How to build enterprise-grade apps
Imagine this: You’ve spent days, months, or even years building a brand-new app, only to find out that IT administrators aren’t comfortable installing it in their workspaces. Many people have found themselves in this situation, and it can be an extremely frustrating experience.
Recently, our engineering team built the Box for Slack app, bringing the power of Box’s rich content management features to content shared in Slack. When we first started thinking about building an integration, we had a core set of end-user features and principles in mind. We wanted an intuitive experience that makes it easy for users to share, search, and collaborate on Box content directly within Slack. This sounds easy enough, but every customer has a different set of requirements. Here are some of the lessons learned from that process and tips for how to build apps that admins will happily adopt for their organizations:
Before we started building all these cool new features, we followed this framework:
- Customer study: On average, a customer uses 88 apps to get work done. However, as remote work becomes the new normal, employees connect to their enterprise applications through unmanaged devices and connections. Because of this, it's even more essential to keep data and content flows secure across these applications. Every customer has different security, legal, and compliance requirements, so it's essential to talk to multiple customers to gather these requirements.
- Identify patterns: Once you have conversations with a sample of your customers, you will automatically start noticing patterns. Finding these patterns is crucial because it will help you maximize the ROI of your development effort.
- Spec out features: The next step is to translate these patterns into features and app controls.
- Final validation: We are not done yet; the last but crucial step is to go back to these customers and validate these features before you give your development team the green light.
Now, going back to the Box for Slack app: we spoke with customers across a broad range of functions, sizes, and industries. After talking to these customers, we noticed some patterns emerge. While they were all thrilled about the new end-user features, they wanted admins to have more granular control over content access. Therefore, we built controls directly into the Box Admin Console that enable admins to configure security settings for the specific needs of their organization. Then we went back to the same set of customers, shared the new security controls with them, and validated that all the right features were in place for them to start using the Box for Slack integration.
In addition to the customer study, here are some additional best practices we've learned when building a new app:
- Avoid using broad scopes in your app. As a general security practice, many admins operate under the principle of least privilege, which means a user or app should have only the bare minimum privileges needed to perform its work. Make sure to use granular permissions. This lets you request only the information your app needs to function, driving deeper adoption among security-conscious customers.
- Localize your app if possible. Localization is a great way to tailor your app to diverse audiences.
- Do a round of security and penetration testing on your app before you submit it. Pay extra attention to things like how and where client IDs and secrets are stored, restricting token usage based on IP addresses, and whether your app verifies where requests are coming from.
- Do a legal and compliance review of your app. Your security- and compliance-conscious customers will want to know where you store their sensitive PII data, how long it's retained, how it's encrypted, etc. This review will help you cover all of that.
- Last but not least, do QA testing. It will not only improve the quality of your app, but also expedite the app review process.
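The penetration-testing item above asks whether your app verifies where requests come from. As an added example (not code from the Box for Slack app or from Slack), here is how a Slack-facing endpoint can check that an inbound request was really signed by Slack, using Slack's documented signing-secret scheme; the secret, timestamp and request body below are constructed placeholders.

```python
import hashlib
import hmac
import time

# Slack signs "v0:<timestamp>:<raw body>" with the app's signing secret
# (HMAC-SHA256) and sends the result in the X-Slack-Signature header.
SIGNATURE_VERSION = "v0"
MAX_SKEW_SECONDS = 5 * 60  # reject old requests so a captured one cannot be replayed


def compute_signature(signing_secret: str, timestamp: str, body: str) -> str:
    """Return the expected 'v0=<hex>' signature for a raw request body."""
    base = f"{SIGNATURE_VERSION}:{timestamp}:{body}".encode()
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return f"{SIGNATURE_VERSION}={digest}"


def is_valid_slack_request(signing_secret: str, headers: dict, body: str, now=None) -> bool:
    """Check timestamp freshness and the signature; fail closed on anything missing."""
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    signature = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit():
        return False
    now = int(time.time()) if now is None else now
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # stale or replayed
    expected = compute_signature(signing_secret, timestamp, body)
    # Constant-time comparison: a plain == would leak how many bytes matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


# Constructed sample values (placeholders, not real credentials or traffic).
SAMPLE_SECRET = "placeholder-signing-secret"
SAMPLE_TIMESTAMP = "1600000000"
SAMPLE_BODY = "command=%2Fbox&text=search+quarterly+report"


def demo():
    """Return (genuine accepted, tampered body rejected, stale request rejected)."""
    headers = {
        "X-Slack-Request-Timestamp": SAMPLE_TIMESTAMP,
        "X-Slack-Signature": compute_signature(SAMPLE_SECRET, SAMPLE_TIMESTAMP, SAMPLE_BODY),
    }
    genuine = is_valid_slack_request(SAMPLE_SECRET, headers, SAMPLE_BODY, now=1600000010)
    tampered = is_valid_slack_request(SAMPLE_SECRET, headers, SAMPLE_BODY + "&x=1", now=1600000010)
    stale = is_valid_slack_request(SAMPLE_SECRET, headers, SAMPLE_BODY, now=1600000000 + 3600)
    return genuine, tampered, stale
```

In a real deployment the raw body must be the exact bytes received, before any form or JSON parsing, or the signature will never match.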