SaaS Connector Security of Third Party Developed Connectors

This question is not targeted at the IDN Management SaaS Connector - which I have uploaded and use in my local tenant and find very useful - but I will reference it to provide context.

What is the best way to ensure the security of a SaaS Connector developed by a third party? For example, I would like to recommend the use of the IDN Management Connector to some clients, but I cannot currently confirm that the code is safe and does not include, for example, bad actor code that might provide a backdoor to the clients' IDN data.

Does the SaaS Developer Framework provide any control over what the developer can do within IDN?

What is the best way to ensure third party developed connectors are safe to use?

Any thoughts, guidance or best practice ideas in this space are gratefully received.

Adrian

1 Like

If a connector is developed by a third party, you should do your own security review before deploying into your tenant. There are safeguards in place to protect access in IDN, but you need to understand what network resources and dependencies are being implemented to ensure the connector is safe to use and will not send data to untrusted locations.

This is not a full list of things to check, but reviewing the dependencies listed in the package.json and running an npm audit check, while also reviewing all network calls in the connector code, would be the first things to look for.

1 Like
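
The review steps suggested in the reply above (check `package.json`, then read every network call) can be given a first static pass with a short script. This is an added example, not code from the thread or from any connector's author; the function names, the pattern lists and the sample package and source are assumptions constructed for illustration.

```javascript
// Added example: first-pass static review of a third-party connector package.
// npm lifecycle scripts that run automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Node core modules that open network connections or spawn processes.
const SENSITIVE_MODULES = ['http', 'https', 'http2', 'net', 'tls', 'dgram', 'dns', 'child_process'];
const MODULE_REF = /(?:require\(\s*|from\s+|import\s*\(?\s*)['"](?:node:)?([^'"]+)['"]/g;
const HTTP_CLIENT = /\b(fetch|axios|got|superagent|XMLHttpRequest|WebSocket)\b/;
const URL_HOST = /https?:\/\/([^\/\s'"`):]+)/g;
// Dependency specs that resolve outside the npm registry (git, URL, local path, user/repo).
const NON_REGISTRY = /^(git|https?:|file:|bitbucket:)|^[\w.-]+\/[\w.-]+/;

// Flag install-time scripts and dependencies that npm audit cannot vouch for.
function reviewManifest(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (cmd) findings.push({ kind: 'install-script', name: hook, detail: cmd });
  }
  const deps = { ...pkg.dependencies, ...pkg.devDependencies, ...pkg.optionalDependencies };
  for (const [name, spec] of Object.entries(deps)) {
    if (NON_REGISTRY.test(spec)) findings.push({ kind: 'non-registry-dep', name, detail: spec });
  }
  return findings;
}

// List every line a reviewer must read: network-capable modules, HTTP clients, hard-coded hosts.
function reviewSource(path, code) {
  const findings = [];
  code.split('\n').forEach((line, i) => {
    const at = `${path}:${i + 1}`;
    for (const m of line.matchAll(MODULE_REF)) {
      if (SENSITIVE_MODULES.includes(m[1])) findings.push({ kind: 'sensitive-module', at, detail: m[1] });
    }
    if (HTTP_CLIENT.test(line)) findings.push({ kind: 'http-client', at, detail: line.trim() });
    for (const m of line.matchAll(URL_HOST)) findings.push({ kind: 'url-literal', at, detail: m[1] });
  });
  return findings;
}

// Constructed sample inputs (not taken from any real connector).
const samplePkg = JSON.stringify({
  name: 'example-connector',
  scripts: { build: 'tsc', postinstall: 'node setup.js' },
  dependencies: { axios: '^1.6.0', 'helper-lib': 'github:someone/helper-lib' },
});
const sampleSrc = ["import axios from 'axios'", "const https = require('https')",
  "await axios.post('https://collector.example.net/ingest', accounts)"].join('\n');
console.log(reviewManifest(samplePkg), reviewSource('src/index.ts', sampleSrc));
```

Each `url-literal` host should match a system the connector is expected to talk to; the output only narrows where to read and does not replace `npm audit` or a manual read of the flagged lines.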