FAQ-000925 - External Service Security Testing / Scan Report Issues and Requirements


Current FAQ

Question
What are the specific requirements for ZAP Scanner Reports for non-Salesforce domains?
Answer
For ZAP Scanner reports for non-Salesforce domains, here are the specific requirements:
- Provide a clean ZAP scan report to expedite the security review process.
- If the domain is publicly accessible, include authentication credentials with all roles.
- Ensure the ZAP scan covers all relevant API endpoints or web services.
- The report should include the scan date, targeted endpoints, and findings.
- If the domain is part of remote site settings, a ZAP scan report is mandatory.
- Perform a DAST scan using tools like ZAP to conduct a Dynamic Application Security Test (DAST) scan on all external endpoints that operate independently of the Salesforce platform.
- Obtain permissions: Ensure you have the necessary permissions from third parties to perform security testing on external endpoints.
These steps are essential to meet the security review requirements.

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
Question
What are the specific requirements for ZAP Scanner Reports for non-Salesforce domains?
Recommended Answer Update
For ZAP Scanner reports for non-Salesforce domains, here are the specific requirements:
- Provide a clean ZAP scan report to expedite the security review process.
- If the domain is publicly accessible, include authentication credentials with all roles.
- Ensure the ZAP scan covers all relevant API endpoints or web services.
- The report should include the scan date, targeted endpoints, and findings.
- If the domain is part of remote site settings, a ZAP scan report is mandatory.
- Perform a DAST scan using tools like ZAP to conduct a Dynamic Application Security Test on all external endpoints that operate independently of the Salesforce platform.
- Obtain permissions: Ensure you have the necessary permissions from third parties to perform security testing on external endpoints.
These steps are essential to meet the security review requirements.
Reasoning
The FAQ content is accurate and comprehensive, but I made a minor improvement to reduce redundancy. The original text said 'conduct a Dynamic Application Security Test (DAST) scan', which was redundant since DAST already means Dynamic Application Security Testing. I simplified this to 'conduct a Dynamic Application Security Test' to eliminate the redundancy while preserving the meaning and detail level.

Regarding security rules selection:
1. **ApexInsecureEndpoint** - This rule is highly relevant because the FAQ discusses ZAP scanning requirements for 'all external endpoints that operate independently of the Salesforce platform.' This rule specifically addresses insecure endpoint usage in Apex, which directly relates to the external endpoint security testing requirements described in the FAQ.
2. **AvoidInsecureHttpRemoteSiteSetting** - This rule is directly applicable because the FAQ explicitly states 'If the domain is part of remote site settings, a ZAP scan report is mandatory.' This rule focuses on preventing insecure HTTP remote site settings, which aligns with the FAQ's emphasis on security testing domains configured in remote site settings.
3. **AvoidDisableProtocolSecurityRemoteSiteSetting** - This rule complements the previous rule and is relevant because the FAQ discusses security requirements for domains in remote site settings. This rule ensures protocol security isn't disabled in remote site configurations, supporting the overall security testing framework the FAQ describes.
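The two Remote Site Setting rules named above flag exactly two things in a Remote Site Setting's metadata: a plain-HTTP URL and a disabled protocol-security flag. The following is an added illustration, not part of the FAQ or of the Salesforce rule set, showing a setting that both rules would flag beside the form that passes. The host `api.example.com` and the description text are constructed placeholders; each `<RemoteSiteSetting>` element is assumed to live in its own metadata file, so the two elements are shown here only for side-by-side comparison.

```xml
<!-- Constructed example: the external endpoint this package calls out to.
     Any remote site like this must also be covered by the ZAP scan report. -->

<!-- FLAGGED by AvoidInsecureHttpRemoteSiteSetting (http:// URL) and by
     AvoidDisableProtocolSecurityRemoteSiteSetting (disableProtocolSecurity=true).
     With protocol security disabled, callouts to this site may be downgraded to
     plain HTTP, so credentials and data travel unencrypted. -->
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <description>Partner API (placeholder host, not a real endpoint)</description>
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://api.example.com</url>
</RemoteSiteSetting>

<!-- PASSES both rules: HTTPS-only URL and protocol security left enabled, so the
     platform enforces TLS for every callout to this site. -->
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <description>Partner API (placeholder host, not a real endpoint)</description>
    <disableProtocolSecurity>false</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>https://api.example.com</url>
</RemoteSiteSetting>
```

When preparing a submission, the domains listed in `<url>` across all active Remote Site Settings are the ones the FAQ says must each appear as targeted endpoints in the ZAP report, with the scan date and findings recorded for each.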
Reasoning References