FAQ-000961 - External Service Security Testing / Uncategorized

Current FAQ

Question
How do I provide web application scan results for my external endpoints?
Answer
To provide web application scan results for external endpoints in the AppExchange Security Review, you need to use a Dynamic Application Security Test (DAST) scanner, such as ZAP, Burp Suite, HCL AppScan, or WebInspect. Make sure the external endpoints are within the scope of the security review, which includes endpoints that authenticate users or transfer Salesforce data. Include the DAST scan reports in your security review submission. If the external endpoints are not owned by you, you must obtain the necessary permissions from the third-party owners before conducting the scans.
AI Recommended Enhancement

Related Security Rules
ApexInsecureEndpoint
Question
How do I provide web application scan results for my external endpoints?
Recommended Answer Update
To provide web application scan results for external endpoints in the AppExchange Security Review, you need to use a Dynamic Application Security Test (DAST) scanner, such as ZAP, Burp Suite, HCL AppScan, or WebInspect. Make sure the external endpoints are within the scope of the security review, which includes endpoints that authenticate users or transfer Salesforce data. Include the DAST scan reports in your security review submission. If the external endpoints aren't owned by you, you must obtain the necessary permissions from the third-party owners before conducting the scans.
Reasoning
The FAQ content is accurate and well-structured. I made one minor improvement to enhance readability by changing "are not owned by you" to "aren't owned by you" to align with the conversational tone guidelines that recommend using contractions. This makes the text more natural and approachable while maintaining all the technical accuracy and completeness. I selected the ApexInsecureEndpoint rule because this FAQ directly relates to external endpoint security scanning, which is the core purpose of this security rule. The FAQ discusses DAST scanning of external endpoints that authenticate users or transfer Salesforce data, which aligns with the ApexInsecureEndpoint rule's focus on detecting insecure endpoint configurations. The rule helps identify when Apex code makes HTTP requests to insecure endpoints, and this FAQ provides guidance on how to properly security test those external endpoints through DAST scanning before submission to AppExchange.