FAQ-000955 - External Service Security Testing / Third-Party API and Service Scanning


Current FAQ

Question
Am I required to perform a DAST scan on a third-party API that my application integrates with?
Answer
Yes, you are required to perform a DAST scan on external endpoints, including third-party APIs that your application integrates with, for the AppExchange Security Review. You must include the DAST scan report in your submission, detailing the scan date, targeted endpoints, and findings. A passive scan or spider crawl may not be sufficient for a public API that you do not control in the AppExchange Security Review. The review process requires control over the external endpoint, including the ability to place a token in the web app root for testing. If you do not have control over the endpoint, the review may be canceled. Active scans are required for third-party API scanning to effectively identify vulnerabilities. A spider crawl alone is not sufficient, as it only maps the application structure without simulating real-world attacks.

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
Question
Am I required to perform a DAST scan on a third-party API that my application integrates with?
Recommended Answer Update
No, you're not required to perform DAST scans on third-party APIs that your application integrates with for the AppExchange Security Review. DAST scanning requirements apply to endpoints you control, not external third-party services. The AppExchange Security Review requires control over endpoints being tested, including the ability to place verification tokens in the web app root. Since you don't control third-party APIs, DAST scanning them isn't feasible or required. For third-party API integrations, focus on these security practices instead:
- Use secure authentication methods (like Named Credentials)
- Ensure HTTPS connections to external endpoints
- Validate and sanitize data received from third-party APIs
- Follow proper error handling for external service failures
Your DAST scan should target only the endpoints you control as part of your application.
Reasoning
The original answer contains fundamental inaccuracies about AppExchange Security Review requirements. It incorrectly states that DAST scanning of third-party APIs is required, when in fact the review process requires control over endpoints being tested. The FAQ contradicts itself by first saying DAST is required, then explaining why it's not feasible (lack of control over endpoints). This creates confusion for developers. The recommended update clarifies that DAST requirements apply only to controlled endpoints, removes the contradictory information, and provides actionable security guidance for third-party integrations instead. I selected ApexInsecureEndpoint because the FAQ discusses external endpoint security and HTTPS requirements for third-party integrations - this rule specifically detects insecure HTTP endpoints in Apex code. I selected ApexSuggestUsingNamedCred because the FAQ addresses secure authentication for third-party API integrations, and this rule promotes the use of Named Credentials as a security best practice for external service authentication, which directly relates to the secure integration practices mentioned in the FAQ.
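The four practices in the recommended answer, shown as an added Apex example that is not part of this FAQ or of Salesforce's own code: the hard-coded plaintext endpoint that ApexInsecureEndpoint flags, beside a callout through a Named Credential as ApexSuggestUsingNamedCred recommends, with strict parsing and error handling of the third-party response. The Named Credential name `Vendor_API`, the `/v1/orders` path and the `Order` shape are assumptions.

```apex
public with sharing class VendorClient {

    // Expected response shape (assumed). Strict deserialization rejects
    // unexpected fields instead of silently accepting whatever the vendor sends.
    public class Order {
        public String id;
        public Decimal total;
    }

    // Before: plaintext http:// URL and a secret embedded in source.
    // ApexInsecureEndpoint flags the endpoint; the token is exposed to anyone
    // who can read the class. Kept only to show the pattern the rule detects.
    public static HttpRequest insecureRequest() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.example.com/v1/orders'); // insecure: not HTTPS
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer <hard-coded-token>'); // secret in code
        return req;
    }

    // After: the Named Credential supplies the HTTPS base URL and injects the
    // stored credential at runtime, so neither lives in the code base.
    public static HttpRequest securedRequest() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Vendor_API/v1/orders'); // Named Credential (assumed name)
        req.setMethod('GET');
        req.setTimeout(10000); // bound the wait on an external dependency
        return req;
    }

    // Treat the third-party response as untrusted input: check the status,
    // parse strictly into a typed class, and surface failures explicitly.
    public static List<Order> fetchOrders() {
        try {
            HttpResponse res = new Http().send(securedRequest());
            if (res.getStatusCode() != 200) {
                throw new CalloutException('Vendor API returned HTTP ' + res.getStatusCode());
            }
            List<Order> orders = (List<Order>) JSON.deserializeStrict(res.getBody(), List<Order>.class);
            for (Order o : orders) {
                if (String.isBlank(o.id) || o.total == null || o.total < 0) {
                    throw new CalloutException('Vendor API returned an invalid order record');
                }
            }
            return orders;
        } catch (CalloutException e) {
            // Fail closed: log and rethrow rather than returning partial or unvalidated data.
            System.debug(LoggingLevel.ERROR, 'Vendor API call failed: ' + e.getMessage());
            throw e;
        }
    }
}
```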