FAQ-000915 - External Service Security Testing / Managed Package and External Service Integration


Current FAQ

Question
What is the step-by-step process for scanning third-party applications integrated with my managed package?
Answer
To scan third-party applications integrated with your managed package, follow these steps:

1. **Prepare Documentation and Credentials**: Gather all necessary documentation for the third-party application, including API details and authentication credentials. Secure sensitive information like API keys in protected custom settings or metadata.
2. **Run Security Scans**: Use automated security scanning tools (e.g., ZAP) to test the third-party application. Ensure all external endpoints are included in the scan to identify vulnerabilities.
3. **Address Vulnerabilities**: Review the scan results and resolve any identified vulnerabilities. Update configurations or dependencies for issues like insecure storage or outdated software versions.
4. **Document False Positives**: Clearly document any false positives flagged during the scan, providing justifications. Include this documentation in your submission for context.
5. **Submit Security Reports**: Add the security scan reports for the third-party application to your managed package's security review submission. If the third-party application has its own security certifications or penetration test reports, include those as well.
6. **Follow Compliance Standards**: Handle sensitive data (e.g., payment information) in compliance with standards like PCI DSS. Minimize the storage of sensitive data wherever possible.
7. **Engage with Reviewers**: Provide additional information or testing promptly if requested during the review process. Address any concerns raised by reviewers.
8. **Schedule Office Hours if Needed**: Use the Partner Security Portal to schedule office hours with security engineers for guidance on specific issues or questions.

By following these steps, you can ensure a thorough and compliant security review process for third-party applications integrated with your managed package.

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
Question
What is the step-by-step process for scanning third-party applications integrated with my managed package?
Recommended Answer Update
To scan third-party applications integrated with your managed package, follow these steps:

1. **Prepare Documentation and Credentials**: Gather all necessary documentation for the third-party application, including API details and authentication credentials. Store sensitive information like API keys securely using Named Credentials or protected custom settings rather than hardcoding them in your code.
2. **Run Security Scans**: Use automated security scanning tools (e.g., ZAP) to test the third-party application. Ensure all external endpoints are included in the scan to identify vulnerabilities.
3. **Address Vulnerabilities**: Review the scan results and resolve any identified vulnerabilities. Update configurations or dependencies for issues like insecure storage or outdated software versions.
4. **Document False Positives**: Clearly document any false positives flagged during the scan, providing justifications. Include this documentation in your submission for context.
5. **Submit Security Reports**: Add the security scan reports for the third-party application to your managed package's security review submission. If the third-party application has its own security certifications or penetration test reports, include those as well.
6. **Follow Compliance Standards**: Handle sensitive data (e.g., payment information) in compliance with standards like PCI DSS. Minimize the storage of sensitive data wherever possible.
7. **Engage with Reviewers**: Provide additional information or testing promptly if requested during the review process. Address any concerns raised by reviewers.
8. **Schedule Office Hours if Needed**: Use the Partner Security Portal to schedule office hours with security engineers for guidance on specific issues or questions.

By following these steps, you can ensure a thorough and compliant security review process for third-party applications integrated with your managed package.
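Step 1 of both the current and the recommended answer comes down to one code-level change in the package: the callout to the third-party service must not carry its own secret. The following Apex class is an added illustration, not code from this FAQ or from any Salesforce product. It shows the same callout written first the way the listed AvoidHardcodedCredentials* and ApexInsecureEndpoint rules flag it, then the way ApexSuggestUsingNamedCred expects it. The Named Credential name `Billing_API`, the host `api.example-billing.invalid`, the placeholder key value and the `BillingApiException` class are all assumptions made up for the example.

```apex
// Added example (hypothetical names; not part of the FAQ). One third-party
// callout written two ways: as the scanner flags it, and as it passes.
public with sharing class ThirdPartyInvoiceClient {

    public class BillingApiException extends Exception {}

    // BEFORE: flagged by AvoidHardcodedCredentialsInFieldDecls. A secret in a
    // field ships inside the managed package and is readable by anyone who can
    // view the class body, including other packages and org admins.
    private static final String API_KEY = 'sk_live_PLACEHOLDER_CONSTRUCTED'; // constructed value

    public static HttpResponse fetchInvoiceInsecure(String invoiceId) {
        // Flagged by AvoidHardcodedCredentialsInVarDecls / InVarAssign.
        String token = 'Bearer ' + API_KEY;

        HttpRequest req = new HttpRequest();
        // Flagged by ApexInsecureEndpoint: plaintext http:// sends the token
        // in the clear, so the secret leaks even if it were stored correctly.
        req.setEndpoint('http://api.example-billing.invalid/v1/invoices/' + invoiceId);
        req.setMethod('GET');
        // Flagged by AvoidHardcodedCredentialsInHttpHeader.
        req.setHeader('Authorization', token);
        return new Http().send(req);
    }

    // AFTER: the Named Credential "Billing_API" (assumed to exist) owns the
    // HTTPS endpoint URL and the secret. The key never appears in Apex, in
    // package metadata, or in debug logs, and rotating it is an admin task,
    // not a package release. With "Allow Merge Fields in HTTP Header" enabled
    // on the Named Credential, {!$Credential.Password} is substituted at
    // callout time; with a custom-header Named Credential the header can be
    // configured there and the setHeader line dropped entirely.
    public static HttpResponse fetchInvoice(String invoiceId) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Billing_API/v1/invoices/'
            + EncodingUtil.urlEncode(invoiceId, 'UTF-8')); // no path injection
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer {!$Credential.Password}');
        req.setTimeout(10000);

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Do not echo res.getBody() into the exception: error bodies from
            // third-party APIs sometimes include the request headers.
            throw new BillingApiException(
                'Billing API returned HTTP ' + res.getStatusCode());
        }
        return res;
    }
}
```

Two practical notes for step 4 (false positives) and step 2 (scanning): the Named Credential variant still needs Apex test coverage, and callouts in tests require `Test.setMock(HttpCalloutMock.class, ...)` with a mock response; and the string `'Bearer {!$Credential.Password}'` is a merge field, not a credential, so if a scanner flags it under AvoidHardcodedCredentialsInHttpHeader, that is the kind of finding to document with a justification rather than "fix".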
Reasoning
The main improvement focuses on step 1 regarding credential storage. The original text mentioned 'Secure sensitive information like API keys in protected custom settings or metadata' which is acceptable but incomplete. The updated text emphasizes Named Credentials as the preferred approach while maintaining protected custom settings as an alternative, and explicitly calls out avoiding hardcoding credentials in code. This aligns with Salesforce security best practices.

For the security rules selected:

- ApexInsecureEndpoint: The FAQ discusses scanning external endpoints and ensuring secure connections to third-party applications, which directly relates to this rule about insecure endpoint usage.
- ApexSuggestUsingNamedCred: Step 1 discusses handling authentication credentials for third-party applications, and this rule specifically recommends using Named Credentials for secure credential management.
- AvoidHardcodedCredentialsInFieldDecls: The FAQ mentions securing API keys and credentials, and this rule prevents hardcoding credentials in field declarations.
- AvoidHardcodedCredentialsInHttpHeader: When integrating with third-party applications, developers often need to set authentication headers, and this rule prevents hardcoding those credentials.
- AvoidHardcodedCredentialsInVarAssign: Related to credential management mentioned in step 1, this rule prevents hardcoding credentials in variable assignments.
- AvoidHardcodedCredentialsInVarDecls: Also related to the credential management discussion in step 1, preventing hardcoded credentials in variable declarations.