FAQ-000916 - External Service Security Testing / Managed Package and External Service Integration


Current FAQ

Question
What are the requirements for security scanning an external web service that my managed package integrates with?
Answer
The requirements for security scanning an external web service that your managed package integrates with are:

1. **Test all external endpoints**: Every external endpoint the package calls, and in particular any endpoint that authenticates users or sends or receives Salesforce data, must be tested as part of the security review.
2. **Use security scanning tools**: Run an automated Dynamic Application Security Testing (DAST) scanner such as Zed Attack Proxy (ZAP) or Burp Suite against those endpoints to identify vulnerabilities.
3. **Route traffic through the scanner**: Configure your API client or browser to send its traffic through the scanner's proxy so that every request and response to the external service is captured and can be analyzed.
4. **Perform active scans**: Run active scans, not just passive observation, so the scanner sends attack payloads against the captured requests and reports the vulnerabilities it finds.
5. **Generate a full report**: After the scan, export a complete report that includes the scan date, the endpoints targeted, and the findings.
6. **Obtain permission**: Confirm that you are authorized to test endpoints owned by third parties before scanning them.
7. **Follow Salesforce guidelines**: Adhere to Salesforce's guidelines on the IP addresses and domains that must be allowed during scanning.
8. **Set the testing scope by following the data**: Use a "follow-the-data" approach to determine scope: test every component through which customer data is transferred or authenticated, including endpoints that are not hosted on the Salesforce platform.
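The steps above start with an inventory: before any traffic can be routed through a scanner proxy, you need the list of external endpoints the package actually calls, and the "follow-the-data" rule means that list must be derived from the package's own Apex callouts and Remote Site Settings rather than from memory. The script below is an added example, not code from the original FAQ or from Salesforce; it walks constructed, hypothetical Apex sources and Remote Site Setting metadata, collects every external endpoint, flags the conditions named by the related security rules (plain-http endpoints, `disableProtocolSecurity`, callouts that bypass Named Credentials, credentials hard-coded in an `Authorization` header), and emits the DAST scope plus ZAP context include regexes. The sample inputs, file names, and hostnames are all assumptions; the regexes are deliberately narrow and match only the literal-string forms shown.

```python
"""Derive a follow-the-data DAST scope from a managed package's source.

Added example; not part of the original FAQ or any Salesforce tool.
Inputs below are constructed samples, not a real package.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample Apex classes (hypothetical file names and hosts).
APEX_SOURCES = {
    "PaymentClient.cls": """
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.payments.example.com/v1/charge');
        req.setHeader('Authorization', 'Bearer sk_live_0123456789abcdef');
        req.setMethod('POST');
    """,
    "LegacySync.cls": """
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://legacy.example.com/sync');
        req.setMethod('GET');
    """,
    "CrmBridge.cls": """
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_CRM/contacts');
    """,
}

# Constructed sample Remote Site Setting metadata.
REMOTE_SITE_SETTINGS = {
    "Legacy.remoteSite-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://legacy.example.com</url>
</RemoteSiteSetting>""",
    "Payments.remoteSite-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>false</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>https://api.payments.example.com</url>
</RemoteSiteSetting>""",
}

MD_NS = "{http://soap.sforce.com/2006/04/metadata}"
ENDPOINT_RE = re.compile(r"setEndpoint\(\s*'([^']+)'\s*\)")
# A string literal as the Authorization value is the hard-coded-credential case.
AUTH_HEADER_RE = re.compile(r"setHeader\(\s*'Authorization'\s*,\s*'([^']*)'\s*\)")


@dataclass
class Finding:
    source: str
    endpoint: str
    issues: list = field(default_factory=list)


def check_url(url: str, issues: list) -> None:
    """Flag endpoints that transfer data over plain HTTP."""
    if urlparse(url).scheme == "http":
        issues.append("insecure-http")


def inventory(apex_sources: dict, remote_sites: dict) -> list:
    """Collect every external endpoint and the rule violations attached to it."""
    findings = []
    for name, body in apex_sources.items():
        for endpoint in ENDPOINT_RE.findall(body):
            issues = []
            if not endpoint.startswith("callout:"):
                # Literal URL: no Named Credential, so auth is the package's problem.
                check_url(endpoint, issues)
                issues.append("no-named-credential")
            if AUTH_HEADER_RE.search(body):  # file-level check, kept simple
                issues.append("hardcoded-credential-header")
            findings.append(Finding(name, endpoint, issues))
    for name, xml in remote_sites.items():
        root = ET.fromstring(xml)
        url = root.findtext(MD_NS + "url")
        issues = []
        check_url(url, issues)
        if root.findtext(MD_NS + "disableProtocolSecurity", "false").lower() == "true":
            issues.append("protocol-security-disabled")
        findings.append(Finding(name, url, issues))
    return findings


def dast_scope(findings: list) -> list:
    """Endpoints to route through the scanner proxy and actively scan."""
    return sorted({f.endpoint for f in findings
                   if urlparse(f.endpoint).scheme in ("http", "https")})


def named_credential_refs(findings: list) -> list:
    """callout: references; resolve their URLs from NamedCredential metadata."""
    return sorted({f.endpoint for f in findings if f.endpoint.startswith("callout:")})


def zap_context_includes(scope: list) -> list:
    """One ZAP context include regex per origin in scope."""
    origins = {f"{u.scheme}://{u.netloc}" for u in map(urlparse, scope)}
    return sorted(f"^{re.escape(o)}/.*" for o in origins)


if __name__ == "__main__":
    found = inventory(APEX_SOURCES, REMOTE_SITE_SETTINGS)
    for f in found:
        print(f"{f.source}: {f.endpoint} {f.issues or 'ok'}")
    print("DAST scope:", dast_scope(found))
    print("Resolve via Named Credential:", named_credential_refs(found))
    print("ZAP includes:", zap_context_includes(dast_scope(found)))
```

Every entry in the returned scope is an endpoint that must appear in the exported scan report; the `callout:` references are in scope too, but their URLs come from the Named Credential metadata, which this sample does not parse. The flagged issues are fixes to make in the package before the scan, not substitutes for it: a Named Credential removes the hard-coded token, but the external service behind it still has to be actively scanned.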

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
Question
What are the requirements for security scanning an external web service that my managed package integrates with?
Recommended Answer Update
Unchanged; identical to the current answer above.
Reasoning
The existing FAQ content is comprehensive and accurate. No content updates were needed, as all information aligns with current security practices and does not conflict with any available security rules. The FAQ effectively covers the key requirements for external service security testing.

Regarding the security rules selected:

- **ApexInsecureEndpoint**: This rule directly relates to the FAQ's focus on testing external endpoints. The FAQ emphasizes testing "all external endpoints, especially those that authenticate users or transfer Salesforce data," which aligns with this rule's purpose of identifying insecure endpoint usage.
- **AvoidInsecureHttpRemoteSiteSetting** and **AvoidDisableProtocolSecurityRemoteSiteSetting**: These rules are relevant because external web service integrations typically require remote site settings, and the FAQ's emphasis on security scanning helps ensure these configurations are secure.
- **ApexSuggestUsingNamedCred**: This rule relates to the FAQ's context of external service integration, as named credentials are a best practice for secure external service authentication that would be validated during the security scanning process described.
- **AvoidHardcodedCredentialsInHttpHeader**, **AvoidHardcodedCredentialsInFieldDecls**, **AvoidHardcodedCredentialsInVarDecls**, and **AvoidHardcodedCredentialsInVarAssign**: These rules are directly relevant to external service integration security, as the scanning process described in the FAQ would help identify hardcoded credentials used in external service communications.