Slack integration: Security feedback


I've been using Evernote for years and I recently started with a new company and wanted to set up the Slack integration. After talking to our security team, they provided the following feedback:

Quote

We’ve reviewed Evernote’s Slack integration and found that it requires substantial access to our Slack workspace.

This includes the potential for the integration to see files posted in Slack and messages sent in public or, in some cases, private channels. It also requires knowledge of all members in the Slack workspace, which includes names and email addresses for everyone in the company and even some information for third parties we’ve invited to participate in certain channels.

As this vastly increases the scope of what Evernote will have access to, we are unable to approve the integration at this time. If Evernote updates their integration to use the newer Granular Permissions scheme in the future, we will be happy to reevaluate.

Our core policy is the Principle of Least Privilege. In Slack, that means an integration should have the fewest number of permissions necessary to do what it needs to do. This helps protect us from ourselves, for example sharing things we didn’t intend. And it helps protect us from Evernote in case there’s ever an issue on their side, be it a technical problem or a bad actor.
 
The Granular Permissions feature was designed by Slack with organisations like us in mind. It will allow integration creators to pick and choose very specifically what features they need for their software to work. Also of note, it’s likely that Evernote will eventually be required to comply with this new scheme in order to stay on Slack’s app directory.

 

Is Evernote planning to use the Granular Permissions feature in Slack? 

Thanks for your feedback


Hi. This is a -mainly- user-driven Forum. Evernote don't (usually) comment publicly on what may, or may not be, in development - and they tend to be particularly reticent about security issues. As you're a subscriber I'd suggest raising this as a Support question for individual feedback - although the most likely response is "we're looking into this but have no timescale for any changes..."

8 minutes ago, gazumped said:

Hi. This is a -mainly- user-driven Forum. Evernote don't (usually) comment publicly on what may, or may not be, in development - and they tend to be particularly reticent about security issues. As you're a subscriber I'd suggest raising this as a Support question for individual feedback - although the most likely response is "we're looking into this but have no timescale for any changes..."

Thanks for the feedback. I'll forward it to Evernote support. 
