FAQ-000944 - External Service Security Testing / Specific Security Testing Requirements


Current FAQ

Question
What are the requirements for scanning external endpoints that integrate with Salesforce applications?
Answer
To scan external endpoints that integrate with Salesforce applications, you must:

1. Include all external endpoints in the security testing scope, especially those that authenticate users or transfer Salesforce data.
2. Obtain permission from third-party owners before testing external endpoints you do not own.
3. Use Dynamic Application Security Test (DAST) tools like ZAP, Burp Suite, HCL AppScan, or WebInspect to identify vulnerabilities.
4. Include the scan reports in your security review submission.
5. Document any false positives and ensure all code complies with Salesforce security guidelines.
6. Obtain Permissions: Get consent from third-party owners if the endpoints are not owned by you, allowing you to conduct security assessments.
7. Exercise Endpoints: Ensure the endpoints are fully exercised during the scan to uncover the complete attack surface. This includes routing traffic through the scanner's proxy and performing active scans.
8. Generate a Report: Export a detailed report after the scan, including the scan date, targeted endpoints, and findings.
9. Endpoint Control: If the endpoint is part of the security review, ensure you have control over it or that the owner consents to the review and commits to addressing any issues found.
10. Follow Guidelines: Adhere to Salesforce's external security testing guidelines, such as using TLS v1.2 or above and securely handling session IDs.

These steps are essential to meet security review requirements and maintain the application's security integrity.

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidDisableProtocolSecurityRemoteSiteSetting
- AvoidInsecureHttpRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
Question
What are the requirements for scanning external endpoints that integrate with Salesforce applications?
Recommended Answer Update
To scan external endpoints that integrate with Salesforce applications, you must:

1. Include all external endpoints in the security testing scope, especially those that authenticate users or transfer Salesforce data.
2. Obtain permission from third-party owners before testing external endpoints you do not own.
3. Use Dynamic Application Security Test (DAST) tools like ZAP, Burp Suite, HCL AppScan, or WebInspect to identify vulnerabilities.
4. Include the scan reports in your security review submission.
5. Document any false positives and ensure all code complies with Salesforce security guidelines.
6. Get consent from third-party owners if the endpoints are not owned by you, allowing you to conduct security assessments.
7. Ensure the endpoints are fully exercised during the scan to uncover the complete attack surface. This includes routing traffic through the scanner's proxy and performing active scans.
8. Export a detailed report after the scan, including the scan date, targeted endpoints, and findings.
9. If the endpoint is part of the security review, ensure you have control over it or that the owner consents to the review and commits to addressing any issues found.
10. Follow Salesforce's external security testing guidelines, such as using TLS v1.2 or above and securely handling session IDs.

These steps are essential to meet security review requirements and maintain the application's security integrity.
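As an added example (not part of this FAQ and not Salesforce's own tooling), the following Python helper takes the evidence a DAST scan has already gathered for each in-scope endpoint and produces the report fields step 8 asks for (scan date, targeted endpoints, findings), flagging the step 10 items: plain HTTP, a negotiated TLS version below v1.2, and session cookies that lack Secure or HttpOnly. The evidence dictionary shape, the partner hostnames and the cookie values are constructed assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

MIN_TLS = (1, 2)  # FAQ step 10: TLS v1.2 or above

def tls_tuple(version):
    # "TLSv1.2" -> (1, 2); "TLSv1" -> (1, 0)
    parts = (version[4:] if version.startswith("TLSv") else version).split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)

def cookie_findings(set_cookie):
    # One Set-Cookie header; a session ID cookie needs Secure and HttpOnly.
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name} lacks Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name} lacks HttpOnly")
    return findings

def check_endpoint(url, negotiated_tls, set_cookies):
    # negotiated_tls: version string the scanner observed, or None for plain HTTP
    findings = []
    if urlparse(url).scheme != "https":
        findings.append("endpoint is not served over HTTPS")
    if negotiated_tls and tls_tuple(negotiated_tls) < MIN_TLS:
        findings.append(f"negotiated {negotiated_tls}; TLS v1.2 or above required")
    for cookie in set_cookies:
        findings.extend(cookie_findings(cookie))
    return findings

def build_report(evidence):
    # Assumed evidence shape: {url: (negotiated_tls, [set_cookie_header, ...])}
    return {
        "scan_date": datetime.now(timezone.utc).date().isoformat(),
        "targets": sorted(evidence),
        "findings": {u: check_endpoint(u, t, c) for u, (t, c) in evidence.items()},
    }

# Constructed sample evidence, not output from a real scan
SAMPLE_EVIDENCE = {
    "https://api.partner.example/oauth/token": ("TLSv1.3", ["sid=abc; Secure; HttpOnly; SameSite=Lax"]),
    "https://legacy.partner.example/sync": ("TLSv1.1", ["JSESSIONID=xyz; Path=/"]),
    "http://files.partner.example/export": (None, []),
}

if __name__ == "__main__":
    print(build_report(SAMPLE_EVIDENCE))
```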
Reasoning
The FAQ content is accurate and comprehensive but has some minor improvements for clarity and conciseness. I removed redundant phrases like 'Obtain Permissions:' and 'Exercise Endpoints:' that made the content sound like headers rather than flow naturally. I simplified 'Generate a Report:' to just 'Export a detailed report' and removed the 'Endpoint Control:' prefix. These changes maintain all the original information while improving readability and flow.

Regarding security rules selected:

1. **ApexInsecureEndpoint** - This rule directly relates to the FAQ's focus on securing external endpoints that integrate with Salesforce. The FAQ discusses scanning external endpoints for vulnerabilities, which aligns with this rule's purpose of identifying insecure endpoints in Apex code.
2. **ApexSuggestUsingNamedCred** - This rule is relevant because the FAQ mentions external endpoints that authenticate users and transfer Salesforce data. When integrating with external services, using named credentials is a security best practice that this rule promotes.
3. **AvoidDisableProtocolSecurityRemoteSiteSetting** - The FAQ specifically mentions following Salesforce's external security testing guidelines including 'using TLS v1.2 or above', which directly relates to this rule about maintaining protocol security in remote site settings.
4. **AvoidInsecureHttpRemoteSiteSetting** - This rule complements the previous one and relates to the FAQ's emphasis on secure external endpoint configuration and the requirement to use secure protocols like TLS v1.2+.
5. **UseHttpsCallbackUrlConnectedApp** - This rule relates to the FAQ's discussion of external endpoints that authenticate users, as callback URLs are often part of OAuth flows with external services that need to be secured with HTTPS.