FAQ-000945 - External Service Security Testing / Specific Security Testing Requirements

Current Status: VALID_RESPONSE

Current FAQ

Question
What security documentation and scan results are required for an external service endpoint that is a serverless function?
Answer
For an external service endpoint that is a serverless function, the following security documentation and scan results are required as part of the security review process:

1. **Penetration Testing Reports**: Submit pen test reports for the external endpoint to ensure it is secure and follows best practices.
2. **DAST Scan Reports**: Include Dynamic Application Security Test (DAST) scan results, such as ZAP scan reports, to identify vulnerabilities.
3. **False Positives Documentation**: Document any false positives found during scans and provide justifications for why they are considered false positives.
4. **Authentication Credentials**: Provide authentication credentials for the endpoint, if applicable, to allow the security review team to perform necessary tests.
5. **Compliance with Security Guidelines**: Ensure compliance with Salesforce's guidelines for securely transferring credentials and data.

Additionally, if the external endpoint is not owned by you, obtain permission to perform security testing. Follow Salesforce's guidelines for IP addresses and domains to allow during testing.

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
Question
What security documentation and scan results are required for an external service endpoint that is a serverless function?
Recommended Answer Update
For an external service endpoint that's a serverless function, you'll need to provide these security documents and scan results as part of the security review:

1. **Penetration Testing Reports**: Submit pen test reports for the external endpoint to ensure it follows security best practices.
2. **DAST Scan Reports**: Include Dynamic Application Security Test (DAST) scan results, such as ZAP scan reports, to identify vulnerabilities.
3. **False Positives Documentation**: Document any false positives found during scans and provide justifications for why they're considered false positives.
4. **Authentication Credentials**: Provide authentication credentials for the endpoint, if applicable, to allow the security review team to perform necessary tests.
5. **Compliance with Security Guidelines**: Ensure compliance with Salesforce's guidelines for securely transferring credentials and data.

Additionally, if you don't own the external endpoint, obtain permission to perform security testing. Follow Salesforce's guidelines for IP addresses and domains to allow during testing.
Reasoning
The content is generally accurate and comprehensive. I made minor improvements to align with the brand and tone guidelines: simplified the opening phrase from 'the following security documentation and scan results are required' to 'you'll need to provide these security documents', made language more conversational with contractions like 'that's', and changed 'if the external endpoint is not owned by you' to the more direct 'if you don't own the external endpoint'. These changes maintain all existing points while making the text more conversational and user-focused.

For security rules selection: ApexInsecureEndpoint directly relates to the FAQ's focus on securing external service endpoints. ApexSuggestUsingNamedCred relates to the FAQ's mention of 'securely transferring credentials' and authentication credentials for endpoints. The hardcoded credentials rules (AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls) all relate to the FAQ's emphasis on 'securely transferring credentials and data' and providing 'authentication credentials'; these rules help ensure credentials are handled securely rather than hardcoded when connecting to external serverless endpoints.
Reasoning References