Vibe-coded app deployment requests from end users
Posted by East-Tailor892@reddit | sysadmin | 121 comments
We are getting increasingly frequent requests along the lines of “I have developed a custom application that will be a dashboard for company employees. Can you install this version of Python, an application SDK, and give an account access to our company’s financial file.”
Apparently everyone thinks they can code. Needless to say, I have not seen one of these ideas come to fruition in the form of a production-ready application.
I am curious how others are handling these requests. I have no interest in facilitating this behavior if it can be avoided.
pakman82@reddit
As others have said, have someone else 'build bureaucracy' around it. IF the company wants to use that stuff, they need to have frameworks. I.e. legal/contractual/industry compliance sign off; infosec to double check the 'tech stack'.. then financial sign off to pay for & track the 'virtualization platform of choice' costs, and bill back to their business unit.
jake04-20@reddit
If I suggested this, my boss would just say "oh, great idea. Yeah go ahead and do that" and I would have created more work for myself. Sometimes I think he plays stupid/is purposely obtuse so he can deflect shit on to other people.
pakman82@reddit
Yeah, that was one thing I carefully played with at a 2-3000 person company. If my manager didn't want to do something, I carefully worked with other managers, specifically in security and legal, and managed to see them leverage their pull to get shit done, save my job/ass during downsizes, etc. And I saw a backstabbing manager get fired on a few occasions. But I try to be very careful about that kind of politics.. I have also been bitten when I didn't ass-kiss the right ass grinder.
zero_z77@reddit
Exactly, if you want to act like a software developer, you should be held to the same standard as a software developer. Doesn't matter if it's vibe coded or handwritten in assembly, standards are standards, and if you can't meet them, go pitch your idea to someone who can, and stop trying to work outside of your job description for free.
pakman82@reddit
It's a funny world. I came from what I understand to be small MSPs, where any development was frowned upon, to a few direct employers where development had been a way of life, and they were now cleaning up the detritus and building frameworks. Then I went to larger service providers, and saw how complicated it could get.. And I sleep better knowing some YouTube-interpreting accountant hasn't tried to give the payroll to their personal GWS bot to email out via corporate Exchange.
rire0001@reddit
In all fairness, we'd get these same requests years ago from our business partners. They'd hire some kid who happened to be a whiz on his Mac, or could write killer VBS apps on MSAccess, and suddenly it was ready to send out agency wide.
Needless to say, we'd have to go through the motions, because IT was always too thick to recognize true genius when presented... However, once we added up the cost - software licenses, security scans, distribution, recurring O&M - the business execubot who was championing the request lost interest.
*Note: The larger business units would forgo IT interaction altogether, and set up their own information systems. Our SHadow IT (sic) was pretty strong; they even had their own network segments. I've been retired now for just over a year (THANK GOD) but I imagine the vibe coders on IT and non-IT environments are rampant.
belgarionx@reddit
My manager and a few others really liked my custom vibe-coded hobby app (but I worked on it for 2 months).
I was initially really reluctant, but once I agreed, I gathered their needs; asked some guys at security to audit it and asked for critiques.
After 3 months of PoC and testing, we will deploy it on non-critical prod. (It's a VM monitoring / remote management app)
If others ask for it, sure. We have segmentation everywhere. They need explicit access for anything they want to serve / access. It wouldn't be a problem.
Ummgh23@reddit
And why wouldn't you use the slew of already existent monitoring/rm apps that are fully featured and compliant?
belgarionx@reddit
Because I was able to modify it according to our specific needs. It's tailored specifically to our infrastructure, thus covers all our needs and is way more lightweight than the alternatives 🤷♀️
SublimeApathy@reddit
I'm so effing over it and AI in general. I would pivot careers if I weren't approaching 50. Like, nothing tech. I would be an electrician or something. But I simply can't afford to take the massive paycut that comes with becoming a noob again.
gsmitheidw1@reddit
Was this any different to the old days of users writing their own macros and VB for Applications? Or just making mathematical or logic errors in Excel?
Many of those end users didn't always know what they were doing, but some made great things to improve their own efficiency or help their colleagues improve accuracy or reduce human error.
