Security recommendations for approving apps
Slack is most powerful when you connect it to tools you already use. With your permission, apps and integrations can access your workspace's information to help you automate tasks and get work done.
To better secure your data, it’s important to understand how apps work with Slack. That way you can determine a policy for reviewing and approving integrated tools.
1. Get to know apps for Slack
By default, members can install any app from the Slack Marketplace, or build internal integrations to fit your company's needs. Depending on your security preferences, Workspace Owners can control how apps are installed, and by whom.
Whether you're looking to use an existing service like Google Drive or Dropbox, or build your own, we've got a few resources to show you how to install and create the apps you need.
📒 Learn about apps and the Slack Marketplace
⚙️ Add an app to your workspace
🛠 Customize Slack with internal integrations
2. Understand app permissions
All apps in the Slack Marketplace have a unique set of permissions, called scopes, that tell you what information the app can access, and how that information can be used. Generally, an app will ask permission to do the following:
- Post information
- Perform actions
- Access information
An app's full set of permissions is listed when the app is installed. You can find a detailed list of scopes in our API documentation.
Tip: Some developers submit detailed information about their security and compliance practices to us. If available, you can see that info in the Security & Compliance tab on an app’s page in the Slack Marketplace.
3. Enable app approval settings
Workspace Owners can enable the Approve apps setting for a workspace to control how and what is installed.
🎛 Control which apps can be installed
Workspace Owners can control exactly which apps get installed by creating lists of approved and restricted apps. In the Slack Marketplace, members will clearly see which apps are approved for the workspace, which apps need approval, and which apps are not allowed.
👨‍✈️ Decide who can manage apps and integrations
By default, only Workspace Owners can manage apps. With the Approve apps setting turned on, Owners can allow selected members to manage approved apps and respond to app installation requests.
Turn on app approval
- From your desktop, click your workspace name in the sidebar.
- Select Tools & settings from the menu, then click Manage apps.
- Click App Management Settings in the left sidebar.
- Toggle on Approve apps.
Tip: For apps that require approval, set expectations with your team by letting them know how long it’ll take to review their app requests.
4. Develop an approval policy
Whether members are requesting apps or installing them as needed, protect your workspace by developing an app approval policy with help from your IT, security, and policy teams.
Carefully consider internal protocols around data management to craft a policy that feels right for your team. Here are some questions to include in your review:
Installing apps
- Is there a valid business reason for using the app?
- Are there other apps being used for this purpose?
- How long will the app be needed on the workspace?
- What is the app’s privacy policy?
- How often will the app post to a channel?
- Are there any additional costs or licenses?
Creating internal integrations
- Who will maintain the integration?
- Are additional servers, databases, or integrations needed?
- Does the app use token validation?
- Is data encrypted at rest?
- Is TLS being used to encrypt traffic?
- Have the OWASP Top 10 Application Security Risks been reviewed?
Note: Though we review all apps in the Slack Marketplace, including their requested permissions, Slack doesn't endorse or certify these apps. We recommend that you only install tools that you trust.
Learn more about apps
The Slack API has everything you need and more to learn about what goes into building an app. Check out our blog for more inspiration on how to make apps work for your team.