FAQ-001068 - Lead and Data Routing Security / General Security Considerations

Current FAQ

Question
What are the common security considerations for an application that automates data routing and assignment?
Answer
To ensure the security of an application that automates data routing and assignment, consider the following:

1. **Access Control**: Enforce object-level and field-level security (CRUD and FLS) to restrict data access based on user roles and permissions.
2. **Data Sensitivity**: Protect sensitive data (e.g., personal or financial information) by encrypting it both in transit and at rest.
3. **Authentication and Authorization**: Use OAuth for secure authentication and request only the minimum permissions needed.
4. **Input Validation**: Prevent vulnerabilities like XSS and SQL injection through proper input validation and encoding.
5. **Logging Practices**: Avoid logging sensitive information, such as API credentials or cryptographic secrets.
6. **Third-Party Integrations**: Ensure third-party libraries and APIs are secure, up-to-date, and document any known vulnerabilities.
7. **Secure Communication**: Use HTTPS for all external communications and ensure SSL configurations meet security standards.
8. **Data Storage**: Securely store credentials using encryption (e.g., AES-128 or higher) and follow secure key management practices.
9. **Security Testing**: Regularly test for vulnerabilities and address any issues promptly.
10. **Compliance**: Follow industry-specific regulations and standards like HIPAA or PCI DSS, if applicable.

These practices help mitigate risks and ensure the secure operation of your application.

AI Recommended Enhancement

Related Security Rules

- ApexCRUDViolation
- ApexSharingViolations
- ApexBadCrypto
- ApexSOQLInjection
- ApexXSSFromEscapeFalse
- ApexXSSFromURLParam
- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidInsecureHttpRemoteSiteSetting
- ProtectSensitiveData

Question
What are the common security considerations for an application that automates data routing and assignment?
Recommended Answer Update
To ensure the security of an application that automates data routing and assignment, consider the following:

1. **Access Control**: Enforce object-level and field-level security (CRUD and FLS) to restrict data access based on user roles and permissions. Use `WITH USER_MODE` for SOQL queries and `AccessLevel.USER_MODE` for Database methods to automatically enforce permissions.
2. **Data Sensitivity**: Protect sensitive data (e.g., personal or financial information) by encrypting it both in transit and at rest.
3. **Authentication and Authorization**: Use OAuth for secure authentication and request only the minimum permissions needed.
4. **Input Validation**: Prevent vulnerabilities like XSS and SOQL injection through proper input validation and encoding.
5. **Logging Practices**: Avoid logging sensitive information, such as API credentials or cryptographic secrets.
6. **Third-Party Integrations**: Ensure third-party libraries and APIs are secure, up-to-date, and document any known vulnerabilities.
7. **Secure Communication**: Use HTTPS for all external communications and ensure SSL configurations meet security standards.
8. **Data Storage**: Securely store credentials using Named Credentials and strong encryption (e.g., AES-256 or higher) following secure key management practices.
9. **Security Testing**: Regularly test for vulnerabilities and address any issues promptly.
10. **Compliance**: Follow industry-specific regulations and standards like HIPAA or PCI DSS, if applicable.

These practices help mitigate risks and ensure the secure operation of your application.
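The access-control, injection and credential-storage points above, as an added Apex example that is not part of the original FAQ. `LeadRouter`, its method names and the `Routing_API` Named Credential are hypothetical, and routing on `Lead.State` is an assumed criterion.

```apex
// Added example; LeadRouter, its methods and Routing_API are hypothetical names.
public with sharing class LeadRouter {

    // Weak form, shown for contrast: the region is concatenated into the query
    // (SOQL injection), and the query and DML run in system mode, so the
    // running user's CRUD/FLS permissions are not enforced.
    public static void routeByRegionUnsafe(String region, Id newOwnerId) {
        String q = 'SELECT Id, OwnerId FROM Lead WHERE State = \'' + region + '\'';
        List<Lead> leads = Database.query(q);
        for (Lead l : leads) { l.OwnerId = newOwnerId; }
        update leads;
    }

    // Hardened form: a bind variable replaces concatenation, and USER_MODE on
    // both the query and the DML applies object- and field-level permissions.
    public static Integer routeByRegion(String region, Id newOwnerId) {
        Map<String, Object> binds = new Map<String, Object>{ 'region' => region };
        List<Lead> leads = Database.queryWithBinds(
            'SELECT Id, OwnerId FROM Lead WHERE State = :region AND IsConverted = false',
            binds,
            AccessLevel.USER_MODE
        );
        for (Lead l : leads) { l.OwnerId = newOwnerId; }
        // Fails if the user lacks edit access to Lead or to Lead.OwnerId.
        Database.update(leads, AccessLevel.USER_MODE);
        return leads.size();
    }

    // Static SOQL equivalent of the query above.
    public static List<Lead> openLeads(String region) {
        return [SELECT Id, OwnerId FROM Lead
                WHERE State = :region AND IsConverted = false
                WITH USER_MODE];
    }

    // Callout through a Named Credential: no endpoint URL or secret in code,
    // and the callout: scheme resolves to the HTTPS endpoint configured in Setup.
    public static HttpResponse notifyRouting(Integer count) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Routing_API/assignments');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setBody(JSON.serialize(new Map<String, Object>{ 'assigned' => count }));
        return new Http().send(req);
    }
}
```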
Reasoning
The FAQ content is generally accurate but needed refinement in several areas to align with current security best practices:

1. **Access Control Enhancement**: Added modern security enforcement methods (`WITH USER_MODE` and `AccessLevel.USER_MODE`) as the primary recommendation while preserving the existing advice about CRUD and FLS, following the security approaches guidelines to prioritize modern features.
2. **Input Validation Clarification**: Changed "XSS and SQL injection" to "XSS and SOQL injection" to be more accurate for the Salesforce platform context.
3. **Credential Storage Modernization**: Enhanced point 8 to recommend Named Credentials as the primary approach and updated encryption standard from AES-128 to AES-256 to reflect current best practices.

Regarding the selected security rules:

- **ApexCRUDViolation** and **ApexSharingViolations**: Directly relate to point 1 about enforcing object-level and field-level security
- **ApexBadCrypto**: Connects to points 2 and 8 about data encryption and secure credential storage
- **ApexSOQLInjection**, **ApexXSSFromEscapeFalse**, **ApexXSSFromURLParam**: Relate to point 4 about input validation and preventing injection/XSS attacks
- **ApexInsecureEndpoint** and **AvoidInsecureHttpRemoteSiteSetting**: Connect to point 7 about secure communication and HTTPS usage
- **ApexSuggestUsingNamedCred**: Directly supports the enhanced recommendation for using Named Credentials in point 8
- **AvoidHardcodedCredentialsInFieldDecls** and **AvoidHardcodedCredentialsInVarDecls**: Relate to points 5 and 8 about secure credential storage and avoiding hardcoded secrets
- **ProtectSensitiveData**: Broadly relates to point 2 about protecting sensitive data and point 5 about logging practices