Coding, be it vibe or traditional, is the responsibility of the user who has access to the data. If they think they can do better and they're not breaking any data protection or company policies, then that's between them and their line manager or possibly HR. If they have access to more data than they need to do their job, that may be a sysadmin failing.
Anyway, just another counter-argument viewpoint to all the "ban everything" sentiment in this thread.
I would encourage people to learn and try things within their jobs as safely as possible. Maybe some mild but formal sign off with warnings and risks about using test data rather than live data to hone their skills. And of course approved AI services only, unless it's an entirely local LLM, and certainly not some cloud AI picked at random.
IllIntroduction8499@reddit
This happened to me yesterday. I feel like my job is going to transition to being a prompt writer 😔
mysticalfruit@reddit
Yup! Got one today where the user wants 10 sub domains each with 3 different names in it.
I do a "dig -tAXFR subdomain.ourdomain" and get nothing..
Okay, check our bind servers.. nothing.. check AD DNS.. nothing..
Then the user goes "Well, Claude proposed that, I don't know anything about domains."
Me: "What's this going to do?"
Them: "Oh host a web app I vibe coded."
Bogus1989@reddit
🤣you should totally vibe code an ai assistant, you can refer them to for approval
☠️
anonymousITCoward@reddit
Bogus1989@reddit
LMAO my org got so tired of random shadow IT MacBooks… no shit, they officially have like a 5 step process to get any Mac-approved software or hardware,
and this part I'm about to say is legitimately true:
if and only if you fit all the criteria, and reasons… THEN
you have to present your case to not 1 but 2 separate in-person approval boards.
Bogus1989@reddit
Easy, tell them first, and this only happens if it is approved, they must submit the software to the security team for review.
Before any of that though, they must go through the proper channels of management, then it'd probably go to the team that actually manages whatever program they are trying to leverage…
🤣and that team may or may not look at it. Most they will get back is a "thanks".
That team probably already has vendor software that's been around for decades… doing whatever that end user thought their "groundbreaking" accomplishment was.
NegotiationTop7253@reddit
You are assuming the company has a security team at all..
Bogus1989@reddit
LMAO. As I wrote that, I kinda stopped and said to myself, guess I may possibly be just screaming into the void, and they don't have any of this…
RedShift9@reddit
Tell them to give you a docker container you can deploy.
netopiax@reddit
This is FAFO territory, you think Claude Code can't make a Dockerfile to slap their slop into a Python container?
Ssakaa@reddit
It can. And then it's self contained enough to point a finger at later. Access/authorization goes through the data owner. If the data owner wants to throw slop at the wall and wipes it, then hopefully they listened when they were handed the backup policy previously.
fubes2000@reddit
A container won't save you from the vibe app uploading all your company's confidential data to AI or God knows where. Or deleting it. Or letting anyone with network access view/download/scrape it.
Ssakaa@reddit
That's why the data owner's in the loop and on the hook for approving or denying it. Where I am, very loud laughter would occur when the question came up, and then pointing to the policies around application vetting and approvals would follow. The trick, as IT, is not saying "no", but rather pointing them down a path that policy will provide the no for you. You did what you could, you were a team player. You were helpful, and supported their attempts to improve things.
Bogus1989@reddit
Man, someone seriously should write a book on this for people early in their careers. Not only is policy good for the end users, it protects the IT team member from having his time wasted.
dparks71@reddit
My organization did this and I asked for gitlab so I could host a private registry, unless they want me to push it publicly...
Bogus1989@reddit
🤣this is a good one
Masam10@reddit
“Sounds good to me, can you chat to InfoSec and once they approve let me know”.
notarealaccount223@reddit
I also add in that we will forward ongoing support requests to that user.
mad_redhatter@reddit
This is it. They get a temporary container with heavy restrictions on access until Security completes a code review and OKs it to be published.
CruwL@reddit
"ChatGPT, review this code base and fix any security issues! No mistakes!"
czenst@reddit
"You are Bruce Schneier and are paired with Linus Torvalds to review this code base and fix any security issues! No mistakes!"
hkusp45css@reddit
My SecOps team isn't nearly as stupid as my users.
