FAQ-000923 - External Service Security Testing / Scan Report Issues and Requirements


Current FAQ

Question
How should developers document and present external security testing evidence to satisfy security review requirements?
Answer
To document and present external security testing evidence for security review, developers should:

1. **Include Security Scan Reports**: Provide scan reports for every external endpoint that operates independently of the Salesforce platform.
2. **Document False Positives**: Clearly identify each reported finding you consider a false positive and explain why it does not apply.
3. **Obtain Permissions**: Secure the necessary permission from the third-party owner before testing any external endpoint you do not own.
4. **Follow Salesforce Guidelines**: Adhere to Salesforce's "IP Addresses & Domains to Allow" guidance.
5. **Run Periodic Scans**: Scan regularly throughout the development lifecycle so that flagged issues are found and fixed before submission.

These steps keep the submission in line with Salesforce's security review guidelines and help streamline the review process.
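As an added illustration of steps 1, 2 and 5 (example code, not Salesforce tooling or part of the original FAQ), the script below reconciles a scanner's findings against a developer-maintained false-positive register and a remediation log, groups the result per endpoint, and refuses to mark the evidence package ready while any finding has no disposition. The finding and register formats, the endpoint URLs and the rule names are hypothetical; a real scanner exports its own schema and you would load the three inputs from files rather than constants.

```python
"""Reconcile external-endpoint scan findings with a false-positive register.

Added example, not Salesforce's tooling. All data below is constructed and
the finding/register schema is hypothetical.
"""
from collections import defaultdict

# Constructed scanner output: one record per flagged finding.
SCAN_FINDINGS = [
    {"id": "F-1", "endpoint": "https://api.example.com",
     "rule": "missing-hsts", "severity": "low"},
    {"id": "F-2", "endpoint": "https://api.example.com",
     "rule": "reflected-xss", "severity": "high"},
    {"id": "F-3", "endpoint": "https://hooks.example.com",
     "rule": "tls-weak-cipher", "severity": "medium"},
]

# Constructed false-positive register: finding id -> written justification.
FALSE_POSITIVES = {
    "F-1": "HSTS is added by the edge proxy; the scanner reached the origin directly.",
}

# Constructed remediation log: ids of findings fixed and re-scanned clean.
REMEDIATED = {"F-3"}


def classify(findings, false_positives, remediated):
    """Attach a disposition (fixed / false_positive / open) to each finding,
    grouped by endpoint. A false-positive entry without a justification is
    rejected, since reviewers need the explanation, not just the label."""
    report = defaultdict(list)
    for finding in findings:
        fid = finding["id"]
        if fid in remediated:
            disposition = {"status": "fixed", "note": "re-scanned clean"}
        elif fid in false_positives:
            justification = false_positives[fid].strip()
            if not justification:
                raise ValueError(f"false positive {fid} has no justification")
            disposition = {"status": "false_positive", "note": justification}
        else:
            disposition = {"status": "open", "note": ""}
        report[finding["endpoint"]].append({**finding, **disposition})
    return dict(report)


def open_findings(report):
    """Findings that are neither fixed nor justified as false positives."""
    return [f for items in report.values() for f in items if f["status"] == "open"]


def ready_for_submission(report):
    """True only when every finding has a disposition a reviewer can check."""
    return not open_findings(report)


def render_summary(report):
    """Plain-text evidence summary, one section per external endpoint."""
    lines = []
    for endpoint in sorted(report):
        lines.append(f"Endpoint: {endpoint}")
        for f in report[endpoint]:
            lines.append(f"  {f['id']} {f['rule']} [{f['severity']}] -> {f['status']}"
                         + (f": {f['note']}" if f["note"] else ""))
    lines.append("READY" if ready_for_submission(report) else "NOT READY: open findings remain")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(classify(SCAN_FINDINGS, FALSE_POSITIVES, REMEDIATED)))
```

Run it after each periodic scan; the summary it prints is the per-endpoint evidence to attach, and a NOT READY result means a finding still needs either a fix or a written false-positive explanation.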

AI Recommended Enhancement

Recommended Answer Update
No change recommended: the recommended answer is identical to the current answer above.
Reasoning
After reviewing the FAQ against the available security rules, I found that this FAQ addresses external security testing documentation and procedures, which is primarily a process and documentation requirement rather than a code-level security issue. The available security rules focus on code-level vulnerabilities in Apex, Visualforce, Lightning components, and other development artifacts (such as ApexSOQLInjection, ApexXSSFromURLParam, VfCsrf, etc.), while this FAQ deals with the procedural aspects of documenting external security scans and presenting evidence to Salesforce security reviewers. The content is accurate and well-structured, covering the key requirements for external security testing evidence. The answer is clear, actionable, and follows the security review requirements appropriately. No related rule IDs were identified because the available rules do not cover external security testing documentation procedures - they focus on preventing security vulnerabilities in code rather than the process of documenting external security assessments.