FAQ-001246 - Multi-Vulnerability Security Remediation / Salesforce-Specific Security Vulnerabilities

To address multiple Salesforce-specific security vulnerabilities, follow these comprehensive best practices: **SOQL/SOSL Injection**: - Use bind variables or `escapeSingleQuotes()` to sanitize user input. - Avoid directly injecting user input into queries. - For dynamic SOQL/SOSL, use `sObjectType` or `sObjectFields` to prevent injection and ensure proper CRUD/FLS checks. **Sharing Violations**: - Ensure operations are executed in the appropriate sharing context. - Use "with sharing" or "without sharing" as required by the business logic, and document the reasoning in your submission. - Clearly define scenarios where guest or automated users require specific access. **FLS (Field-Level Security) and CRUD Violations**: - Use `WITH USER_MODE` for SOQL queries and `AccessLevel.USER_MODE` for Database methods to automatically enforce permissions. - Alternatively, implement checks using methods like `isAccessible()`, `isUpdateable()`, and `isDeletable()` for DML operations. - Document any custom permission checks or mitigations in your submission. - Ensure all instances across the codebase are addressed. **DML Operations Inside Loops**: - Refactor the code to perform bulk operations outside the loop to improve code quality and avoid performance issues. - Security reviewers focus on actual security concerns, so ensure that false positives are documented with appropriate justifications. **Software Versions**: - Regularly update all software components to the latest secure versions. - For software with known vulnerabilities unrelated to your use case, document them as false positives and explain why they're safe for your solution. - Use the Common Vulnerabilities and Exposures (CVE) database to identify and address vulnerabilities. **Data Storage**: - Store sensitive data, such as API keys or client secrets, in protected custom settings, encrypted custom metadata, or using the Crypto API. - Avoid using public custom settings for sensitive information. - For external credentials, ensure secure storage and provide configuration options for customers. - Avoid hardcoding sensitive data in the code and ensure sensitive data is encrypted and not exposed in logs or debug outputs. **JavaScript in Salesforce DOM**: - Store JavaScript in static resources instead of directly loading it into the Salesforce DOM. - Avoid linking JavaScript from third-party servers. - Use secure methods like `URLFOR()` or `/resource[/timestamp]/YourStaticResourceName` to load static resources. - If dynamic content is necessary, host it externally and embed it via an iframe in a Visualforce page to ensure it's not associated with a Salesforce domain. **Session ID Usage**: - Don't share session IDs outside the Salesforce organization. - Approved use cases include internal operations like Metadata API calls or SOAP API usage where the session ID doesn't leave the org. - For external integrations, use OAuth tokens via a ConnectedApp with appropriate scopes instead of session IDs. **General Recommendations**: - Follow secure coding practices and use tools like Checkmarx and Salesforce Code Analyzer to identify and mitigate vulnerabilities. - For issues like insecure session handling or improper use of JavaScript, ensure compliance with best practices. - Prepare detailed documentation for any false positives and ensure all vulnerabilities are addressed before submission for security review. - Engage with the security review team for guidance on unresolved issues. By implementing these measures, you can effectively address the identified security findings and ensure your application meets Salesforce security standards.

Made stylistic improvements to align with the conversational brand guidelines: changed 'Do not share' to 'Don't share' and 'does not leave' to 'doesn't leave' for a more natural tone. Added modern security approaches by leading the FLS/CRUD section with `WITH USER_MODE` and `AccessLevel.USER_MODE` as recommended in the guidelines, while preserving the existing manual check approaches as valid alternatives. Selected security rules based on direct alignment with FAQ content: ApexSOQLInjection relates to the SOQL/SOSL injection prevention section, ApexSharingViolations corresponds to sharing context guidance, ApexCRUDViolation matches the FLS/CRUD violations content, ApexBadCrypto aligns with crypto API recommendations for data storage, ApexInsecureEndpoint relates to secure endpoint practices, session ID rules (AvoidApiSessionId, AvoidUnauthorizedApiSessionIdInApex, AvoidUnauthorizedGetSessionIdInApex) directly match the session ID usage section, ApexSuggestUsingNamedCred corresponds to external credential storage recommendations, hardcoded credential rules match the data storage security guidance, JavaScript loading rules (LoadJavaScriptIncludeScript, LoadJavaScriptHtmlScript) align with the JavaScript DOM section, and XSS prevention rules relate to the JavaScript security practices discussed.