Seeking a way to convince WikiPakk is safe #22
Hello,

The security team usually scans the application files as a precaution before the app is enabled/installed. Any thoughts on how I should convince them? Thank you!
Replies: 1 comment 1 reply
Hi @novice002. I don't consider this a strange question. It's common for clients to validate the solutions they are about to deploy.

Now there are different approaches to convincing stakeholders that WikiPakk is safe.

Trust Microsoft's AppSource: The initial reason I switched to publishing via AppSource was a rather large client having this as a requirement by their security team. No sideloading to SharePoint, just Microsoft's AppSource is allowed as a source.

Trust me: OK, why would you? But I had clients reaching out who told me after the fact: "I needed to see that you are a real person and not a bot." This option always depends on what is necessary to prove I'm not a bot 😄

Check WikiPakk's behavior: Which permissions does it ask for when being added to the tenant app catalog? Only access to the SharePoint API. Does it reach out to external systems? Only for one purpose: refreshing the license key (which is optional). No core functionality depends on any backend, except SharePoint. It's a pure client-side SharePoint Framework (SPFx) solution.

Scan the solution: Not sure how accessible the installed solution and the files belonging to it are. But you/the team might install the solution in a test environment, maybe a short-lived demo tenant from Microsoft, and have a look at the tenant app catalog site and the files it deploys there.

Security questionnaire: I often get those and am willing to answer questions, which then can be reviewed. This is a more structured approach that makes security requirements explicit, allows me to address them, allows your company to measure compliance, and also covers a lot of the above.

I'm here to help.