FAQ-001543 - Proactive Security Architecture Review / Readiness Assessment and Pre-Checks


Current FAQ

Question
How can I proactively ensure my application's architecture meets security standards before the official review?
Answer
To proactively ensure your application's architecture meets security standards before the official review, follow these steps:

1. **Secure Your Solution**: Align with industry best security standards and ensure Lightning Ready compliance if applicable.
2. **Comprehensive Testing**: Use manual testing and automated tools like Salesforce Code Analyzer and Checkmarx. Include all external endpoints interacting with your solution.
3. **Address Security Issues**: Fix flagged issues or document false positives.
4. **Create Documentation**: Prepare architecture diagrams showing data touchpoints, information flows, authentication, authorizations, and security controls.
5. **Update Third-Party Libraries**: Maintain an inventory of third-party libraries, ensuring they are secure and up-to-date.
6. **Periodic Security Scans**: Conduct scans throughout development to identify and resolve vulnerabilities early.
7. **Permissions for Testing**: Obtain permissions for security testing on external endpoints and follow Salesforce's IP and domain guidelines.
8. **Document Security Practices**: Include your software development lifecycle methodology, vulnerability management, and breach response procedures.
9. **Consult with Security Teams**: Schedule technical office hours with the Product Security team via the Partner Security Portal for guidance on secure design and potential vulnerabilities.

These steps will help you minimize risks and improve your chances of passing the security review on the first submission.
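Steps 2, 3 and 6 together describe a loop: scan on every build, fix what the scanner flags, and keep a written record of anything you decide is a false positive. The script below is an added example of a CI gate that closes that loop; it is not part of this FAQ and not Salesforce's own tooling. It parses a scanner report, refuses to honour a suppression that has no justification and review date, and fails the build when undocumented findings remain at or above a chosen severity. The report layout (a list of per-file entries with `engine`, `fileName` and `violations`, severity 1 = high, 2 = moderate, 3 = low) is an assumption modelled on Salesforce Code Analyzer's JSON output; the sample report and the false-positive register are constructed for the example.

```python
"""CI gate for periodic security scans: parse a findings report, drop
documented false positives, fail on anything at or above a severity threshold."""
import json
import sys
from dataclasses import dataclass

# Constructed sample report. Its shape is an ASSUMPTION modelled on Salesforce
# Code Analyzer's JSON output; only the fields the gate uses are included and
# the messages are illustrative, not copied from the tool.
SAMPLE_REPORT = json.dumps([
    {"engine": "pmd", "fileName": "force-app/main/default/classes/ReportCtrl.cls",
     "violations": [
         {"line": 42, "severity": 1, "ruleName": "ApexSOQLInjection",
          "message": "Untrusted value used in SOQL query"}]},
    {"engine": "pmd", "fileName": "force-app/main/default/classes/ContactService.cls",
     "violations": [
         {"line": 17, "severity": 1, "ruleName": "ApexCRUDViolation",
          "message": "CRUD permission not checked before DML"}]},
    {"engine": "pmd", "fileName": "force-app/main/default/classes/Integration.cls",
     "violations": [
         {"line": 9, "severity": 2, "ruleName": "AvoidHardcodedCredentialsInVarDecls",
          "message": "Credential appears to be hard-coded"},
         {"line": 12, "severity": 3, "ruleName": "ApexSuggestUsingNamedCred",
          "message": "Consider a named credential for this callout"}]},
    {"engine": "retire-js", "fileName": "force-app/main/default/staticresources/jquery.js",
     "violations": [
         {"line": 1, "severity": 1, "ruleName": "LibraryWithKnownHighSeverityVulnerability",
          "message": "Bundled library version has known high severity vulnerabilities"}]},
])

# Constructed false-positive register: the written record that step 3 asks for.
# Each entry must name the finding exactly and carry a justification and a
# review date; otherwise the gate ignores it.
FALSE_POSITIVE_REGISTER = [
    {"rule": "ApexSOQLInjection",
     "file": "force-app/main/default/classes/ReportCtrl.cls", "line": 42,
     "justification": "Value is an Id validated with Id.valueOf() before use",
     "reviewed": "2024-05-01"},
    # No justification or review date: recorded, but NOT honoured as a suppression.
    {"rule": "ApexCRUDViolation",
     "file": "force-app/main/default/classes/ContactService.cls", "line": 17},
]


@dataclass(frozen=True)
class Finding:
    engine: str
    rule: str
    file: str
    line: int
    severity: int  # assumed convention: 1 = high, 2 = moderate, 3 = low
    message: str


def parse_report(report_json: str) -> list[Finding]:
    """Flatten the per-file report into one Finding per violation, in report order."""
    findings = []
    for entry in json.loads(report_json):
        for v in entry.get("violations", []):
            findings.append(Finding(
                engine=entry.get("engine", "unknown"),
                rule=v["ruleName"],
                file=entry["fileName"],
                line=int(v["line"]),
                severity=int(v["severity"]),
                message=v.get("message", ""),
            ))
    return findings


def is_documented_false_positive(finding: Finding, register: list[dict]) -> bool:
    """True only if a register entry matches rule+file+line AND is properly documented."""
    for entry in register:
        key = (entry.get("rule"), entry.get("file"), entry.get("line"))
        if key != (finding.rule, finding.file, finding.line):
            continue
        if entry.get("justification") and entry.get("reviewed"):
            return True
    return False


def gate(report_json: str, register: list[dict], threshold: int = 2) -> dict:
    """Sort findings into blocking / suppressed / below_threshold buckets."""
    result = {"blocking": [], "suppressed": [], "below_threshold": []}
    for f in parse_report(report_json):
        if is_documented_false_positive(f, register):
            result["suppressed"].append(f)
        elif f.severity <= threshold:          # lower number = more severe
            result["blocking"].append(f)
        else:
            result["below_threshold"].append(f)
    return result


def build_passes(report_json: str, register: list[dict], threshold: int = 2) -> bool:
    return not gate(report_json, register, threshold)["blocking"]


if __name__ == "__main__":
    # Usage: python gate.py [report.json]; without an argument the constructed sample is used.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    outcome = gate(report, FALSE_POSITIVE_REGISTER)
    for f in outcome["blocking"]:
        print(f"BLOCK sev{f.severity} {f.rule} {f.file}:{f.line}  {f.message}")
    for f in outcome["suppressed"]:
        print(f"FP    {f.rule} {f.file}:{f.line}  (documented false positive)")
    for f in outcome["below_threshold"]:
        print(f"INFO  sev{f.severity} {f.rule} {f.file}:{f.line}")
    sys.exit(0 if build_passes(report, FALSE_POSITIVE_REGISTER) else 1)
```

Keeping the register in the repository next to the code gives the reviewer exactly the false-positive documentation step 3 calls for, and the gate's refusal to honour an entry without a justification stops a finding from being silenced without that record. The threshold is deliberately a parameter so a team can block on high findings only while a backlog of moderate ones is being worked down.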

AI Recommended Enhancement

Related Security Rules (click to view)
- ApexBadCrypto
- ApexCRUDViolation
- ApexCSRF
- ApexDangerousMethods
- ApexInsecureEndpoint
- ApexOpenRedirect
- ApexSharingViolations
- ApexSOQLInjection
- ApexSuggestUsingNamedCred
- ApexXSSFromEscapeFalse
- ApexXSSFromURLParam
- AvoidApiSessionId
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- LibraryWithKnownCriticalSeverityVulnerability
- LibraryWithKnownHighSeverityVulnerability
- LibraryWithKnownMediumSeverityVulnerability
- LibraryWithKnownLowSeverityVulnerability
Question
How can I proactively ensure my application's architecture meets security standards before the official review?
Recommended Answer Update
To proactively ensure your application's architecture meets security standards before the official review, follow these steps:

1. **Secure Your Solution**: Align with industry best security standards and ensure Lightning Ready compliance if applicable.
2. **Comprehensive Testing**: Use manual testing and automated tools like Salesforce Code Analyzer and Checkmarx. Include all external endpoints interacting with your solution.
3. **Address Security Issues**: Fix flagged issues or document false positives.
4. **Create Documentation**: Prepare architecture diagrams showing data touchpoints, information flows, authentication, authorizations, and security controls.
5. **Update Third-Party Libraries**: Maintain an inventory of third-party libraries, ensuring they're secure and up-to-date.
6. **Periodic Security Scans**: Conduct scans throughout development to identify and resolve vulnerabilities early.
7. **Permissions for Testing**: Obtain permissions for security testing on external endpoints and follow Salesforce's IP and domain guidelines.
8. **Document Security Practices**: Include your software development lifecycle methodology, vulnerability management, and breach response procedures.
9. **Consult with Security Teams**: Schedule technical office hours with the Product Security team via the Partner Security Portal for guidance on secure design and potential vulnerabilities.

These steps will help you minimize risks and improve your chances of passing the security review on the first submission.
Reasoning
The FAQ content is accurate and comprehensive. The minor improvement made was changing 'they are secure and up-to-date' to 'they're secure and up-to-date' to align with the conversational tone guidelines that recommend using contractions. No other changes were needed as the content appropriately covers proactive security architecture review practices.

For the security rules selected, I chose rules that directly relate to the types of vulnerabilities and security issues that developers would discover during proactive security testing as described in the FAQ:

- ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexXSSFromEscapeFalse, ApexXSSFromURLParam: These rules relate to the FAQ's mention of 'Comprehensive Testing' and 'automated tools like Salesforce Code Analyzer'; these are exactly the types of Apex security vulnerabilities that would be flagged during proactive testing.
- AvoidApiSessionId, AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls: These relate to the FAQ's guidance about 'Address Security Issues' and securing solutions according to 'industry best security standards'.
- AvoidInsecureHttpRemoteSiteSetting, AvoidDisableProtocolSecurityRemoteSiteSetting: These relate to the FAQ's mention of 'external endpoints interacting with your solution' and ensuring secure endpoint configurations.
- LibraryWithKnownCriticalSeverityVulnerability, LibraryWithKnownHighSeverityVulnerability, LibraryWithKnownMediumSeverityVulnerability, LibraryWithKnownLowSeverityVulnerability: These directly relate to the FAQ's point about 'Update Third-Party Libraries: Maintain an inventory of third-party libraries, ensuring they are secure and up-to-date.'