FAQ-000928 - External Service Security Testing / Scan Report Issues and Requirements


Current FAQ

Question
How can I confirm that my submitted web app scan results meet all security review requirements?
Answer
To confirm that your submitted web app scan results meet all security review requirements, ensure the following:

1. **Include DAST Scan Reports**: Submit Dynamic Application Security Test (DAST) scan reports for every external web application or service that the package calls or redirects users to.
2. **Document False Positives**: Identify each false positive and document it with a clear, specific explanation of why the finding does not apply to your application.
3. **Address Security Issues**: Fix all flagged security issues, or document them as false positives with proper justification; every finding in the report should end up in one of those two states.
4. **Use Approved Tools**: Generate the results with the required tools and methodologies. Note that the Source Code Scanner (Checkmarx) is a static scan of the package's own Apex, Visualforce and Lightning code; it does not produce a DAST report for an external web app, so a submission that includes both packaged code and an external service needs both kinds of report.
5. **Provide Endpoint Access**: Make every external endpoint and environment used by the web app reachable for the review team's own testing, and confirm that those endpoints handle Salesforce credentials and customer data securely (HTTPS throughout, no plaintext HTTP).
6. **Follow-the-Data Approach**: Test and secure every component that interacts with customer data, wherever it runs, not only the parts that live inside the managed package.

For additional guidance, you can schedule an appointment with the Security Review Operations team via the Partner Security Portal.


AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
Question
(unchanged from the Current FAQ above)
Recommended Answer Update
(no change recommended; the current answer is retained as written)
Reasoning
The FAQ content is clear and accurate regarding web app scan requirements for AppExchange security review. No significant issues were found that required updates to the answer content. The structure and information are appropriate for the security review context.

Regarding the selected security rules:

1. **ApexInsecureEndpoint**: This rule flags Apex callouts whose endpoint is a plaintext http:// URL. It connects to the FAQ's item "Provide Endpoint Access: Ensure all external endpoints and environments used by the web app are accessible and securely handle Salesforce credentials and data": a callout that sends Salesforce credentials or data over HTTP is not handling them securely.
2. **AvoidInsecureHttpRemoteSiteSetting**: This rule flags Remote Site Settings whose URL is http:// rather than https://. It is relevant to the FAQ's emphasis on securing "all external web applications or services", because the Remote Site Setting is what authorizes the package to call that service in the first place.
3. **AvoidDisableProtocolSecurityRemoteSiteSetting**: This rule flags Remote Site Settings with disableProtocolSecurity set to true, which allows a callout to that site to fall back from HTTPS to plaintext HTTP. The flag lives in the package metadata and is caught by the source scan; the TLS configuration of the endpoint itself is what the DAST scan evaluates, so both checks are needed to meet the requirement to "securely handle Salesforce credentials and data".
4. **UseHttpsCallbackUrlConnectedApp**: This rule flags Connected Apps whose OAuth callback URL is http://. Under the FAQ's "Follow-the-Data Approach", the callback URL is part of the data path: the authorization code or access token is delivered to it, so it must be HTTPS.
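The four rules above all reduce to one question: does any packaged artifact name a plaintext http:// endpoint, or switch protocol security off? The script below is an added example, written for this page and not part of Salesforce Code Analyzer or the Checkmarx scan, that answers that question for a package before submission. It runs over a constructed sample package embedded inline (an Apex class, a RemoteSiteSetting and a ConnectedApp, all hypothetical) and reports which rule each file trips. The element names and XML namespace are those of the Salesforce Metadata API; the Apex check only matches string literals passed to setEndpoint, so endpoints built at runtime are out of its reach and still need the real source scan.

```python
"""Pre-submission check for the four AppExchange rules discussed above.

Added example, not Salesforce Code Analyzer. It scans package metadata that
is constructed inline below and reports, per rule, the file and the value
that triggered it.
"""
import re
import xml.etree.ElementTree as ET

# Salesforce Metadata API namespace; element names follow the Metadata API
# types RemoteSiteSetting and ConnectedApp.
NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample package (file path -> contents). Hypothetical; every
# file deliberately violates one or more of the rules.
SAMPLE_PACKAGE = {
    "classes/PaymentCallout.cls": """
public with sharing class PaymentCallout {
    public static HttpResponse charge(String body) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://payments.example.com/v1/charge'); // plaintext
        req.setMethod('POST');
        req.setBody(body);
        return new Http().send(req);
    }
}
""",
    "remoteSiteSettings/Payments.remoteSite-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://payments.example.com</url>
</RemoteSiteSetting>
""",
    "connectedApps/Portal.connectedApp-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Portal</label>
    <contactEmail>security@example.com</contactEmail>
    <oauthConfig>
        <callbackUrl>http://portal.example.com/oauth/callback</callbackUrl>
        <scopes>Api</scopes>
    </oauthConfig>
</ConnectedApp>
""",
}

# Captures the single-quoted literal passed to setEndpoint(...). Apex is
# case-insensitive, hence IGNORECASE. Named-credential endpoints such as
# 'callout:MyCred/path' do not start with http:// and are not flagged.
_ENDPOINT_RE = re.compile(r"setEndpoint\s*\(\s*'([^']*)'", re.IGNORECASE)


def _is_plain_http(url: str) -> bool:
    return url.strip().lower().startswith("http://")


def check_package(files: dict) -> list:
    """Return (rule, file, detail) tuples for every violation found."""
    findings = []
    for path, text in files.items():
        if path.endswith(".cls"):
            for url in _ENDPOINT_RE.findall(text):
                if _is_plain_http(url):
                    findings.append(("ApexInsecureEndpoint", path, url))
        elif path.endswith(".remoteSite-meta.xml"):
            root = ET.fromstring(text)
            url = root.findtext("m:url", default="", namespaces=NS)
            if _is_plain_http(url):
                findings.append(("AvoidInsecureHttpRemoteSiteSetting", path, url))
            flag = root.findtext("m:disableProtocolSecurity", default="false", namespaces=NS)
            if flag.strip().lower() == "true":
                findings.append(("AvoidDisableProtocolSecurityRemoteSiteSetting", path, flag))
        elif path.endswith(".connectedApp-meta.xml"):
            root = ET.fromstring(text)
            for cb in root.findall("m:oauthConfig/m:callbackUrl", NS):
                # A Connected App may list several callback URLs, one per line.
                for url in (cb.text or "").splitlines():
                    if _is_plain_http(url):
                        findings.append(("UseHttpsCallbackUrlConnectedApp", path, url.strip()))
    return findings


def rules_triggered(files: dict) -> set:
    """Names of the rules that fire at least once for this package."""
    return {rule for rule, _, _ in check_package(files)}


if __name__ == "__main__":
    for rule, path, detail in check_package(SAMPLE_PACKAGE):
        print(f"{rule}: {path}: {detail}")
```

Run against the sample package it reports all four rules, one per artifact plus the protocol-security flag; replacing each http:// with https:// and setting disableProtocolSecurity to false yields an empty list. Treat an empty result as a necessary, not sufficient, condition: the real review still requires the source scan and the DAST report described in the answer.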