Building trust with security-conscious customers

Submit your app’s security and compliance information to the App Directory

Slack API
Feb 3, 2020 · 4 min read
Illustration and design by Kelsey Wroten.

Apps make work more pleasant and productive for teams in Slack. To make that happen, apps request permission to access information in a workspace.

Slack admins use app approvals to maintain control over the apps installed on their workspaces and to protect company data from security threats. Before installing an app, admins review what permissions an app is requesting, as well as its policies for security and data retention — but obtaining and reviewing this information can add time and friction to the app approval process.

Starting today, we’re kicking off the process of collecting security and compliance details for apps published in the App Directory. When submitting your app for review, you’ll find a section called Security & Compliance where you can start filling out information.

About security & compliance information

As a developer on Slack, surfacing security & compliance information in the App Directory allows you to answer critical questions for Slack admins, helping them make faster, more informed decisions about your app.

Here are the four categories of information you can provide — plus a peek at the new Security & Compliance tab in your app listing:

General

Admins want to know who built your app. In some cases, an app developer won’t be the same as the parent software company — at Slack, we built the Google Calendar app in-house.

By sharing your official developer name, where your company is located, and a link to your terms of service, you can establish an identity for your app.

The design of this section is subject to minor changes

Privacy & data governance

The data that flows through your app is governed by the Slack Developer Policy and API Terms of Service. In the security & compliance section, you can be more specific about how your app manages data, including details of its retention, archiving, storage, and removal practices.

Articulating your approach to data governance can give admins confidence that your service has strong data management practices in place to identify, locate, and retrieve information as needed, in a timely and reliable manner.

The design of this section is subject to minor changes

Certifications & compliance

There are general audits and certifications that any service can acquire to verify that they operate under a specified set of security standards, like ISO 27001 or SOC 2. Depending on the industry, there might also be more nuanced standards, like HIPAA compliance or FedRAMP compliance.

By making links to your app’s certifications & compliance easily accessible in one place, Slack admins can spend less time searching for information and more time learning about your app.

The design of this section is subject to minor changes

Security

Certifications and audits take time, but chances are you already have a few of the building blocks that make up a strong security program. For example, if your service supports security features like SAML authentication and SSO, that's a simple way to let admins know there is a baseline level of security in place for authenticating users.

There are also ways to pressure-test your app against real-world scenarios, such as penetration tests, which simulate an attack in order to identify security vulnerabilities before a real adversary does.

To supplement scheduled pen testing, some services establish more scalable, community-based programs for reporting potential vulnerabilities whenever they arise:

  • Vulnerability disclosure programs rely on the goodwill of developers to crowdsource reports of potential security vulnerabilities
  • Bug bounty programs incentivize developers to report any vulnerabilities in exchange for compensation

The design of this section is subject to minor changes

Opting to be transparent with Slack admins builds credibility. Even if some security and compliance details are not applicable for your app, each piece of the puzzle you provide can help admins make better decisions about your app.

Getting started

You can start submitting security and compliance details today, as part of the open beta. Under your app’s Settings, you’ll find a new section called Security & Compliance where you can start filling out information. We’ll review your submission, but it’s up to the developer to ensure the accuracy of these details.

Starting July 31, 2020, the App Directory will require newly submitted apps to provide certain security & compliance details. Existing Slack apps on the App Directory will be required to input this information by December 4, 2020.

Questions or feedback? Email feedback@slack.com or tweet @SlackAPI.

Slack Platform Blog

Several bots are typing…

Slack API

Written by

Slack API

The Slack Developer Blog. Other Slack news, features and tips can be found at http://slackhq.com but this? This is all API, all the time
