FAQ-000926 - External Service Security Testing / Scan Report Issues and Requirements


Current FAQ

Question
How do I ensure all endpoints are correctly scanned and included in my security review submission?
Answer
To ensure all external endpoints are included in your scan report for security review, follow these steps:

1. **Identify All Endpoints**: List all external endpoints in your solution, including those that authenticate users or transfer Salesforce data.
2. **Use a DAST Scanner**: Employ tools like ZAP, Burp Suite, HCL AppScan, or WebInspect for scanning.
3. **Set Up Proxy**: Configure the scanner's proxy to capture and analyze requests and responses for the external endpoints.
4. **Exercise All Endpoints**: While the scanner is running, interact with all relevant API endpoints or web services to expose the full attack surface.
5. **Run Active Scans**: Select the recorded endpoints in the tool and perform active scans to simulate attacks and identify vulnerabilities.
6. **Export a Full Report**: Ensure the report includes the scan date, targeted endpoints, and all findings.
7. **Submit the Report**: Include the scan report in your security review submission, along with documentation for any false positives if applicable.
8. **Perform a DAST Scan**: Use tools like ZAP, Burp Suite, HCL AppScan, or WebInspect to scan all external endpoints that operate independently of Salesforce.
9. **Address Issues**: Resolve any critical or high-severity issues identified in the scan.
10. **Document False Positives**: Provide clear documentation for any false positives, if applicable.
11. **Obtain Permissions**: Secure necessary permissions to perform security testing on third-party endpoints.
12. **Follow Guidelines**: Adhere to Salesforce's IP address and domain guidelines.

Make sure to obtain permissions for testing any external endpoints you do not own. These steps will help ensure your submission meets the security review requirements.

AI Recommended Enhancement

Related Security Rules
ApexInsecureEndpoint
Question
How do I ensure all endpoints are correctly scanned and included in my security review submission?
Recommended Answer Update
To ensure all external endpoints are included in your scan report for security review, follow these steps:

1. **Identify All Endpoints**: List all external endpoints in your solution, including those that authenticate users or transfer Salesforce data.
2. **Use a DAST Scanner**: Employ tools like ZAP, Burp Suite, HCL AppScan, or WebInspect for scanning.
3. **Set Up Proxy**: Configure the scanner's proxy to capture and analyze requests and responses for the external endpoints.
4. **Exercise All Endpoints**: While the scanner is running, interact with all relevant API endpoints or web services to expose the full attack surface.
5. **Run Active Scans**: Select the recorded endpoints in the tool and perform active scans to simulate attacks and identify vulnerabilities.
6. **Export a Full Report**: Ensure the report includes the scan date, targeted endpoints, and all findings.
7. **Submit the Report**: Include the scan report in your security review submission, along with documentation for any false positives if applicable.
8. **Address Issues**: Resolve any critical or high-severity issues identified in the scan.
9. **Document False Positives**: Provide clear documentation for any false positives, if applicable.
10. **Obtain Permissions**: Secure necessary permissions to perform security testing on third-party endpoints.
11. **Follow Guidelines**: Adhere to Salesforce's IP address and domain guidelines.

Make sure to obtain permissions for testing any external endpoints you don't own. These steps will help ensure your submission meets the security review requirements.
Reasoning
I removed duplicate content to improve clarity and readability. The original answer contained two separate points that were essentially the same - step 2 already mentioned using DAST scanners like ZAP and Burp Suite, while step 8 repeated this same information. I consolidated this into a single, clearer instruction. I also made a minor grammatical improvement by changing 'you do not own' to 'you don't own' for a more conversational tone. The ApexInsecureEndpoint rule is relevant because this FAQ discusses scanning external endpoints for security vulnerabilities, and this rule specifically identifies when Apex code makes HTTP requests to insecure endpoints. The FAQ's guidance on ensuring all external endpoints are properly scanned and secured directly relates to the security concerns this rule addresses - preventing insecure endpoint usage in applications.
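As an added example (not part of this FAQ or of any Salesforce tooling), the script below applies the procedure in both answers above to a submission before it is sent in: it reconciles the declared endpoint inventory against the sites in an exported DAST report and flags what a reviewer would send back (no scan date, declared endpoints that were never scanned, scanned hosts outside the inventory that need permission, unresolved High findings), and, in the spirit of the ApexInsecureEndpoint rule, any inventory entry that is not HTTPS. The report key layout is assumed to follow ZAP's JSON export; the inventory and report are constructed sample data.

```python
import json
from urllib.parse import urlparse

# Constructed inventory of the solution's external endpoints (the "identify" step).
INVENTORY = [
    "https://api.example-vendor.test/v1/auth/token",
    "https://api.example-vendor.test/v1/records",
    "https://sync.example-partner.test/upload",  # declared but never exercised
    "http://legacy.example-vendor.test/ping",    # plain HTTP: insecure endpoint
]

# Constructed report; the key layout is assumed from ZAP's JSON export.
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "@generated": "Tue, 2 Jan 2024 10:15:00",  # the scan date the report must carry
    "site": [{
        "@name": "https://api.example-vendor.test",
        "@host": "api.example-vendor.test", "@port": "443", "@ssl": "true",
        "alerts": [{
            "pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
            "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)",
            "instances": [{"uri": "https://api.example-vendor.test/v1/records?q=x",
                           "method": "GET"}],
        }],
    }, {
        "@name": "https://tracker.example-thirdparty.test",  # scanned, not declared
        "@host": "tracker.example-thirdparty.test", "@port": "443", "@ssl": "true",
        "alerts": [],
    }],
})

def origin(url):
    # Normalise to scheme://host[:port], lower-cased, so inventory and report match.
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()

def review_checks(inventory, report_json):
    """Return the gaps that would get a submission sent back for rework."""
    report = json.loads(report_json)
    sites = {s["@name"].lower() for s in report.get("site", [])}
    declared = {origin(u) for u in inventory}
    # riskcode 3 is High in ZAP's scale; anything at or above it must be resolved.
    high = [a["alert"] for s in report.get("site", [])
            for a in s.get("alerts", []) if int(a.get("riskcode", 0)) >= 3]
    return {
        "missing_scan_date": not report.get("@generated"),
        "unscanned": sorted(declared - sites),          # declared, never scanned
        "out_of_inventory": sorted(sites - declared),   # scanned without permission?
        "insecure_scheme": sorted(u for u in inventory if urlparse(u).scheme != "https"),
        "open_high_or_critical": high,                  # must be fixed before submitting
    }
```

Run `review_checks(INVENTORY, SAMPLE_REPORT)` on your own inventory and exported report; an empty value for every key is the state a submission should be in.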