FAQ-000922 - External Service Security Testing / Scan Report Issues and Requirements


Current FAQ

Question
What are the common reasons a security scan report for a non-Salesforce domain might be rejected and how should I handle missing external URLs?
Answer
A security scan report for a non-Salesforce domain might be rejected for these common reasons:

1. **Incomplete Endpoint Coverage**: The report does not include all external endpoints running independently of the Salesforce platform.
2. **Unsupported Scanner**: The scan was not performed using a recommended Dynamic Application Security Test (DAST) scanner, such as ZAP, Burp Suite, HCL AppScan, or WebInspect.
3. **Lack of Documentation**: The report lacks documentation of false-positive findings or does not address flagged issues according to Salesforce security guidelines.
4. **Missing Permissions**: Necessary permissions or authorization for testing external endpoints owned by third parties are not included.
5. **Data Security Issues**: The report fails to demonstrate secure handling of sensitive data, such as authentication credentials or payment information, in compliance with standards like PCI compliance.
6. **Insufficient Scope Details**: The report does not provide enough details about the testing scope, including endpoints involved in data transfer or user authentication.

If external URLs aren't properly included in scan reports, here's how to handle the situation:

1. **Provide a ZAP Scan Report**: Use a ZAP scan report as an alternative, especially if other scanners are not functioning or are taking too long.
2. **Include Remote Site Settings**: For URLs that are part of remote site settings, ensure a ZAP scan report is submitted.
3. **Provide Credentials**: If the URLs are publicly accessible, include credentials for the application with all roles to facilitate proper scanning.
4. **Avoid Sensitive Data Exposure**: Ensure that sensitive data in URLs, such as session IDs or usernames/passwords, is not exposed, as this would be flagged as a high-severity issue.

To avoid rejection, ensure your report is complete, uses approved tools, and adheres to Salesforce's security review requirements.

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
Question
What are the common reasons a security scan report for a non-Salesforce domain might be rejected and how should I handle missing external URLs?
Recommended Answer Update
A security scan report for a non-Salesforce domain might be rejected for these common reasons:

1. **Incomplete Endpoint Coverage**: The report doesn't include all external endpoints running independently of the Salesforce platform.
2. **Unsupported Scanner**: The scan wasn't performed using a recommended Dynamic Application Security Test (DAST) scanner, such as ZAP, Burp Suite, HCL AppScan, or WebInspect.
3. **Lack of Documentation**: The report lacks documentation of false-positive findings or doesn't address flagged issues according to Salesforce security guidelines.
4. **Missing Permissions**: Necessary permissions or authorization for testing external endpoints owned by third parties aren't included.
5. **Data Security Issues**: The report fails to demonstrate secure handling of sensitive data, such as authentication credentials or payment information, in compliance with standards like PCI compliance.
6. **Insufficient Scope Details**: The report doesn't provide enough details about the testing scope, including endpoints involved in data transfer or user authentication.

If external URLs aren't properly included in scan reports, here's how to handle the situation:

1. **Provide a ZAP Scan Report**: Use a ZAP scan report as an alternative, especially if other scanners aren't functioning or are taking too long.
2. **Include Remote Site Settings**: For URLs that are part of remote site settings, ensure a ZAP scan report is submitted.
3. **Provide Credentials**: If the URLs are publicly accessible, include credentials for the application with all roles to facilitate proper scanning.
4. **Avoid Sensitive Data Exposure**: Ensure that sensitive data in URLs, such as session IDs or usernames/passwords, isn't exposed, as this would be flagged as a high-severity issue.

To avoid rejection, ensure your report is complete, uses approved tools, and adheres to Salesforce's security review requirements.
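A pre-submission check for the answer above (both the current FAQ answer and this recommended update): it reads RemoteSiteSetting metadata to list the external endpoints a DAST report must cover, and flags what reviewers reject on, namely plain-HTTP remote sites, disabled protocol security, and session IDs or credentials carried in scanned URLs. This is an added example, not Salesforce's own tooling; the RemoteSiteSetting XML and the scanned request URLs are constructed samples.

```python
# Added example (not Salesforce tooling): pre-submission check over
# RemoteSiteSetting metadata plus the request URLs a scanner recorded.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
SENSITIVE_PARAMS = {"password", "pwd", "token", "sessionid", "session_id",
                    "sid", "jsessionid", "username", "apikey", "api_key"}

# Constructed sample: two RemoteSiteSetting files from a source-format project.
REMOTE_SITES = {
    "Payments": """<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>false</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>https://payments.example.com</url>
</RemoteSiteSetting>""",
    "Legacy": """<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://legacy-api.example.com</url>
</RemoteSiteSetting>""",
}
# Constructed sample: request URLs recorded by the scanner during the report run.
SCANNED_URLS = [
    "https://payments.example.com/api/v1/charge",
    "https://payments.example.com/login?username=svc&password=hunter2",
    "http://legacy-api.example.com/export;jsessionid=ABC123",
]

def url_findings(url, disable_protocol_security=False):
    """Findings for one URL; an empty list means nothing to fix or document."""
    p, findings = urlparse(url), []
    if p.scheme != "https":
        findings.append("plain-http endpoint (AvoidInsecureHttpRemoteSiteSetting)")
    if disable_protocol_security:
        findings.append("disableProtocolSecurity=true (AvoidDisableProtocolSecurityRemoteSiteSetting)")
    if p.username or p.password:
        findings.append("credentials in URL userinfo")
    # Session IDs may ride in the query string or as a ;jsessionid path parameter.
    leaked = {k.lower() for k in parse_qs(p.query, keep_blank_values=True)}
    if p.params:
        leaked.add(p.params.split("=", 1)[0].lower())
    if hit := sorted(leaked & SENSITIVE_PARAMS):
        findings.append("sensitive data in URL: " + ", ".join(hit))
    return findings

def precheck(remote_sites, scanned_urls):
    """Endpoints the report must cover, plus every finding to resolve or document."""
    endpoints, findings = [], {}
    for name, xml_text in remote_sites.items():
        root = ET.fromstring(xml_text)
        if root.findtext("m:isActive", "true", NS).strip().lower() != "true":
            continue  # inactive remote sites cannot be called, so they are out of scope
        url = root.findtext("m:url", "", NS).strip()
        dps = root.findtext("m:disableProtocolSecurity", "false", NS).strip().lower() == "true"
        endpoints.append(url)
        if f := url_findings(url, dps):
            findings[f"RemoteSiteSetting:{name}"] = f
    for url in scanned_urls:
        if f := url_findings(url):
            findings[url] = f
    return {"endpoints_to_cover": endpoints, "findings": findings}
```

Every entry in `endpoints_to_cover` should appear in the submitted ZAP report, and every entry in `findings` should be fixed or documented as a justified exception before submission.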
Reasoning
The content is generally accurate and comprehensive, but needed tone improvements to make it more conversational and less verbose. I changed formal contractions like 'does not' to 'doesn't' and 'are not' to 'aren't' throughout to match the brand guidelines for conversational tone. I also streamlined some phrases like 'are not functioning' to 'aren't functioning' to be more natural. No outdated content was detected.

Regarding related security rules:

- ApexInsecureEndpoint: This rule is directly relevant because the FAQ discusses external endpoints and their security testing. The FAQ specifically mentions 'external endpoints running independently of the Salesforce platform' and 'endpoints involved in data transfer or user authentication', which are exactly the types of endpoints this rule addresses for security concerns.
- AvoidInsecureHttpRemoteSiteSetting: This rule relates to the FAQ's discussion of 'remote site settings' and external URLs. The FAQ mentions 'For URLs that are part of remote site settings, ensure a ZAP scan report is submitted', which directly connects to this rule's purpose of preventing insecure HTTP connections in remote site configurations.
- AvoidDisableProtocolSecurityRemoteSiteSetting: This rule is relevant because the FAQ discusses security requirements for external endpoints and remote site settings. The FAQ's emphasis on 'Data Security Issues' and ensuring proper security handling connects to this rule's purpose of maintaining protocol security in remote site settings.