How should I handle security review for non-traditional Salesforce packages like Marketing Cloud integrations?
Answer
For non-traditional Salesforce packages like Marketing Cloud integrations, the security review process involves:
1. **Test Environments**: Provide test environments for evaluation.
2. **Solution Documentation**: Submit detailed documentation of the solution.
3. **Security Scans**: Include security scan reports, such as DAST.
4. **Mobile Apps**: Ensure mobile apps meet platform-specific requirements.
5. **Extension Packages**: Adhere to the same standards as standalone solutions.
The review team assesses the security posture, including external components and data transfer mechanisms, to ensure compliance with enterprise security standards. Documenting false positives and addressing flagged vulnerabilities during scans is also recommended.
How should I handle security review for non-traditional Salesforce packages like Marketing Cloud integrations?
Recommended Answer Update
For non-traditional Salesforce packages like Marketing Cloud integrations, the security review process involves:
1. **Test Environments**: Provide test environments for evaluation.
2. **Solution Documentation**: Submit detailed documentation of the solution.
3. **Security Scans**: Include security scan reports, such as DAST.
4. **Mobile Apps**: Ensure mobile apps meet platform-specific requirements.
5. **Extension Packages**: Adhere to the same standards as standalone solutions.
The review team assesses the security posture, including external components and data transfer mechanisms, to ensure compliance with enterprise security standards. Document false positives and address flagged vulnerabilities during scans.
Reasoning
The original answer was already well-structured and accurate. I made one minor improvement: changed 'Documenting false positives and addressing flagged vulnerabilities during scans is also recommended' to 'Document false positives and address flagged vulnerabilities during scans' to follow the brand guidelines of being more direct and concise while maintaining a conversational tone.
Regarding security rules selection:
- ApexInsecureEndpoint: Selected because Marketing Cloud integrations often involve external API connections, and this rule helps identify insecure HTTP endpoints
- ApexSuggestUsingNamedCred: Relevant for Marketing Cloud integrations that need to securely store and manage credentials for external API connections
- AvoidHardcodedCredentialsInFieldDecls and AvoidHardcodedCredentialsInVarDecls: Critical for Marketing Cloud integrations which frequently handle API keys and authentication tokens
- AvoidInsecureHttpRemoteSiteSetting: Important for Marketing Cloud integrations that make callouts to external services
- AvoidDisableProtocolSecurityRemoteSiteSetting: Ensures secure protocol usage in Marketing Cloud integrations
- UseHttpsCallbackUrlConnectedApp: Relevant for OAuth flows commonly used in Marketing Cloud integrations
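As an added illustration (constructed here, not part of the original answer or of any Salesforce code), the following Apex class shows the callout patterns that the selected Apex rules flag next to the Named Credential form they recommend; the Named Credential name `MC_API`, the `example.invalid` host and the REST path are assumptions. The Remote Site Setting and Connected App rules in the list apply to metadata XML rather than Apex and are not shown.

```apex
// Constructed example: one class, an insecure method beside its hardened form.
public with sharing class MarketingCloudClient {

    // AvoidHardcodedCredentialsInFieldDecls would flag a secret literal in a field.
    // Placeholder value only; a real secret never belongs in source or metadata.
    private static final String CLIENT_SECRET = 'PLACEHOLDER-client-secret';

    // Insecure form: everything the rules above are meant to catch.
    public static HttpResponse fetchJourneysInsecure() {
        // AvoidHardcodedCredentialsInVarDecls: token literal in a local variable.
        String accessToken = 'PLACEHOLDER-access-token';

        HttpRequest req = new HttpRequest();
        // ApexInsecureEndpoint: plain http:// endpoint for an external API.
        req.setEndpoint('http://example.invalid/interaction/v1/journeys');
        req.setMethod('GET');
        // ApexSuggestUsingNamedCred: Authorization header assembled by hand in Apex.
        req.setHeader('Authorization', 'Bearer ' + accessToken);
        return new Http().send(req);
    }

    // Hardened form: the Named Credential MC_API (assumed name) stores the HTTPS
    // endpoint and the auth configuration; the platform adds the Authorization
    // header at callout time, so no token or secret appears in code.
    public static HttpResponse fetchJourneys() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:MC_API/interaction/v1/journeys');
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

Running the Code Analyzer with the rules listed above against this class reports each commented line in `fetchJourneysInsecure` and the field declaration, while `fetchJourneys` passes clean.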