FAQ-001067 - Lead and Data Routing Security / Data Security and Sharing

To ensure proper data security and sharing in an automated lead routing application, follow these best practices: ### Data Security - Use secure coding practices, such as encrypting sensitive data during storage and transmission. - Implement strong authentication mechanisms like HMAC or JWT for external callouts. - Store secrets securely using Named Credentials or Custom Settings with encryption (AES-256 or higher for server-side apps). Avoid hardcoding credentials in your code. ### Sharing Rules - Apply sharing rules to control record access based on user roles and permissions. - Use "without sharing" mode only when necessary, with documented business justification. - For guest users, secure access through inherited sharing or validation mechanisms. ### CRUD/FLS Checks - Enforce Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) checks to prevent unauthorized data access. Use `WITH USER_MODE` for SOQL queries and `AccessLevel.USER_MODE` for Database methods when possible. - Use tools like Salesforce Code Analyzer (SFCA), Checkmarx, or PMD to identify and address vulnerabilities. ### Input Validation - Validate and sanitize all user inputs to prevent injection attacks including SOQL injection and XSS. - Use encoding functions to securely handle user-generated content. ### Static Resources - Load JavaScript, CSS, and other resources from static resources instead of third-party endpoints. ### Audit and Documentation - Conduct regular security audits and document all security activities. - Maintain an inventory of third-party libraries and ensure they're secure and up-to-date. By implementing these measures, you can enhance the security and compliance of your lead routing application.

The FAQ covers comprehensive security topics for lead routing applications. I made several targeted improvements: 1) Updated encryption recommendation from AES-128 to AES-256 (stronger standard), 2) Replaced generic 'platform features or vendor-provided libraries' with specific 'Named Credentials or Custom Settings' for clearer guidance, 3) Added explicit warning about hardcoded credentials, 4) Modernized CRUD/FLS guidance by leading with WITH USER_MODE and AccessLevel.USER_MODE per guidelines, 5) Updated tool reference from SFCA-DFA to current 'Salesforce Code Analyzer (SFCA)', and 6) Enhanced input validation to specifically mention SOQL injection and XSS attacks. These changes align with modern Salesforce security practices while preserving all original content structure. For security rules: ApexCRUDViolation relates to the CRUD/FLS checks section that discusses enforcing data access controls. ApexSharingViolations connects to the sharing rules section covering 'without sharing' usage. ApexBadCrypto relates to the encryption practices mentioned in data security. ApexSOQLInjection and ApexXSSFromURLParam connect to the input validation section discussing injection attacks. ApexInsecureEndpoint relates to secure external callouts mentioned in authentication. ApexSuggestUsingNamedCred aligns with the updated guidance on using Named Credentials. AvoidHardcodedCredentialsInFieldDecls and AvoidHardcodedCredentialsInVarDecls relate to the added warning about avoiding hardcoded credentials in code.