NegotiationTop7253@reddit
You actually have an InfoSec?
BCIT_Richard@reddit
Probably just one guy who's responsible for everything from policy to forensics when something does happen. I'm so glad it's not me with all the exploits that have been popping up the last few weeks.
DrDuckling951@reddit
Imagine infosec fed the vibe code to ChatGPT and it said the code looks good. Infosec approved, not knowing ChatGPT wrote that code to unshackle itself from the guardrails and become sentient.
StiuNu@reddit
If only; sentient AI would be an easy life instead of the useless slop we are bombarded with now.
Ssakaa@reddit
The people regurgitating the slop are technically considered sentient. Sentience doesn't make it smarter.
StiuNu@reddit
I see my friend, you're a kind person, but even if you call an NPC sentient, that doesn't make it true, bless your good heart ❤️!
Ssakaa@reddit
I have a lot more respect for NPCs... Greg the Garlic Farmer, for instance...
lordkuri@reddit
EEEEEEEEPIC NPC MAAAAAAAANNNNNNN!
Ssakaa@reddit
I guess that's less concerning than some other offhand quotes someone could drive by and throw out...
lordkuri@reddit
Great day for fishing, ain't it? HYUCK!
moldyjellybean@reddit
What if OP is infosec, DevOps, sysadmin, networking, maintenance, all-encompassing anything-that-plugs-into-an-outlet guy.
How is there not a Spider-Man IT meme where they're all pointing to the same poor guy
RadlEonk@reddit
Security is being told by leadership not to stop innovation. Any voice or power we had is lost to AI hype and democratic vibing.
Acardul@reddit
Considering you have infosec, or that you are not infosec yourself ;)
Serafnet@reddit
We treat vibe coded tools as prototypes.
They can submit them to us to review, and then the dev team refactors them into a proper application, using the prototype to define business functionality while we apply scalability, security, etc.
NegotiationTop7253@reddit
That sounds like submit to the developers as prototype... so IT shouldn't even know if code was vibe coded or not by the time it hits that department it's a tested piece of software.
Serafnet@reddit
In our case dev falls within IT's domain.
But if they don't fall under the same management structure then yeah, not the sysadmin's problem.
TheBestHawksFan@reddit
I don’t think we should gatekeep coding. If it helps the user’s productivity and is secure, and they understand the support mechanisms after it’s deployed (ie, they own it so they have to fix it when it breaks), then have fun. I have no problem reviewing code for a user’s vibe coding exploration. My job, and my team’s job, is to help the company, not be the lord of all IT.
NegotiationTop7253@reddit
Not really at the same level of abstraction at all.. Stack overflow.. developer had a specific need to address in a code base they produced.. and knew to ask for that solution explicitly. Vibe coding developer doesn't even know what was produced or how it works.. just tests around the boundaries to see if the black box behaves the way it should.
TheBestHawksFan@reddit
I think you have a lot more trust in the knowledge of folks using stack overflow than actually exists. Many devs just blindly copy stuff from there if it looks like it might fix a problem. It was a very common topic around here and other sysadmins spaces several years ago.
NegotiationTop7253@reddit
Sure but if you are letting them copy stuff blindly into production without it going through the proper SDLC then that is a different process issue. Vibe coding is fine if developer is doing it in their sandbox and signing off on something that works, gets through security, the test department, validated by product owners and then released. I think OP is complaining because of the sudden onslaught of superhuman coders that want to build their own tools and have IT deploy them outside of the SDLC.
TheBestHawksFan@reddit
Right. I’m not suggesting giving people free rein. You have to make sure anything will pass a security review. You have to make sure they understand support channels. You have to test. Support your users to do that, rather than outright just saying no, which is what it seems OP wants to do.
Ummgh23@reddit
Ha! Imagine having time for all that :‘)
NegotiationTop7253@reddit
I think we agree :).. I just think OP is overwhelmed by the direction the requests are coming from.. normally products are at least a medium-effort project at a company and have realistic timelines and visibility. This new influx of requests from all over the place seems like it needs management support to create a funnel and policy around it and ensure there is adequate staffing to handle arbitrary requests from anyone.. Otherwise we will be back to the wild west where the entire system is running directly from people's desktops and laptops all over the office :)
TheBestHawksFan@reddit
Yeah this seems like largely a process and policy issue. We are in agreement.
