FAQ-000924 - External Service Security Testing / Scan Report Issues and Requirements

Current Status: VALID_RESPONSE

Current FAQ

Question
What are the requirements for web application scan results when integrating with external domains?
Answer
When integrating with external domains, the requirements for web application scan results include:

1. **Comprehensive Scan Reports**: Submit reports for all external endpoints involved in the integration, detailing any identified vulnerabilities and their resolutions.
2. **Document False Positives**: Clearly document and justify any false positives in the scan results.
3. **Provide Credentials and Documentation**: Include authentication credentials and API documentation (if available) to facilitate testing.
4. **Ensure Security Compliance**: Verify that external endpoints comply with security standards, such as using TLS v1.2 or above.
5. **Avoid Risky Practices**: Do not use wildcarded CORS (`Access-Control-Allow-Origin: *`) for non-public endpoints.

For non-Salesforce domains integrated with your application, you need to perform a Dynamic Application Security Test (DAST) scan on the external endpoints. Accepted tools include ZAP, Burp Suite, HCL AppScan, and WebInspect. When submitting your solution for security review, include the scan reports, authentication credentials, and any relevant API documentation for these integrations. These steps ensure the integration meets security review requirements.

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
Question
What are the requirements for web application scan results when integrating with external domains?
Recommended Answer Update
When integrating with external domains, the requirements for web application scan results include:

1. **Comprehensive Scan Reports**: Submit reports for all external endpoints involved in the integration, detailing any identified vulnerabilities and their resolutions.
2. **Document False Positives**: Clearly document and justify any false positives in the scan results.
3. **Provide Credentials and Documentation**: Include authentication credentials and API documentation (if available) to facilitate testing.
4. **Ensure Security Compliance**: Verify that external endpoints comply with security standards, such as using TLS v1.2 or above.
5. **Avoid Risky Practices**: Don't use wildcarded CORS for non-public endpoints.

For non-Salesforce domains integrated with your application, you need to perform a Dynamic Application Security Test (DAST) scan on the external endpoints. Accepted tools include ZAP, Burp Suite, HCL AppScan, and WebInspect. When submitting your solution for security review, include the scan reports, authentication credentials, and any relevant API documentation for these integrations. These steps ensure your integration meets security review requirements.
Reasoning
The FAQ content is generally accurate and well-structured. I made minimal improvements to enhance clarity and conversational tone without changing the core information:

1. Changed "Do not use" to "Don't use" to make the language more conversational and match the brand guidelines.
2. Changed "the integration" to "your integration" to make it more direct and user-focused.
3. Changed "These steps ensure the integration meets" to "These steps ensure your integration meets" for consistency with the user-focused approach.

Regarding security rules selected:

- **ApexInsecureEndpoint**: This rule relates directly to the FAQ's discussion of ensuring external endpoints use proper security protocols. The FAQ specifically mentions "using TLS v1.2 or above", which aligns with this rule's purpose of preventing insecure endpoint connections.
- **AvoidInsecureHttpRemoteSiteSetting**: This rule is relevant to the FAQ's emphasis on security compliance for external integrations. The FAQ discusses integrating with external domains and ensuring they meet security standards, which directly relates to avoiding insecure HTTP connections in remote site settings.
- **AvoidDisableProtocolSecurityRemoteSiteSetting**: This rule connects to the FAQ's requirement that external endpoints comply with security standards. The FAQ emphasizes proper security configuration for external integrations, which aligns with this rule's purpose of maintaining protocol security.
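The two concrete technical requirements in the answer above (TLS v1.2 or above on every external endpoint, and no wildcard CORS on non-public endpoints; the recommended answer update repeats both) can be checked before the scan reports are written up. The following is an added example and is not code from the FAQ, from Salesforce, or from any of the named scanners: it pins a TLS handshake to each protocol version in turn, sends a CORS preflight from a foreign Origin, and classifies what comes back. The host `api.partner.example`, the probe origin `https://attacker.example`, and the sample results in the `__main__` block are constructed; `probe()` needs network access, while the two `*_findings()` classifiers run offline on captured results.

```python
"""Pre-submission checks for an external integration endpoint.

Added example (not from the FAQ or from Salesforce). It probes which TLS
versions an endpoint will negotiate and inspects the CORS headers it returns
to a foreign Origin. Hostnames and sample headers below are constructed.
"""
import http.client
import socket
import ssl
from typing import Dict, List

HOST = "api.partner.example"          # hypothetical; replace with the real endpoint
PROBE_ORIGIN = "https://attacker.example"  # an origin you do NOT control on the endpoint

PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def tls_handshake_ok(host: str, version: ssl.TLSVersion, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the server completes a handshake pinned to exactly `version`.

    Certificate checks are off on purpose: this tests protocol support, not trust.
    A failed legacy handshake can also mean the *local* OpenSSL policy refused to
    offer it, so False for TLSv1/1.1 is reassuring but not proof on its own.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the client offer legacy suites
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def fetch_cors_headers(host: str, path: str, probe_origin: str) -> Dict[str, str]:
    """Send an OPTIONS preflight from `probe_origin` and return the response headers."""
    conn = http.client.HTTPSConnection(host, timeout=5.0)
    conn.request("OPTIONS", path, headers={
        "Origin": probe_origin,
        "Access-Control-Request-Method": "GET",
    })
    headers = {k.lower(): v for k, v in conn.getresponse().getheaders()}
    conn.close()
    return headers


def tls_findings(support: Dict[str, bool]) -> List[str]:
    """Turn per-version handshake results into review findings (TLS 1.2+ required)."""
    findings = []
    for legacy in ("TLSv1", "TLSv1.1"):
        if support.get(legacy):
            findings.append(f"{legacy} accepted; disable it on the endpoint")
    if not (support.get("TLSv1.2") or support.get("TLSv1.3")):
        findings.append("no TLS 1.2 or 1.3 handshake succeeded")
    return findings


def cors_findings(headers: Dict[str, str], probe_origin: str, public_endpoint: bool) -> List[str]:
    """Flag CORS responses (header names in any case) that fail the review requirements."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao is None:
        return findings  # no cross-origin access granted at all
    if acao == "*" and not public_endpoint:
        findings.append("wildcard Access-Control-Allow-Origin on a non-public endpoint")
    if acao == "*" and creds:
        findings.append("wildcard origin combined with Allow-Credentials: true (browsers reject this; it signals misconfiguration)")
    if acao == probe_origin:
        findings.append(f"arbitrary Origin {probe_origin} reflected" + (" with credentials" if creds else ""))
    if acao == "null":
        findings.append("'null' origin allowed; sandboxed iframes send Origin: null")
    return findings


def probe(host: str, path: str = "/", public_endpoint: bool = False) -> Dict[str, List[str]]:
    """Run both live checks against `host` (needs network; not exercised offline)."""
    support = {name: tls_handshake_ok(host, ver) for name, ver in PROBE_VERSIONS.items()}
    headers = fetch_cors_headers(host, path, PROBE_ORIGIN)
    return {"tls": tls_findings(support), "cors": cors_findings(headers, PROBE_ORIGIN, public_endpoint)}


if __name__ == "__main__":
    # Constructed results standing in for a live probe of a weak endpoint.
    sample_tls = {"TLSv1": True, "TLSv1.1": False, "TLSv1.2": True, "TLSv1.3": False}
    sample_headers = {"Access-Control-Allow-Origin": "*", "Content-Type": "application/json"}
    for finding in tls_findings(sample_tls) + cors_findings(sample_headers, PROBE_ORIGIN, False):
        print("FINDING:", finding)
```

ZAP and Burp report the same two conditions, so the point of running this yourself is to confirm or refute a scanner finding before you either fix it or write it up as a justified false positive. Two caveats: a `tls_handshake_ok` result of False for TLSv1/1.1 can come from your own OpenSSL build refusing to offer those versions rather than from the server rejecting them, so corroborate with the scanner's output; and `public_endpoint` should be True only for endpoints that genuinely serve the same unauthenticated data to everyone, since a wildcard origin is acceptable only there.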