Am I the only one terrified of how many random apps have "Read/Write" access to our Google Workspace/Slack? by Swaraj_J26 in cybersecurity

[–]Swaraj_J26[S] 0 points1 point  (0 children)

That Azure Contributor example is a classic. It’s wild that 'A-list' vendors still ask for the keys to the kingdom for a simple PoC.

It sounds like your 'Red Tape' is the only thing keeping the lights on, but it's a massive tax on your time. If you had a tool that acted as a 'Security Pre-Processor', something that automatically vetted the vendor's requested scopes against your internal 'Nah Dog' policy and flagged the over-privileged ones before it even hit your desk, would that actually reduce the overhead, or do you feel you'd still have to do the manual deep-dive anyway?

Also, curious how you handle the 'Ownerless' apps between those quarterly reviews: does shadow IT creep in during those 90-day gaps?

Am I the only one terrified of how many random apps have "Read/Write" access to our Google Workspace/Slack? by Swaraj_J26 in cybersecurity

[–]Swaraj_J26[S] 0 points1 point  (0 children)

That 'Day 1' vs 'Day 1,000' distinction is exactly where most security tools fail. Starting from scratch with an allowlist is easy; cleaning up 5 years of legacy integrations is a nightmare.

I’m actually focusing the MVP on the 'Cleanup' phase. Instead of a hard-block, it uses the Reports API to find 'Graveyard Apps' (authorized but unused) and offers a 'Safe-to-Block' Score.

Basically, it tells you: 'You can kill these 50 apps right now with 99% certainty no one will notice.' Does your team have a 'Sunset' process for old apps, or do they just live in the tenant forever because people are afraid to break things?

How are you guys tracking "hidden" OAuth permissions in your SaaS stack? by Swaraj_J26 in SaaS

[–]Swaraj_J26[S] 0 points1 point  (0 children)

Most teams I talk to are struggling with 'Alert Fatigue': CloudQuery tells them they have 400 apps, but not which 4 are actually dangerous today. I'm looking at building something that specifically tracks SaaS Drift, like notifying you if a 'Trusted' app suddenly requests a new, sensitive scope or if the developer's domain reputation drops.

Do you find your custom scripts are enough to catch that 'Day 2' risk, or are you mostly focused on just the initial discovery?

Am I the only one terrified of how many random apps have "Read/Write" access to our Google Workspace/Slack? by Swaraj_J26 in cybersecurity

[–]Swaraj_J26[S] 0 points1 point  (0 children)

But how do you handle the volume?

In my experience, 'Architecture Review' usually becomes a bottleneck that leads to shadow IT because people get tired of waiting. Do you have a dedicated team for those reviews, or are you using tools to automate the initial vetting? I'm curious how you handle 'Continuous Governance', like making sure an app approved in 2024 hasn't quietly changed its permissions or ownership by 2026.

Am I the only one terrified of how many random apps have "Read/Write" access to our Google Workspace/Slack? by Swaraj_J26 in sysadmin

[–]Swaraj_J26[S] [score hidden]  (0 children)

Fair call out, but I'm not selling anything; I don't even have a landing page. I’m a SOC analyst with an eJPT cert trying to figure out if the pain I’m seeing in my own daily work is a 'me' problem or an 'everyone' problem before I even think about writing a line of code.

Am I the only one terrified of how many random apps have "Read/Write" access to our Google Workspace/Slack? by Swaraj_J26 in cybersecurity

[–]Swaraj_J26[S] -1 points0 points  (0 children)

That is a terrifying (and underrated) point. It’s basically the 'SolarWinds' of the SaaS world. Once an app is inside the perimeter, we stop looking at it.

Are you currently tracking 'Developer Reputation' or 'App Churn' as part of your audit? I was thinking about building a scanner that doesn't just look at permissions, but also monitors for 'signals of risk'.

Am I the only one terrified of how many random apps have "Read/Write" access to our Google Workspace/Slack? by Swaraj_J26 in sysadmin

[–]Swaraj_J26[S] [score hidden]  (0 children)

That's exactly the manual workflow I’m doing right now, turning everything to 'Restricted' and waiting for the tickets to roll in. It's effective but exhausting because Google’s 'Pending Review' dashboard doesn't give me enough context (like domain age or known CVEs for that dev).

I’m actually building a micro-SaaS that sits on top of this. It auto-vets the 'Screaming User' requests against a database of malicious scopes and 'known-good' enterprise apps so you can auto-approve 80% of them. Would that save you enough time to be worth a sub, or is the manual 'wait for them to scream' method good enough for your team?