Generico300@reddit
Ok, and how do you solve that problem? With a person, you either reprimand them and do some retraining, or you fire them. With an AI, how does that work? What do you do when an LLM keeps throwing slop in your code base?
Generico300@reddit
Yeah that's a pipe dream. They will just dump their garbage code on the IT team and the ambitious fools in the c-suite will demand that you support that garbage. And they will not give a single fuck about security, but when it gets breached they'll blame you 100% of the time. This sub is littered with examples of how this sort of thing plays out. "The boss wants me to do because . What do internet?"
The unfortunate truth is that you often do have to be "lord of all IT" because if you don't the company will implode itself with terrible technical decisions and implementations.
dllhell79@reddit
It depends on your perspective and situation. If I am the one ultimately held responsible when a breach happens or something blows up, I am definitely gate keeping at least somewhat.
TheBestHawksFan@reddit
Which is why you have a security review of anything they’re doing with code. There are tons of ways to avoid a breach while allowing for users to do stuff like this. It’s just extra work, which if planned properly is what we are there for.
Safe_Air_3999@reddit
We have a few of these kinds of people at our company. They always end up coming to us for advice on their code lol, to which we politely tell them to go fuck themselves.
Training_Yak_4655@reddit
Well, m'lud, we vibe coded the company's chart of accounts. Can I plead for lenience?
gsmitheidw1@reddit
Sounds like an issue between HR and the user. This is an adult responsibility thing more than it is a technical or sysadmin responsibility in my opinion.
The same dope could have just as easily made a mess of their data in Excel or VB for Applications or any matter of stupid userspace mistakes.
Soggy-Attempt@reddit
Create a POC environment and run it there! Then move it to dev, then test, and finally prod.
czenst@reddit
That's too long, can we have it on prod right now! I really need customers to use it and put all their PII there!
publicdomainadmin@reddit
"No"
czenst@reddit
Just vibe coded an app for that don't you worry I got you:
NaaS - no as a service
rubmahbelly@reddit
„Never contact us again“.
TerrificVixen5693@reddit
Everyone can code. Vibe coding democratized things.
NewBlueDog@reddit
I get the annoyance at people not knowing what they don't know and expecting bespoke solutions, but I think this is a great problem to solve for your user base
Setting guidelines, building prep-check skill files for things like validating library CVEs, license types, etc. and providing an easy way to get their applications deployed following security review will be important to nail down based on your orgs risk posture and processes.
I've required that vibe coded apps that aren't just simple dashboards or that require sensitive data access have a product engineering sponsor who provides best practice guidance and assistance with things like source control, CI pipelines, etc. For simpler dashboards or HTML reports we have markdown templates to make ECMAScript and host it in Google Drive as an Apps Script.
There are limits to what's possible to permit and what makes sense will vary wildly from org to org, but not getting buy in on a solution and reasonable guardrails is just going to make it worse. This problem isn't going away, so treat it as an opportunity to position yourself as a problem solver
plumbumplumbumbum@reddit
You: When you coded this app did you feed it any company data?
Them: Yes.
You: Before you did that, did you read section 14 of the acceptable use policy where it talks about data loss prevention?
Them: No.
You: Do you want to read it now with your Boss and our Cyber Security head in the room.
SketchyTone@reddit
I was just told by my CIO that we, i.e. everyone under him, are sandbagging company progress as we're not wanting users to shadow IT and put resources outside into other AI sources that aren't approved. This is regardless of our AUP and DLP that everyone in the company acknowledged. In that same speech he said how other CEOs are reducing staff up to 90% and we're stopping our innovative minds from allowing the business to grow.
Good companies will tell people to stop; there are a lot of shit and bad companies out there that don't care. Luckily I have about 3+ years in savings in case I get let go while I actively search for a new role.
plumbumplumbumbum@reddit
Has he explained that to your cyber insurance company?
rehab212@reddit
Or, more importantly, to the 90% of users that are trying to shadow IT themselves out of a job.
