**Addressing Platform Vulnerabilities During Security Testing:**
To address potential platform vulnerabilities discovered during your own security testing:
1. **Identify and Document Vulnerabilities**:
- Run Salesforce Code Analyzer (the scan report the AppExchange security review requires) or another recommended scanner against the complete package source: Apex, Lightning components, Visualforce pages and any bundled JavaScript
- Triage every finding: separate genuine issues from false positives and track both, since both must be accounted for at submission time
2. **Fix Vulnerabilities**:
- Follow the Salesforce Secure Coding Guide
- Enforce CRUD and FLS in Apex so that code respects the running user's object- and field-level permissions: declare classes `with sharing`, query and write in user mode (`WITH USER_MODE`, `AccessLevel.USER_MODE`), or check explicitly with `Schema.sObjectType` describe calls and `Security.stripInaccessible`
- Store secrets (API keys, credentials) in protected custom settings or protected custom metadata types, or use Named Credentials for outbound calls; never put them in ordinary custom fields, hardcoded strings or unprotected settings that a subscriber admin can read
- Avoid direct DOM manipulation in Lightning components (for example `innerHTML` or `document.write` fed with untrusted input) and replace third-party JavaScript libraries that have known vulnerabilities or no maintained current version
3. **Test the Fixes**:
- Rerun the same scans after the fixes and confirm that the previously reported findings are gone and that no new ones were introduced
- Include any external endpoints the package calls or exposes (for example, a middleware service that receives Salesforce data) in the test scope, since the review scope includes them too
4. **Prepare Documentation**:
- For each false positive, write a justification explaining why the finding is not exploitable, citing the relevant code and the Salesforce guideline or documentation that supports the reasoning
5. **Submit for Review**:
- If preparing for an AppExchange security review, ensure all fixes are implemented across the application
- Submit the updated package with required materials, such as updated scan reports and false-positive documentation
6. **Follow Best Practices**:
- Keep third-party libraries updated and track their versions so that known vulnerabilities can be patched promptly
- Never ship sample or demo code in a production package
- Ensure your solution adheres to Salesforce's security standards
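The steps above come together in the most common fix the review asks for, missing CRUD/FLS enforcement. The following is an added example, not code from the original page or from Salesforce: a hypothetical `ContactNoteController` with a made-up custom field `Note__c` on Contact. The "before" methods are what Code Analyzer (via PMD's ApexCRUDViolation rule) reports; the "after" methods are the two hardened forms the rescan in step 3 should confirm clean. Everything else used is standard platform API.

```apex
// Added example, not from the original page or from Salesforce.
// Hypothetical controller; Note__c is an assumed custom field on Contact.
public with sharing class ContactNoteController {

    // BEFORE: runs in system mode. The running user's object and field
    // permissions are ignored, so a user without read access to Contact,
    // or without FLS on Email, still receives the data. Code Analyzer
    // reports this SOQL and the DML below as CRUD/FLS violations.
    @AuraEnabled(cacheable=true)
    public static List<Contact> getContactsInsecure(Id accountId) {
        return [SELECT Id, Name, Email FROM Contact WHERE AccountId = :accountId];
    }

    @AuraEnabled
    public static void saveNoteInsecure(Id contactId, String note) {
        update new Contact(Id = contactId, Note__c = note);
    }

    // AFTER, option 1: user-mode operations. The platform enforces object,
    // field and sharing permissions for the running user; a missing
    // permission throws (QueryException / DmlException) instead of
    // silently returning or writing data.
    @AuraEnabled(cacheable=true)
    public static List<Contact> getContacts(Id accountId) {
        return [SELECT Id, Name, Email FROM Contact
                WHERE AccountId = :accountId
                WITH USER_MODE];
    }

    @AuraEnabled
    public static void saveNote(Id contactId, String note) {
        Database.update(new Contact(Id = contactId, Note__c = note),
                        AccessLevel.USER_MODE);
    }

    // AFTER, option 2: explicit checks when you want to degrade rather than
    // fail. Fields the user cannot read are removed from the result instead
    // of raising an exception; the object-level check still fails closed.
    @AuraEnabled(cacheable=true)
    public static List<Contact> getContactsStripped(Id accountId) {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new AuraHandledException('No read access to Contact');
        }
        List<Contact> rows = [SELECT Id, Name, Email FROM Contact
                              WHERE AccountId = :accountId];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return decision.getRecords();
    }

    @AuraEnabled
    public static void saveNoteChecked(Id contactId, String note) {
        // Object- and field-level check before DML: fails closed if the
        // running user cannot update Contact or the Note__c field.
        if (!Schema.sObjectType.Contact.isUpdateable()
                || !Schema.sObjectType.Contact.fields.Note__c.isUpdateable()) {
            throw new AuraHandledException('No update access to Contact.Note__c');
        }
        update new Contact(Id = contactId, Note__c = note);
    }
}
```

Choose option 1 when an unauthorized caller should simply get an error, and option 2 when a partially authorized user should still see the fields they are allowed to see. A caveat that matters for step 4: the scanner's CRUD/FLS rule recognizes checks it can see in the same method (the describe calls, `stripInaccessible`, or the user-mode clause above); in my experience a check performed inside your own helper method is commonly still reported as a violation even though the code is safe. That is the kind of finding to document as a false positive, with the helper's code cited, rather than a reason to remove the check.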
**Determining if Findings are Genuine Issues or False Positives:**
To determine if a vulnerability flagged in your security review report is genuine or a false positive:
1. **Review the Report Details**: Read the finding's category, its location (class, line, component) and the scanner's stated reason before forming an opinion
2. **Analyze the Code or Configuration**: Determine whether the flagged behavior lives in your custom code or in a standard platform feature, and whether an attacker can actually reach it with untrusted input. A finding in a standard platform behavior you cannot change, or in a code path never exposed to user-controlled data, is a candidate false positive, but only if you can explain why it is not exploitable; "the scanner is wrong" is not a justification
3. **Document False Positives**: If it's a false positive, prepare a detailed document explaining why it does not pose a security risk. Include justifications, references, and relevant Salesforce documentation
4. **Submit for Review**: Upload the false-positive documentation to the security review wizard in the AppExchange Partner Console and resubmit your solution. There is no fee for evaluating false-positive documentation
5. **Consult Salesforce Resources**: Use tools like the Secure Coding Guide and security scanner tools to validate your findings and ensure compliance with security guidelines
6. **Seek Clarification if Needed**: If you're unsure, open a case with Salesforce support for further clarification or assistance
**For Penetration Testing Findings:**
I couldn't find specific guidance on reporting and handling vulnerabilities in the core Salesforce platform itself that are identified during penetration tests. I recommend opening a case with Salesforce support for further assistance.
For further guidance, refer to Salesforce's secure coding and security review documentation or schedule a technical office hours session for specific queries.