FAQ-000934 - External Service Security Testing / Scanning Tool Alternatives and Workarounds

Current Status: VALID_RESPONSE

Current FAQ

Question
If an automated security scanner cannot scan my external application, what are the accepted alternative tools and reports?
Answer
If an automated security scanner cannot scan your external application, you can submit a full penetration test (pentest) report. The pentest should be recent (ideally within 30 days of submission) and must include all actionable vulnerabilities that have been remediated. Alternatively, you can use Dynamic Application Security Test (DAST) tools such as OWASP ZAP, Burp Suite, VeraCode Dynamic Analysis, Intruder, or Acunetix. The DAST scan report should provide details about the current security risk level and the likelihood of risk exploitation for each request and response payload. If security scanning tools refuse to run on external endpoints, you can use a Dynamic Application Security Test (DAST) scanner like ZAP, Burp Suite, HCL AppScan, or WebInspect. These tools are designed to scan external endpoints and identify vulnerabilities. Be sure to include the reports from these scans in your security review submission.

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- AvoidDisableProtocolSecurityRemoteSiteSetting
- AvoidInsecureHttpRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
Question
If an automated security scanner cannot scan my external application, what are the accepted alternative tools and reports?
Recommended Answer Update
If an automated security scanner can't scan your external application, you have several options:

**Penetration Testing**
Submit a full penetration test (pentest) report that's recent (ideally within 30 days of submission) and includes all actionable vulnerabilities that have been remediated.

**Dynamic Application Security Testing (DAST) Tools**
Use DAST tools like:
- OWASP ZAP
- Burp Suite
- Veracode Dynamic Analysis
- Intruder
- Acunetix
- HCL AppScan
- WebInspect

Your DAST scan report should provide details about the current security risk level and likelihood of risk exploitation for each request and response payload. These tools are specifically designed to scan external endpoints and identify vulnerabilities. Be sure to include all reports from these scans in your security review submission.
Reasoning
The original answer had good content but suffered from repetitive information and unclear organization. The main issues were:
1) DAST tools were mentioned twice with overlapping tool lists, creating confusion about options;
2) The flow between penetration testing and DAST options wasn't clear;
3) Some minor wording could be improved for clarity (e.g., 'VeraCode' should be 'Veracode').

The recommended update consolidates the duplicated DAST tool information into a single, comprehensive list while maintaining all the original points and preserving the same level of detail. This improves clarity without removing any existing information or adding new requirements.

Regarding related security rules:
- ApexInsecureEndpoint relates to this FAQ because it deals with securing external endpoints, which is exactly what external applications represent: endpoints that need security scanning.
- AvoidDisableProtocolSecurityRemoteSiteSetting and AvoidInsecureHttpRemoteSiteSetting are relevant because external applications often require remote site settings for communication, and these rules ensure those connections maintain proper security protocols during testing.
- UseHttpsCallbackUrlConnectedApp applies because external applications frequently use Connected Apps for OAuth flows, and the security testing mentioned in this FAQ should verify that HTTPS is properly enforced for callbacks.
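The four related rules above all reduce to the same question: does the package talk to the external application only over HTTPS, with protocol security left on? As an added example (not part of the original FAQ, the review tooling, or the official rule implementations), the Python script below applies my reading of those four rules to Salesforce metadata and Apex source before a submission. The sample metadata and Apex class are constructed; the field names checked (`url`, `disableProtocolSecurity`, `oauthConfig/callbackUrl`, `setEndpoint(...)`) are the standard metadata and Apex names, but mapping each to a rule is my assumption about what the rule looks for.

```python
"""Pre-submission lint for the four related security rules (added example, not the official rules)."""
import re
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# Rule names as listed on the page; the matching logic below is an assumption about each rule.
APEX_INSECURE_ENDPOINT = "ApexInsecureEndpoint"
AVOID_DISABLE_PROTOCOL_SECURITY = "AvoidDisableProtocolSecurityRemoteSiteSetting"
AVOID_INSECURE_HTTP_REMOTE_SITE = "AvoidInsecureHttpRemoteSiteSetting"
USE_HTTPS_CALLBACK_URL = "UseHttpsCallbackUrlConnectedApp"

# Only literal endpoints are visible statically; endpoints built at runtime are not caught here.
_SET_ENDPOINT = re.compile(r"setEndpoint\s*\(\s*'([^']*)'", re.IGNORECASE)


def _text(elem, tag):
    node = elem.find(NS + tag)
    return (node.text or "").strip() if node is not None else ""


def check_remote_site(xml_text):
    """Findings for one RemoteSiteSetting: plain http URL, or protocol security disabled."""
    root = ET.fromstring(xml_text)
    findings = []
    url = _text(root, "url")
    if url.lower().startswith("http://"):
        findings.append((AVOID_INSECURE_HTTP_REMOTE_SITE, url))
    if _text(root, "disableProtocolSecurity").lower() == "true":
        findings.append((AVOID_DISABLE_PROTOCOL_SECURITY, url))
    return findings


def check_connected_app(xml_text):
    """Findings for one ConnectedApp: any OAuth callback URL that is not https."""
    root = ET.fromstring(xml_text)
    oauth = root.find(NS + "oauthConfig")
    if oauth is None:
        return []
    # Several callback URLs may be listed, one per line.
    return [(USE_HTTPS_CALLBACK_URL, u) for u in _text(oauth, "callbackUrl").split()
            if u.lower().startswith("http://")]


def check_apex(source):
    """Findings for one Apex class: literal http:// endpoints passed to setEndpoint."""
    return [(APEX_INSECURE_ENDPOINT, m.group(1)) for m in _SET_ENDPOINT.finditer(source)
            if m.group(1).lower().startswith("http://")]


def lint_package(files):
    """files: mapping of path -> content. Returns (rule, path, detail) tuples."""
    checkers = {".remoteSite-meta.xml": check_remote_site,
                ".connectedApp-meta.xml": check_connected_app,
                ".cls": check_apex}
    results = []
    for path, content in files.items():
        for suffix, checker in checkers.items():
            if path.endswith(suffix):
                results.extend((rule, path, detail) for rule, detail in checker(content))
    return results


# Constructed sample package: one bad remote site, one connected app with a mixed
# callback list, one Apex class with a literal http endpoint and a named-credential call.
SAMPLE_FILES = {
    "remoteSiteSettings/Legacy_API.remoteSite-meta.xml": """
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://legacy.example.com</url>
</RemoteSiteSetting>
""",
    "connectedApps/Portal.connectedApp-meta.xml": """
<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
    <contactEmail>security@example.com</contactEmail>
    <label>Portal</label>
    <oauthConfig>
        <callbackUrl>http://portal.example.com/oauth/callback
https://portal.example.com/oauth/callback</callbackUrl>
        <scopes>Api</scopes>
    </oauthConfig>
</ConnectedApp>
""",
    "classes/SyncService.cls": """
public with sharing class SyncService {
    public static HttpResponse pull() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://legacy.example.com/export');
        req.setMethod('GET');
        return new Http().send(req);
    }
    public static HttpResponse push() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/import');
        return new Http().send(req);
    }
}
""",
}

if __name__ == "__main__":
    for rule, path, detail in lint_package(SAMPLE_FILES):
        print(f"{rule}: {path} -> {detail}")
```

Run against the constructed package it reports four findings: two on the remote site (plain http URL and protocol security disabled), one on the http callback URL, and one on the literal http endpoint in Apex; the `callout:` named-credential endpoint is left alone. The static check is only a pre-flight: an endpoint assembled from configuration or custom settings at runtime is invisible to it, which is exactly the kind of evidence the DAST scan or pentest report requested in this FAQ has to supply.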