FAQ-001571 - SDK and Framework Security / Security Responsibility Documentation


Current FAQ

Question
How can I document that certain security controls are the responsibility of the developer implementing my framework?
Answer
To document that certain security controls are the responsibility of the developer implementing your framework, you can:

1. **Create a Corporate Security Policy**: Outline roles and responsibilities for securing the solution, specifying activities developers must perform (e.g., secure coding practices, CRUD/FLS checks, data validation).
2. **Provide Architecture Diagrams**: Include diagrams showing security controls and data flows to clarify responsibilities.
3. **Offer Secure Coding Guidelines**: Document best practices and processes for vulnerability management to guide developers.

Let me know if you need help with anything else!

AI Recommended Enhancement

Related Security Rules
ApexCRUDViolation
Question
How can I document that certain security controls are the responsibility of the developer implementing my framework?
Recommended Answer Update
To document that certain security controls are the responsibility of the developer implementing your framework, you can:

1. **Create a Corporate Security Policy**: Outline roles and responsibilities for securing the solution, specifying activities developers must perform (e.g., secure coding practices, CRUD/FLS checks, data validation).
2. **Provide Architecture Diagrams**: Include diagrams showing security controls and data flows to clarify responsibilities.
3. **Offer Secure Coding Guidelines**: Document best practices and processes for vulnerability management to guide developers.

Let me know if you need help with anything else!
Reasoning
The FAQ content is well-structured and accurate. No significant changes are needed, as the answer appropriately addresses the question about documenting security control responsibilities when developing frameworks. The content correctly identifies key documentation approaches: corporate security policies, architecture diagrams, and secure coding guidelines.

For the related security rule ApexCRUDViolation: this rule is directly relevant because the FAQ specifically mentions "CRUD/FLS checks" as an example of security activities that developers must perform when implementing frameworks. The ApexCRUDViolation rule detects when CRUD (Create, Read, Update, Delete) permissions are not properly enforced in Apex code, which is exactly the type of security control that framework developers need to document as the implementing developer's responsibility. The FAQ's mention of "specifying activities developers must perform (e.g., secure coding practices, CRUD/FLS checks, data validation)" directly relates to what this security rule is designed to catch and prevent.
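As an added illustration (not part of this FAQ, and not Salesforce or PMD code), the documented responsibility split can be written into the code itself: the framework utility states in its ApexDoc that it enforces no CRUD/FLS, and the implementing developer's class performs the object- and field-level checks that ApexCRUDViolation is designed to catch when they are missing. The class names `FrameworkRecordService`, `ContactSyncHandler` and the chosen fields are assumptions; the two classes would live in two separate `.cls` files.

```apex
// ---- File 1: FrameworkRecordService.cls (hypothetical framework code) ----
/**
 * SECURITY RESPONSIBILITY: this utility runs in the caller's sharing context
 * (inherited sharing) and performs NO object-level (CRUD) or field-level (FLS)
 * permission checks. The developer who calls it must enforce CRUD/FLS before
 * writing records through it and after reading records from it.
 */
public inherited sharing class FrameworkRecordService {

    /** Returns the query result as-is; no CRUD/FLS is enforced here. */
    public static List<SObject> query(String soql) {
        return Database.query(soql);
    }

    /** Updates the records as given; no CRUD/FLS is enforced here. */
    public static void save(List<SObject> records) {
        update records;
    }
}

// ---- File 2: ContactSyncHandler.cls (hypothetical implementing-developer code) ----
/**
 * This is the side that owns the documented responsibility, and therefore the
 * side a static-analysis rule such as ApexCRUDViolation evaluates.
 */
public with sharing class ContactSyncHandler {

    // Custom exception raised when the running user lacks the required access.
    public class AccessDeniedException extends Exception {}

    public static List<Contact> loadContacts() {
        // CRUD check: the running user must be allowed to read Contact at all.
        if (!Schema.SObjectType.Contact.isAccessible()) {
            throw new AccessDeniedException('Contact is not readable');
        }
        List<SObject> raw = FrameworkRecordService.query(
            'SELECT Id, Email FROM Contact LIMIT 100');
        // FLS check: strip every field the running user cannot read before the
        // records travel further; the decision object holds the sanitised copy.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, raw);
        return (List<Contact>) decision.getRecords();
    }

    public static void updateEmails(List<Contact> contacts) {
        // CRUD check for update, then FLS check for the one field being written.
        if (!Schema.SObjectType.Contact.isUpdateable()
            || !Schema.SObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AccessDeniedException('Contact.Email is not updateable');
        }
        FrameworkRecordService.save(contacts);
    }
}
```

The point of the split is that the framework class's contract is explicit in the place a developer will actually read it, while every check a reviewer or scanner expects sits in the implementing class. Where the framework targets a recent API version, the read path could equally use `WITH USER_MODE` in the SOQL, which enforces both CRUD and FLS in the query itself; the explicit checks above are shown because they are what the rule's name refers to.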