FAQ-001209 - Manual Security Review vs Automated Scanning / Additional Security Checks Beyond Automation

If an app fails the security review for issues not detected by scanning tools, follow these steps: **Immediate Actions:** 1. **Review the feedback** provided in the review report, which includes examples of the issues that need to be fixed across the solution 2. **Remediate the identified vulnerabilities** and ensure similar issues are resolved throughout the application 3. **Perform thorough manual testing** throughout the development lifecycle alongside automated scanning tools **Testing Strategy:** 4. **Use comprehensive testing approaches** including: - Manual testing of the solution's architecture - Testing external endpoints and areas not covered by automated tools - Follow-the-data approach to test all components involving customer data - Penetration testing on Developer Edition test orgs **Documentation and Resubmission:** 5. **Document false positives** - If you believe any flagged issues are false positives, document them with proper justifications 6. **Address all flagged issues** by fixing the code or providing clear explanations 7. **Conduct final testing** before resubmission 8. **Resubmit the updated package** for follow-up security review, including all required materials and updated scan reports **Additional Support:** - Schedule office hours with the Product Security team for guidance on resolving specific issues - Use tools like Salesforce Code Analyzer alongside manual testing to identify missed violations - Ensure your solution adheres to Salesforce security guidelines throughout the process

The existing FAQ is well-structured and comprehensive, covering the complete process for handling security review failures. The content accurately reflects the manual security review process and provides actionable guidance. I made one minor editorial improvement by removing the category and subcategory lines at the end, as these appear to be metadata rather than user-facing content and don't add value to the FAQ answer. For security rules association, I selected rules that represent common security issues that automated tools might miss and require manual review: - **ApexCRUDViolation**: This rule relates to the FAQ's emphasis on "follow-the-data approach to test all components involving customer data" and the need for "manual testing of the solution's architecture" as CRUD violations often require contextual analysis. - **ApexSharingViolations**: Connected to the FAQ's mention of "comprehensive testing approaches" and "manual testing" since sharing rule violations often require understanding business logic context that automated tools may not fully capture. - **ApexSOQLInjection**: Relevant to the FAQ's discussion of "testing external endpoints and areas not covered by automated tools" as SOQL injection vulnerabilities can be context-dependent and may require manual code review to identify. - **ApexXSSFromEscapeFalse** and **ApexXSSFromURLParam**: These XSS-related rules connect to the FAQ's emphasis on "penetration testing" and "follow-the-data approach" since XSS vulnerabilities often require manual testing to understand the full data flow and identify where user input might be improperly handled.