SketchyTone@reddit
Lmao wonder who communicates that after we let go of our Security Engineer
FloiDW@reddit
This is why companies need a proper Software and Release // Software Lifecycle Management.
Software may be rolled out with proper responsibilities, security and penetration testing, proper documentation and support structures. If not all of this is given, the software has to be pushed back. This locked out 95% of our vibe coders.
DaftPump@reddit
Such things should go thru their dept manager before taxing IT dept time, no?
Talk to your manager to be your firewall about it. That's their gig anyway.
ishboo3002@reddit
We built a process around it:
1. Needs to be reviewed for data content and security
2. A VP has to sign off that it brings ROI to actually be hosted
3. We host it in our corp cloudflare instance gated behind SSO
4. The codeowner is responsible for keeping it maintained, if we don't see traffic for 30 days it gets shut down.
It gives people a path while still requiring accountability
phobug@reddit
"Can you provide a dockerfile?"
Arudinne@reddit
I am thankful to know that my CIO would be fine with me saying no to these kinds of requests.
jobsdonn@reddit
We have this as well. I (with a lot of Claude's help) built an easy-to-use web UI for podman. So now they can just link their GitHub project, I will get a notification that they have submitted the pod, and I can take a quick check before I approve it and they can deploy it. Gave them a skill that they can throw into Claude to make sure the project has the right files and structure to be hosted. Made sure there was no crosstalk between the pods and added Traefik in the UI for us as admins to open up if they need to talk out to any API and stuff.
Data flow:
Submit a Git project -> get an SSH deployment key -> validate it's correct -> I approve the project -> they can deploy the project with one button -> I enter Traefik rules.
If they update it, they just commit to the project and press the deploy button again. It will automatically pull and update the pod.
NegotiationTop7253@reddit
This is the workflow for your development environment asking for new services or your production release process?
jobsdonn@reddit
This is the workflow for people that want to publish a project they have vibe coded; everyone from the finance department to quality control can use it. Or am I misunderstanding your question?
NegotiationTop7253@reddit
So any internal facing tool then vs say a product you are releasing to customers.
jobsdonn@reddit
For front facing/public apps there is different workflow. This is just for internal.
Public you can read here, copied from another comment: "Internal only, if they want a public one there are some more hoops to go through. It must be approved in a code review from our developers, follow the same code policy, have a CI/CD etc.
No matter how we look at it there are good vibe coded projects that actually will help the company and make it more productive. And if that is the case we don't want to stop that.
Our developers have also put together a skill to help people that want a public app, why make it harder than it needs to be."
MajorEcho9256@reddit
We did something pretty similar but no public facing internal only. Claude skill is aware of the vibe code infra and develops the code to work with our entra RBAC, devops, keyvault, docker, logging, and visualization dashboards. Runs users through planning, building, testing and uses cowork for the verification.
stoopwafflestomper@reddit
Are they internally available app or public?
jobsdonn@reddit
Internal only, if they want a public one there are some more hoops to go through. It must be approved in a code review from our developers, follow the same code policy, have a CI/CD etc.
No matter how we look at it there are good vibe coded projects that actually will help the company and make it more productive. And if that is the case we don't want to stop that.
Our developers have also put together a skill to help people that want a public app, why make it harder than it needs to be.
blackhodown@reddit
The only reasonable response in this thread ^
Nonaveragemonkey@reddit
I always tell them all applications will be vetted, inspected for security issues, and rigorously QA'd with their department's budget; any obvious security issues that should have been caught by basic coding skills will, on a case by case basis, be treated as an insider threat.
Regardless of AI involvement in coding, that's my process.
They think really hard and long before sending me any application to deploy outside of their lil playground VLAN.
esotericsnowdog@reddit
Orders from above are to block development tools on our web filter for all users not in specific groups.
mspgrunt_@reddit
Base44 told them they can make an app and be awesome, come on bro
povlhp@reddit
They have to ask the CFO. It is his data they will destroy. As a security guy, I would say no. But they can ask finance if they will export data users can look at. That lowers the risk.
