What is the policy on scanning third-party cloud service endpoints?
Answer
The policy for scanning third-party cloud service endpoints includes the following:
1. **Inclusion in Security Review**: Third-party cloud service endpoints must be included in the security review if they are involved in user authentication or the transfer of Salesforce data.
2. **Permission Requirement**: Obtain permission from the third-party owner before performing any security testing on endpoints you do not own.
3. **Use of Security Tools**: Use automated security scanning tools, such as ZAP or Burp, to identify vulnerabilities.
4. **Documentation**: Document the findings and provide a detailed report as part of the security review submission.
5. **Consent for Testing**: Ensure you have the necessary consent to conduct the security assessment if the endpoint is not owned by you.
These steps are essential to comply with Salesforce's security review requirements.
What is the policy on scanning third-party cloud service endpoints?
Recommended Answer Update
The policy for scanning third-party cloud service endpoints includes the following:
1. **Inclusion in Security Review**: Third-party cloud service endpoints must be included in the security review if they're involved in user authentication or the transfer of Salesforce data.
2. **Permission Requirement**: Get permission from the third-party owner before performing any security testing on endpoints you don't own.
3. **Use of Security Tools**: Use automated security scanning tools, such as ZAP or Burp, to identify vulnerabilities.
4. **Documentation**: Document the findings and provide a detailed report as part of the security review submission.
5. **Consent for Testing**: Ensure you have the necessary consent to conduct the security assessment if the endpoint isn't owned by you.
These steps are essential to comply with Salesforce's security review requirements.
Reasoning
The FAQ content is accurate and comprehensive but needed minor language improvements for clarity and conciseness. I made these refinements:
1. Changed "if they are involved" to "if they're involved" for conversational tone
2. Changed "Obtain permission" to "Get permission" for more direct language
3. Changed "if the endpoint is not owned" to "if the endpoint isn't owned" for consistency with conversational style
These changes align with the brand guidelines to use contractions and more direct, conversational language while preserving all original information and structure.
Regarding the selected security rules:
- **ApexInsecureEndpoint**: This rule relates to the FAQ's focus on third-party endpoint security and the requirement to include endpoints in the security review when they handle authentication or Salesforce data transfers.
- **ApexSuggestUsingNamedCred**: This rule is relevant to the FAQ's discussion of third-party service integration security, as Named Credentials are a secure way to handle authentication with external services.
- **AvoidInsecureHttpRemoteSiteSetting**: This rule directly relates to the FAQ's emphasis on security testing of third-party endpoints, as it flags insecure HTTP connections to remote sites.
- **AvoidDisableProtocolSecurityRemoteSiteSetting**: This rule aligns with the FAQ's security focus by ensuring protocol security isn't disabled when connecting to third-party services, which is part of the overall endpoint security assessment.
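As an added illustration (not part of the FAQ or its review), the Apex callout pattern below is the kind of code the first two listed PMD rules flag, shown beside the Named Credential form they steer toward; the endpoint URL, the token placeholder and the credential name `Partner_API` are assumptions.

```apex
// Added example, not from the FAQ. Names and URLs are placeholders.
public with sharing class PartnerSync {

    // Placeholder only; a real secret must never be stored in source.
    private static final String HARDCODED_TOKEN = 'REPLACE_ME_TOKEN';

    // Flagged by ApexInsecureEndpoint (plain http:// endpoint) and by
    // ApexSuggestUsingNamedCred (Authorization header assembled in code).
    // Calling this also requires a Remote Site Setting for the host, which is
    // where the two RemoteSiteSetting rules above come into play.
    public static HttpResponse syncInsecure(String payload) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://partner.example.com/api/records'); // placeholder host
        req.setHeader('Authorization', 'Bearer ' + HARDCODED_TOKEN);
        req.setMethod('POST');
        req.setBody(payload);
        return new Http().send(req);
    }

    // Preferred form: the Named Credential "Partner_API" (assumed name) holds the
    // HTTPS URL and the secret, and the platform injects the Authorization header.
    // Named Credential callouts do not need a Remote Site Setting, so the
    // insecure-HTTP and disabled-protocol-security settings cannot be introduced here.
    public static HttpResponse syncWithNamedCredential(String payload) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/api/records');
        req.setHeader('Content-Type', 'application/json');
        req.setMethod('POST');
        req.setBody(payload);
        return new Http().send(req);
    }
}
```

Running the PMD Apex ruleset over the first method before submitting a package gives the documented findings the review expects; the second method is what the submission should contain.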