FAQ-000914 - External Service Security Testing / Managed Package and External Service Integration


Current FAQ

Question
What are the requirements for security scanning external web applications and services that integrate with managed packages?
Answer
To perform security scanning on external web applications that integrate with your package, here are the requirements:

1. **Scope of Testing**: Include all external endpoints that operate independently of the Salesforce platform, especially if they authenticate users or transfer Salesforce data. Use a "follow-the-data" approach to determine the testing scope.
2. **Automated Security Scanning**: Use tools to identify vulnerabilities in your solution and external endpoints. Utilize automated security scanning tools like Zed Attack Proxy (ZAP), Burp Suite, or other Dynamic Application Security Testing (DAST) scanners.
3. **Route Traffic Through Scanners**: Configure your API client or browser to route traffic through the scanner tool's proxy to capture and analyze requests and responses.
4. **Perform Active Scans**: Conduct active scans to simulate attacks and identify vulnerabilities.
5. **Generate a Full Report**: After the scan, export a comprehensive report that includes the scan date, targeted endpoints, and findings.
6. **Permission**: Obtain permission from third parties if you don't own the external endpoints.
7. **Allowlisted IPs and Domains**: Follow Salesforce's IP Addresses & Domains to Allow guidelines.
8. **Control Over Endpoint**: The review can only proceed if you have control over the endpoint. For example, tools like Chimera require placing a token in the web app root, which necessitates endpoint control. Without control, the review cannot proceed.
9. **Document False Positives**: Document any false positives and address code that doesn't meet Salesforce security guidelines.
10. **Package Requirements**: Ensure your package is a Managed—Released package, as unmanaged or beta packages are not accepted.

These steps ensure compliance and readiness for the security review.

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
Question
What are the requirements for security scanning external web applications and services that integrate with managed packages?
Recommended Answer Update
To perform security scanning on external web applications that integrate with your package, here are the requirements:

1. **Scope of Testing**: Include all external endpoints that operate independently of the Salesforce platform, especially if they authenticate users or transfer Salesforce data. Use a "follow-the-data" approach to determine the testing scope.
2. **Automated Security Scanning**: Use tools to identify vulnerabilities in your solution and external endpoints. Utilize automated security scanning tools like Zed Attack Proxy (ZAP), Burp Suite, or other Dynamic Application Security Testing (DAST) scanners.
3. **Route Traffic Through Scanners**: Configure your API client or browser to route traffic through the scanner tool's proxy to capture and analyze requests and responses.
4. **Perform Active Scans**: Conduct active scans to simulate attacks and identify vulnerabilities.
5. **Generate a Full Report**: After the scan, export a comprehensive report that includes the scan date, targeted endpoints, and findings.
6. **Permission**: Obtain permission from third parties if you don't own the external endpoints.
7. **Allowlisted IPs and Domains**: Follow Salesforce's IP Addresses & Domains to Allow guidelines.
8. **Control Over Endpoint**: The review can only proceed if you have control over the endpoint. For example, tools like Chimera require placing a token in the web app root, which requires endpoint control. Without control, the review can't proceed.
9. **Document False Positives**: Document any false positives and address code that doesn't meet Salesforce security guidelines.
10. **Package Requirements**: Ensure your package is a Managed—Released package, as unmanaged or beta packages aren't accepted.

These steps ensure compliance and readiness for the security review.
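The scan-and-report steps (3 to 5, plus the false-positive documentation of step 9) in both versions of the answer, as an added example that is not part of this FAQ: a Python script that drives ZAP's API to active-scan one permitted endpoint and produces the report fields the review asks for (scan date, targeted endpoints, findings). The `zapv2` client, the local proxy address, the sample hosts, the plugin ids and the false-positive table are assumptions constructed for the example.

```python
"""Drive a ZAP active scan of a package-integrated endpoint and build the review
report (scan date, targets, findings, documented false positives). Added example;
assumes the python-owasp-zap-v2.4 client (`zapv2`) and a local ZAP daemon."""
import datetime
import time

# Scan only endpoints you control or have permission to test (steps 6 and 8).
# Constructed sample hosts, not real systems.
PERMITTED_TARGETS = {"https://api.example-partner.test"}
# Triaged false positives keyed by (ZAP pluginId, url) with the documented reason (step 9).
FALSE_POSITIVES = {
    ("10021", "https://api.example-partner.test/health"): "Static health endpoint, no user content",
}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

def active_scan(zap, target, poll_seconds=5):
    """Spider then active-scan `target` via the ZAP API; returns ZAP's raw alert dicts."""
    if target not in PERMITTED_TARGETS:
        raise PermissionError(f"{target} is not an endpoint you own or are permitted to test")
    zap.urlopen(target)  # seed the site tree through the proxy
    scan_id = zap.spider.scan(target)
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(poll_seconds)
    scan_id = zap.ascan.scan(target)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(poll_seconds)
    return zap.core.alerts(baseurl=target)

def build_report(target, alerts, scan_date=None):
    """Review report: findings ordered by risk, false positives kept but flagged."""
    scan_date = scan_date or datetime.date.today().isoformat()
    findings, documented_fp = [], []
    for a in alerts:
        entry = {"name": a["alert"], "risk": a["risk"], "url": a["url"], "plugin_id": a["pluginId"]}
        reason = FALSE_POSITIVES.get((a["pluginId"], a["url"]))
        if reason:
            entry["false_positive_reason"] = reason
            documented_fp.append(entry)
        else:
            findings.append(entry)
    findings.sort(key=lambda f: RISK_ORDER.get(f["risk"], len(RISK_ORDER)))
    return {"scan_date": scan_date, "targets": [target],
            "findings": findings, "false_positives": documented_fp}

if __name__ == "__main__":
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4
    proxy = "http://127.0.0.1:8080"
    zap = ZAPv2(apikey="CHANGE-ME", proxies={"http": proxy, "https": proxy})
    target = "https://api.example-partner.test"
    print(build_report(target, active_scan(zap, target)))
```

Export the returned dict alongside ZAP's own HTML or JSON report so the submission carries the date, targets and triaged findings together.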
Reasoning
Made minimal improvements to enhance clarity and readability while preserving all content and structure. Changed "necessitates" to "requires" for simpler language, "cannot" to "can't" for more conversational tone, and "are not" to "aren't" for consistency with brand guidelines. These changes make the FAQ more accessible without altering any technical requirements or adding new information.

Selected security rules relate directly to external service integrations and security scanning concerns:
- ApexInsecureEndpoint: Relates to ensuring secure endpoints in external integrations (point 1 about external endpoints)
- AvoidInsecureHttpRemoteSiteSetting: Connects to secure external service connections (points 1, 7 about external endpoints and allowlisted domains)
- AvoidDisableProtocolSecurityRemoteSiteSetting: Ensures protocol security for external connections (points 7, 8 about endpoint security)
- ApexSuggestUsingNamedCred: Relevant to secure authentication with external services (point 1 about authentication)
- AvoidHardcodedCredentialsInHttpHeader: Important for external service authentication security (point 1 about user authentication)
- AvoidHardcodedCredentialsInFieldDecls: Prevents credential exposure in external integrations (point 9 about meeting security guidelines)
- AvoidHardcodedCredentialsInVarDecls: Prevents credential exposure in code (point 9 about security guidelines compliance)