Can third-party security assessment reports be substituted for required vulnerability scans?
Answer
No, third-party security assessment reports cannot be substituted for required vulnerability scans like Burp Suite in the AppExchange Security Review. The review process mandates the use of specific scanning tools, such as the Source Code Scanner (Checkmarx) for Salesforce code and Dynamic Application Security Test (DAST) scanners like Burp Suite or ZAP for external endpoints. These scans are required to identify vulnerabilities and must be included in the submission.
However, Salesforce allows the submission of full penetration test (pentest) results as an alternative to running your own dynamic scan. The pentests must be recent (preferably within 30 days of submission), and all actionable vulnerabilities identified in the report must be remediated.
AI Recommended Enhancement
Question
Can third-party security assessment reports be substituted for required vulnerability scans?
Recommended Answer Update
No, third-party security assessment reports can't be substituted for required vulnerability scans in the AppExchange Security Review. The review process requires specific scanning tools, such as the Source Code Scanner (Checkmarx) for Salesforce code and Dynamic Application Security Test (DAST) scanners like Burp Suite or ZAP for external endpoints. These scans identify vulnerabilities and must be included in your submission.
However, you can submit full penetration test (pentest) results as an alternative to running your own dynamic scan. The pentests must be recent (preferably within 30 days of submission), and you'll need to remediate all actionable vulnerabilities identified in the report.
Reasoning
The original answer was well-structured and accurate but used overly formal language that didn't align with the conversational tone guidelines. I made the following improvements:
1. **Improved conversational tone**: Changed "cannot be substituted" to "can't be substituted" and "allows the submission" to "you can submit" to make it more direct and user-focused.
2. **Enhanced clarity**: Simplified "mandates the use of" to "requires" and "must be remediated" to "you'll need to remediate" for clearer, more actionable language.
3. **Better flow**: Made the text more scannable while preserving all original information and structure.
No security rules were associated because this FAQ discusses AppExchange Security Review process requirements and submission procedures rather than specific code security vulnerabilities that would be detected by the available scanner rules. The rules in the provided list focus on code-level security issues (like SOQL injection, XSS, hardcoded credentials, etc.) while this FAQ addresses procedural requirements for security testing tools and alternatives.