FAQ-000959 - External Service Security Testing / Tool-Specific Guidance


Current FAQ

Question
Where can I find instructions on how to run the required security scanner against my external API endpoints?
Answer
To run the required security scanner against your external API endpoints, follow these steps:

1. Use a Dynamic Application Security Test (DAST) scanner like ZAP, Burp Suite, HCL AppScan, or WebInspect.
2. Set up your API client or browser to route traffic through the scanner tool's proxy to capture and analyze requests and responses.
3. Exercise the relevant API endpoints or web services while the scanner tool is running as a proxy to help it discover the full attack surface.
4. Select the recorded endpoints in the tool and run an active scan to simulate real attacks and identify vulnerabilities.
5. Use the tool's interface to manually intercept, modify, or fuzz requests for deeper testing if needed.
6. Export a full report after the scan, including the scan date, targeted endpoints, and all findings.

Make sure you have obtained permission from the third-party owner of the external endpoints before performing the security testing.


AI Recommended Enhancement

Related Security Rules
ApexInsecureEndpoint
ApexSuggestUsingNamedCred
AvoidDisableProtocolSecurityRemoteSiteSetting
AvoidInsecureHttpRemoteSiteSetting
UseHttpsCallbackUrlConnectedApp
Recommended Answer Update
To run the required security scanner against your external API endpoints, follow these steps:

1. Use a Dynamic Application Security Test (DAST) scanner like ZAP, Burp Suite, HCL AppScan, or WebInspect.
2. Set up your API client or browser to route traffic through the scanner tool's proxy to capture and analyze requests and responses.
3. Exercise the relevant API endpoints or web services while the scanner tool is running as a proxy to help it discover the full attack surface.
4. Select the recorded endpoints in the tool and run an active scan to simulate real attacks and identify vulnerabilities.
5. Use the tool's interface to manually intercept, modify, or fuzz requests for deeper testing if needed.
6. Export a full report after the scan, including the scan date, targeted endpoints, and all findings.

Make sure you have obtained permission from the third-party owner of the external endpoints before performing the security testing.
Reasoning
The current FAQ content is accurate and well-structured, providing clear step-by-step instructions for running DAST scans against external API endpoints. No significant changes were needed as the content already follows best practices for conversational tone and actionable guidance.

I selected the following security rules based on their direct relevance to external API endpoint security testing:

1. **ApexInsecureEndpoint** - This rule is directly relevant because the FAQ discusses testing external API endpoints, and this rule identifies insecure endpoint configurations in Apex code that would be discovered during DAST scanning.
2. **ApexSuggestUsingNamedCred** - This rule relates to the FAQ's focus on external API security because it promotes using Named Credentials for secure external API authentication, which is a key security consideration when testing external endpoints.
3. **AvoidDisableProtocolSecurityRemoteSiteSetting** - This rule is relevant because external API endpoint testing often involves Remote Site Settings, and this rule ensures protocol security isn't disabled for external connections.
4. **AvoidInsecureHttpRemoteSiteSetting** - This rule directly relates to the FAQ's external API focus by ensuring Remote Site Settings use secure HTTPS protocols rather than insecure HTTP when connecting to external endpoints.
5. **UseHttpsCallbackUrlConnectedApp** - This rule is relevant to external API security testing because it ensures secure HTTPS callback URLs in Connected Apps, which are often involved in external API integrations that would be tested using the DAST scanning approach described in the FAQ.