FAQ-000920 - External Service Security Testing / Scan Configuration and Setup


Current FAQ

Question
What is the proper way to document and include all external endpoints for security review?
Answer
To properly document and include all external endpoints for a security review:

1. **Identify External Endpoints**: List all external endpoints in your solution, including those not hosted on the Salesforce platform, and specify their roles, such as authenticating users or transferring Salesforce data.
2. **Determine Scope**: Use a "follow-the-data" approach to focus on endpoints where customer data or credentials are transferred.
3. **Verify Control**: Confirm you have control over the endpoints. For third-party-managed endpoints, obtain their consent for the review and their commitment to address any issues.
4. **Conduct Security Testing**: Use Dynamic Application Security Test (DAST) tools like ZAP, Burp Suite, HCL AppScan, or WebInspect to test the endpoints. Include the scan reports in your submission.
5. **Provide Access Details**: Include URLs and login credentials for external components requiring authentication.
6. **Submit Security Scan Reports**: Provide security scan reports (e.g., DAST reports) and document any false positives with explanations.
7. **Document Configuration**: Ensure the endpoints comply with security requirements, such as marking session IDs as SECURE and using TLS v1.2 or above.
8. **Obtain Permissions**: Secure necessary permissions to perform security testing on third-party-owned endpoints.
9. **Meet Security Standards**: Ensure endpoints use TLS v1.2 or above and avoid weak ciphers.
10. **Complete Submission**: Include test environments, solution documentation, and any additional credentials in your security review submission.
11. **Disclose Exceptions**: If there are endpoints you do not control, disclose them and provide an action plan for addressing potential issues.
12. **Include Supporting Documentation**: Add architecture diagrams, data flow details, and explanations for any false positives in your security review submission.

Make sure all documentation is complete and accurate to avoid delays in the review process and follow these steps to ensure compliance with security review guidelines.

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
- ApexSuggestUsingNamedCred
Question
What is the proper way to document and include all external endpoints for security review?
Recommended Answer Update
To properly document and include all external endpoints for a security review:

1. **Identify External Endpoints**: List all external endpoints in your solution, including those not hosted on the Salesforce platform, and specify their roles, such as authenticating users or transferring Salesforce data.
2. **Determine Scope**: Use a "follow-the-data" approach to focus on endpoints where customer data or credentials are transferred.
3. **Verify Control**: Confirm you have control over the endpoints. For third-party-managed endpoints, obtain their consent for the review and their commitment to address any issues.
4. **Conduct Security Testing**: Use Dynamic Application Security Test (DAST) tools like ZAP, Burp Suite, HCL AppScan, or WebInspect to test the endpoints. Include the scan reports in your submission.
5. **Provide Access Details**: Include URLs and login credentials for external components requiring authentication.
6. **Submit Security Scan Reports**: Provide security scan reports (e.g., DAST reports) and document any false positives with explanations.
7. **Document Configuration**: Ensure the endpoints comply with security requirements, such as marking session IDs as SECURE and using TLS v1.2 or above.
8. **Obtain Permissions**: Secure necessary permissions to perform security testing on third-party-owned endpoints.
9. **Meet Security Standards**: Ensure endpoints use TLS v1.2 or above and avoid weak ciphers.
10. **Complete Submission**: Include test environments, solution documentation, and any additional credentials in your security review submission.
11. **Disclose Exceptions**: If there are endpoints you don't control, disclose them and provide an action plan for addressing potential issues.
12. **Include Supporting Documentation**: Add architecture diagrams, data flow details, and explanations for any false positives in your security review submission.

Make sure all documentation is complete and accurate to avoid delays in the review process and follow these steps to ensure compliance with security review guidelines.
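The checklist above (and the identical one in the current FAQ) can be turned into a pre-submission gate over an endpoint inventory. The following is an added example, not code from the FAQ or from Salesforce; the inventory fields, the hostnames and the weak-cipher pattern are assumptions chosen to illustrate steps 2, 3, 6, 7, 9 and 11.

```python
# Added example (not from the FAQ or Salesforce): check an endpoint inventory
# against the review checklist and report gaps before the submission is filed.
import re
from urllib.parse import urlparse

# Assumed weak-cipher pattern: NULL/EXPORT/RC4/DES/MD5/anonymous suites.
WEAK_CIPHER = re.compile(r"(NULL|EXPORT|RC4|DES|MD5|anon)", re.I)
TLS_ORDER = {"TLSv1": 1.0, "TLSv1.1": 1.1, "TLSv1.2": 1.2, "TLSv1.3": 1.3}

def review_endpoint(ep: dict) -> list:
    """Return findings for one inventory entry; an empty list means it is ready."""
    findings = []
    if urlparse(ep["url"]).scheme != "https":
        findings.append("endpoint is not served over HTTPS")
    if TLS_ORDER.get(ep.get("min_tls"), 0) < 1.2:
        findings.append("TLS v1.2 or above required")
    weak = [c for c in ep.get("ciphers", []) if WEAK_CIPHER.search(c)]
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    # Follow-the-data: anything touching customer data or credentials needs a scan report.
    if ep.get("handles_customer_data") and not ep.get("dast_report"):
        findings.append("in scope (customer data/credentials) but no DAST report attached")
    # Third-party endpoints need consent, or must be disclosed with an action plan.
    if ep.get("owner") == "third-party" and not (ep.get("consent") or ep.get("action_plan")):
        findings.append("third-party endpoint without consent or disclosed action plan")
    # Session cookies must carry the Secure attribute.
    for cookie in ep.get("set_cookie", []):
        name = cookie.split("=")[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"session cookie {name!r} lacks the Secure attribute")
    return findings

def review_inventory(inventory):
    return {ep["url"]: review_endpoint(ep) for ep in inventory}

# Constructed sample inventory with hypothetical hosts (not from the page).
SAMPLE_INVENTORY = [
    {"url": "https://auth.example-partner.test/oauth/token", "role": "authenticates users",
     "handles_customer_data": True, "owner": "third-party", "consent": True,
     "dast_report": "zap-auth.html", "min_tls": "TLSv1.2",
     "ciphers": ["TLS_AES_256_GCM_SHA384"], "set_cookie": ["sid=abc; Secure; HttpOnly"]},
    {"url": "http://sync.example-vendor.test/export", "role": "transfers Salesforce data",
     "handles_customer_data": True, "owner": "third-party", "min_tls": "TLSv1.1",
     "ciphers": ["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"], "set_cookie": ["sid=xyz; Path=/"]},
]

if __name__ == "__main__":
    for url, issues in review_inventory(SAMPLE_INVENTORY).items():
        print(url, "->", issues or ["ready for submission"])
```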
Reasoning
The FAQ content is well-structured and accurate, requiring only minor grammatical improvements for clarity. The main change was correcting 'you do not control' to 'you don't control' to align with the conversational tone guidelines while maintaining all original points and information.

Regarding the security rules selected:

- **ApexInsecureEndpoint**: This rule directly relates to the FAQ's focus on documenting external endpoints and ensuring they meet security standards. The FAQ discusses identifying external endpoints and their security requirements, which aligns with this rule's purpose of detecting insecure endpoint usage.
- **AvoidInsecureHttpRemoteSiteSetting**: The FAQ's requirement for endpoints to "use TLS v1.2 or above" and avoid insecure configurations directly corresponds to this rule, which prevents the use of insecure HTTP remote site settings.
- **AvoidDisableProtocolSecurityRemoteSiteSetting**: The FAQ's emphasis on security standards and TLS requirements relates to this rule's purpose of preventing disabled protocol security in remote site settings.
- **UseHttpsCallbackUrlConnectedApp**: The FAQ discusses external endpoints for authentication and data transfer, which connects to this rule's requirement for HTTPS callback URLs in connected apps.
- **ApexSuggestUsingNamedCred**: The FAQ mentions providing "login credentials for external components" and secure endpoint configuration, which relates to this rule's recommendation for using Named Credentials for secure credential management.