How to review Slack apps

Creating the perfect app approval process for your organization


Custom Slack apps are a powerful way to quickly improve your working life — but they come with risk, since Slack gives you the tools to deeply customize. Everyone should feel empowered to use Slack efficiently and securely. If you’re interested in better evaluating and selecting the best apps for your team, read on.

Reasons for app approvals

To uphold security standards, Slack implemented a flow for app approvals — which requires turning on admin app approvals. If an unvetted app is requested for install, the request goes to an admin group for review; its members come from Slack’s security, platform, and business technology teams.

Requests are tracked in the #plz-apps channel, where users can check request status and admins can ask for more information. Having an approval flow allows us to better understand the data each app accesses, especially now that apps are built on a new, granular permissions model.

Step by step

We conduct several steps to evaluate apps — which you can also leverage in your app review process:

  1. What permissions is the app requesting? We prefer the principle of least privilege here, to ensure the app is requesting only the information necessary to function.
  2. Who will use the app? Occasionally, we approve apps that are generously permissioned, because the actual users of the app are a select group with proper knowledge and restrictions. App permissions allow for very powerful apps to do amazing things to streamline work, and we don’t want to miss out, so we consider the app in context!

It’s essential to understand the risks and benefits of the different app permissions. Formulate a list of pre-approved permissions, so you can more quickly evaluate on a case-by-case basis. Here’s our template! This also helps users understand permissions and the apps they request.

Time-saving tips

Efficiency is key, so productivity isn’t blocked. Let’s look at some tricks we use in our review process:

  • Known and trusted developers: Is this an app from a vendor that we’ve already performed a full security review on? Have we worked with this developer before? Is this a custom app built by Slack? All these things can help accelerate the review.
  • Minimize functional repetition: There are so many awesome apps out there that solve the same problem. We try to restrict the number of apps that do the same thing, and if we receive duplicative requests, we try to find out if a need isn’t being met by our currently approved apps. By minimizing this repetition, we’re able to reduce our threat surface and time spent reviewing apps.
  • Leveraging Grid workspaces: We use Enterprise Grid at Slack, with dedicated workspaces for each business pillar — including a social workspace for fun banter, company culture, and bonding. We don’t want to deny anyone their social apps, but we also don’t want them installed on sensitive workspaces. So, we keep the fun on our social workspace without adding security stress across the grid.
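Here is an added example (not code from the original post or from Slack) that encodes the checks above as a single triage routine: a pre-approved permission list, a never-allowed list, known developers, restricted user groups, and sensitive Grid workspaces. The scope names are real Slack OAuth scopes, but which tier each falls into, and the developer and workspace names, are constructed assumptions for illustration.

```python
"""Triage a Slack app install request against a constructed review policy."""
from dataclasses import dataclass

# Constructed policy sets (assumptions for this example, not Slack's own
# template). The scope identifiers are real Slack OAuth scopes; their
# placement in these tiers is illustrative only.
PRE_APPROVED = {"chat:write", "commands", "channels:read", "users:read"}
NEVER_ALLOWED = {"admin"}
TRUSTED_DEVELOPERS = {"slack-internal", "vendor-with-completed-review"}
SENSITIVE_WORKSPACES = {"finance", "security"}


@dataclass(frozen=True)
class AppRequest:
    app: str
    developer: str
    scopes: frozenset
    workspace: str          # Grid workspace the install targets
    restricted_users: bool  # True when only a vetted group will use the app


def triage(req: AppRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is deny, approve, fast-track or review."""
    blocked = sorted(req.scopes & NEVER_ALLOWED)
    if blocked:
        return "deny", [f"never-allowed scopes requested: {blocked}"]
    extra = sorted(req.scopes - PRE_APPROVED)
    if not extra:
        return "approve", ["every requested scope is on the pre-approved list"]
    reasons = [f"scopes beyond the pre-approved list: {extra}"]
    trusted = req.developer in TRUSTED_DEVELOPERS
    sensitive = req.workspace in SENSITIVE_WORKSPACES
    # Generous permissions can be fast-tracked when a known developer built the
    # app, a restricted group uses it, and it stays off sensitive workspaces.
    if trusted and req.restricted_users and not sensitive:
        reasons.append("known developer, restricted user group, non-sensitive workspace")
        return "fast-track", reasons
    if not trusted:
        reasons.append(f"developer {req.developer!r} has no completed security review")
    if not req.restricted_users:
        reasons.append("open to all users; least privilege not demonstrated")
    if sensitive:
        reasons.append(f"target workspace {req.workspace!r} is sensitive")
    return "review", reasons


if __name__ == "__main__":
    # Constructed sample request: a digest app that reads channel history.
    sample = AppRequest("digest", "vendor-with-completed-review",
                        frozenset({"chat:write", "channels:history"}), "finance", True)
    print(triage(sample))
```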

Driving accountability at your company

Create an FAQ to indicate permissions that are never allowed, and how to best search for more secure app alternatives. It’s also helpful to remind users that they can review a library of available apps, by simply clicking on “Apps” in the Slack sidebar.

Conduct a threat modeling exercise to define your organization’s risk tolerance and how you want to handle apps that fall beyond it. Leverage the matrix we provided above, or check out some of our essential apps. Talk to other Slack admins, too — we suggest connecting on the Slack Community!

There is no one-size-fits-all solution for which apps you should and should not install on your workspace. However, apps truly are one of the ways that Slack can change your working life to be simpler, more pleasant and productive.

Check out this webinar: “Managing apps securely and at scale” for more tips and best practices about app management.

Questions or feedback? As always, please email feedback@slack.com.
