FAQ-001639 - Salesforce Platform Security Responsibility / False Positive Identification and Documentation


Current FAQ

Question
How do I properly document Connected App consumer keys and other default Salesforce configurations as false positives?
Answer
To document Connected App consumer keys and other default Salesforce configurations as false positives:

1. **Location**: Specify the code location or configuration where the consumer key or default setting is used.
2. **Detailed Explanation**:
   - Specify that the consumer keys are securely stored and not exposed inappropriately.
   - Justify why the flagged configuration does not pose a security risk (e.g., the consumer key is securely stored and not exposed to unauthorized access).
3. **Security Measures**:
   - Highlight the use of secure storage mechanisms, such as protected custom settings or metadata.
   - Explain how access to the keys is restricted to authorized users only.
   - Describe additional security measures like restricted access, encryption, or admin-configurable options.
4. **Use Cases**: Provide relevant use cases to justify the configuration and describe any special circumstances that require the configuration.
5. **References**: Reference any Salesforce-approved practices or guidelines that support your approach.
6. **Supporting Evidence**: Attach relevant documentation, such as Salesforce security guidelines, use case explanations, or prior approvals for similar findings.

Ensure the document is clear, professional, and includes all necessary references to help reviewers understand the context and rationale.

AI Recommended Enhancement

Related Security Rules
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- ApexSuggestUsingNamedCred
Question
How do I properly document Connected App consumer keys and other default Salesforce configurations as false positives?
Recommended Answer Update
To document Connected App consumer keys and other default Salesforce configurations as false positives:

1. **Location**: Specify the code location or configuration where the consumer key or default setting is used.
2. **Detailed Explanation**:
   - Confirm that the consumer keys are securely stored and not exposed inappropriately.
   - Justify why the flagged configuration doesn't pose a security risk (e.g., the consumer key is securely stored and not exposed to unauthorized access).
3. **Security Measures**:
   - Highlight the use of secure storage mechanisms, such as protected custom settings or metadata.
   - Explain how access to the keys is restricted to authorized users only.
   - Describe additional security measures like restricted access, encryption, or admin-configurable options.
4. **Use Cases**: Provide relevant use cases to justify the configuration and describe any special circumstances that require the configuration.
5. **References**: Reference any Salesforce-approved practices or guidelines that support your approach.
6. **Supporting Evidence**: Attach relevant documentation, such as Salesforce security guidelines, use case explanations, or prior approvals for similar findings.

Ensure the document is clear, professional, and includes all necessary references to help reviewers understand the context and rationale.
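The two answers above refer to "secure storage mechanisms, such as protected custom settings" and the ApexSuggestUsingNamedCred rule without showing what the reviewer is comparing. The following Apex is an added illustration, not code from this FAQ or from Salesforce: the first class is the pattern the AvoidHardcodedCredentials* rules flag, and the second is the shape a false-positive write-up should be able to point at instead. The custom setting `OAuth_Settings__c` (field `Consumer_Key__c`) and the Named Credential `Partner_API` are assumed names; the key value is a placeholder.

```apex
// Pattern the scanner flags (AvoidHardcodedCredentialsInFieldDecls):
// the consumer key is a literal in a field declaration, so it ships in
// source, metadata deploys and version control.
public class OAuthClientHardcoded {
    private static final String CONSUMER_KEY = 'PLACEHOLDER_CONSUMER_KEY'; // placeholder, not a real key
}

// Shape to reference in a false-positive write-up: the key lives in a
// protected hierarchy custom setting, so it is readable only by code in
// the owning package and by admins with the relevant permissions.
public class OAuthClientStored {
    public class MissingKeyException extends Exception {}

    // Reads the org-level value of the assumed protected custom setting.
    // getOrgDefaults() returns an empty record when none has been set,
    // so the blank check is the failure mode to handle.
    public static String consumerKey() {
        OAuth_Settings__c settings = OAuth_Settings__c.getOrgDefaults();
        if (settings == null || String.isBlank(settings.Consumer_Key__c)) {
            throw new MissingKeyException(
                'OAuth_Settings__c.Consumer_Key__c is not configured for this org');
        }
        return settings.Consumer_Key__c;
    }

    // Preferred form where the platform can own the secret entirely
    // (what ApexSuggestUsingNamedCred points to): the Named Credential
    // injects authentication, so no credential is handled in Apex at all.
    public static HttpResponse callPartnerApi() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/v1/resource'); // assumed Named Credential
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

When the write-up's "Location" item names a field like `CONSUMER_KEY` above, the "Security Measures" item should explain which of the two stored forms actually replaces it, since only those justify the finding as a false positive.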
Reasoning
The FAQ content is largely accurate but contains minor language improvements for clarity and conciseness. Changed 'Specify that' to 'Confirm that' for more direct language, and 'does not pose' to 'doesn't pose' for more conversational tone per the brand guidelines. The core technical content remains unchanged as it accurately describes the false positive documentation process. Regarding security rules selected: AvoidHardcodedCredentialsInFieldDecls relates to the FAQ's discussion of 'Connected App consumer keys' which are credentials that could be flagged by scanners when found in field declarations. AvoidHardcodedCredentialsInVarDecls and AvoidHardcodedCredentialsInVarAssign are relevant because the FAQ discusses documenting 'consumer keys' as false positives, which would apply when these credentials appear in variable declarations or assignments. ApexSuggestUsingNamedCred is relevant because the FAQ mentions 'securely stored' credentials and 'secure storage mechanisms' which aligns with the rule's purpose of encouraging Named Credentials for secure credential storage.