FAQ-000951 - External Service Security Testing / Third-Party API and Service Scanning


Current FAQ

Question
How should I proceed if running a required security scan would violate third-party terms of service?
Answer
If running a required security scan (like ZAP) on a third-party integration would violate their terms of service, you should:

1. **Request Security Reports**: Ask the third-party provider to share any available security reports, such as a penetration test report or other relevant documentation.
2. **Document Limitations**: If the third party cannot provide these reports, document this limitation and include any certifications or security assurances they have in your submission.
3. **Obtain Permission**: Ensure you have explicit permission from the third-party provider before attempting any scans.

This approach helps address the security review requirements while respecting the third party's terms of service.

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
Question
How should I proceed if running a required security scan would violate third-party terms of service?
Recommended Answer Update
If running a required security scan (like ZAP) on a third-party integration would violate their terms of service, you should:

1. **Request Security Reports**: Ask the third-party provider to share any available security reports, such as a penetration test report or other relevant documentation.
2. **Document Limitations**: If the third party can't provide these reports, document this limitation and include any certifications or security assurances they have in your submission.
3. **Obtain Permission**: Ensure you have explicit permission from the third-party provider before attempting any scans.

This approach helps address the security review requirements while respecting the third party's terms of service.
Reasoning
The FAQ content is accurate and well-structured, but I made minor wording improvements for clarity and conversational tone. Changed 'cannot' to 'can't' to match the conversational style guidelines and maintain consistency with the brand voice. The selected security rules relate directly to the FAQ's focus on third-party service integration security: ApexInsecureEndpoint identifies insecure HTTP endpoints in third-party integrations that this FAQ addresses when developers can't scan external services; ApexSuggestUsingNamedCred promotes secure credential management for third-party API calls mentioned in this context; AvoidInsecureHttpRemoteSiteSetting prevents HTTP remote sites that could be relevant when integrating with third parties; and AvoidDisableProtocolSecurityRemoteSiteSetting ensures protocol security isn't disabled for external connections, which is crucial when working with third-party services that can't be directly scanned.
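The callout patterns the four listed rules refer to, shown as an added Apex example that is not part of the FAQ or of the rule set: the first method is the shape ApexInsecureEndpoint and the Remote Site Setting rules flag, the second is the Named Credential form ApexSuggestUsingNamedCred asks for. The Named Credential API name `Example_API`, the host `api.example.com` and the `/v1/orders` path are assumptions for illustration, not a real provider.

```apex
// Added example, not code from the FAQ. Assumes a Named Credential with the
// API name Example_API exists in the org; host and path are placeholders.
public with sharing class ThirdPartyOrderClient {

    // Custom exception so callers can distinguish a failed callout.
    public class ApiException extends Exception {}

    // Flagged by ApexInsecureEndpoint: plaintext http:// endpoint, and the
    // bearer token is assembled in code, so it has to be stored and rotated
    // by hand. Reaching this host directly also needs a Remote Site Setting,
    // which is where AvoidInsecureHttpRemoteSiteSetting (an http:// URL) and
    // AvoidDisableProtocolSecurityRemoteSiteSetting (disableProtocolSecurity
    // set to true) apply.
    public static HttpResponse fetchOrdersInsecure(String apiToken) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.example.com/v1/orders');
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + apiToken);
        return new Http().send(req);
    }

    // Compliant form: endpoint, protocol and credential live in the
    // Example_API Named Credential. The callout: scheme resolves the URL and
    // injects the configured authentication at run time, so no secret appears
    // in Apex and no Remote Site Setting is required for this host.
    public static HttpResponse fetchOrders() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Example_API/v1/orders');
        req.setMethod('GET');
        req.setTimeout(10000); // milliseconds; fail fast on an unresponsive provider
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            throw new ApiException('Example_API returned HTTP ' + res.getStatusCode());
        }
        return res;
    }
}
```

Because a Named Credential callout does not go through a Remote Site Setting, the `disableProtocolSecurity` flag that AvoidDisableProtocolSecurityRemoteSiteSetting checks never enters the picture for that integration; the only place left to enforce HTTPS and the credential is the Named Credential definition itself, which is also the artifact a reviewer can inspect when the provider's own endpoints cannot be scanned.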