint security scanning requirements and SSL protocols. ApexSuggestUsingNamedCred is relevant because the FAQ discusses external service callouts and credential management for endpoints. The credential-related rules (AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls) apply because the FAQ mentions 'providing necessary credentials' for endpoint testing. AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting are relevant to the SSL scan requirements and production endpoint security mentioned in the FAQ content.