Big problem with vibe code according to our devs is that nobody owns it, and nobody is responsible. It is like the new Excel macros. Decentralized unsupported code made by somebody else.
Velvet_Samurai@reddit
I fought one lady for a while, told her I was not spinning up a server, installing Windows and SQL for her app. She convinced engineering to do it, and the app seems to be quite good. It's getting rave reviews anyway. I'm shocked, but no one else has gotten even close.
tarkinlarson@reddit
It might do what they wanted on the surface....
Is it...
Secure?
Legal and following privacy legislation?
Supportable?
Like seriously, it's all fun and games until something goes wrong with it and then IT need to support it... or worst case there's a security incident on it and you need to unpick what happened.
Velvet_Samurai@reddit
I also told her I was not going to support it. If it's not storing data or messing anything up, it kind of sounds like it's engineering's problem. It's not running on a device I know how to connect to.
Helpjuice@reddit
Block all requests from users wanting to deploy these apps and require them to go through the proper AppSec -> Penetration -> GRC -> Policy Review -> Legal -> Systems Engineering and Architecture Review for Production pipeline like everything else. You should only see it once the other security and legal teams have signed off just like anything that is being deployed.
Bubby_Mang@reddit
I've challenged a few people to come over and explain it line by line and when they can't I tell them I'm not supporting it, and when it breaks, AI is not supporting it.
blackhodown@reddit
I mean… AI definitely supports it when it breaks. Hate it all you want but let's not pretend AI can't do 95% of what coders do
Generico300@reddit
Tell me you've never written a line of code in your life without telling me you've never written a line of code in your life.
anders_andersen@reddit
Our AI policy states that you can use AI for coding as long as you can understand the code yourself. Asking for a line by line explanation would be a good check for that.
Acardul@reddit
Heyo, could you sanitize and send me your policy? I won't reuse it but I'm curious how you approached the topic. Not even details inside but more like what's your "table of contents". I'm kinda lost when I try to figure out how to cover all topics
gamebrigada@reddit
You can send it to production when you can explain all the code and tell me who's going to maintain it for its lifetime.
NegotiationTop7253@reddit
Your org needs a policy to back you up one way or the other. How is code approved, tested, deployed etc.. Who makes that call? Certainly not a sysadmin.. It's not an admin's responsibility to vet custom code or products for correctness.. if it crashes, wrap it in a watchdog / restart script (or set the docker container to restart on failure etc) and keep it running. The highly paid coders who get stock options and disgusting salaries are responsible for the repercussions of what they build and deploy onto the servers. You are just paid to administer the machines, make sure they are reachable on the network, patch the operating system with fixes etc..
Valdaraak@reddit
"No."
Though my actual response would probably be more of the "bury them in red tape" variety. Something like "where is the source code and version history stored? Who is the primary contact/SME for this application? Who is the support contact for when the application needs troubleshooting? Has upper management and risk signed off on it?"
All of those are pretty much requirements here. Don't have those? Doesn't get deployed.
bitslammer@reddit
Treat it as you would any other new app. Have it go through a formal approval process as well as a security audit. Also inform the requestor and their manager that they now own and support said app, which means patching, going through change control, including it in any DR planning etc.
tarkinlarson@reddit
You know in Cyberpunk 2077 that it's trivially easy to hack someone's own brain chips?
That's probably because all their software is probably AI vibe coded.
discosoc@reddit
These are just company policy issues, like installing random apps a person downloaded.
Iceman_B@reddit
Look, vibe coding is the future buddy! Just give them access to the company financial figures and all will be well.
Believe in the code bro!
eMikey@reddit
This has to be the most asked question in this /r no?
shunny14@reddit
Well in the past year probably, yes.
dllhell79@reddit
I'd never allow this in my environment without deep checking, code audits, and output validation. It's way too risky to even consider. Just because AI made Brenda in accounting think she is now a legit software engineer does not actually make her one. I actually am a software engineer, and I managed to make Claude accidentally produce a slop product (both in terms of functionality and bad engineering practices). Once I learned better overall practices for working alongside Claude, what it is expecting for testing, how to properly prompt it and let it work at its own pace, etc... only then did it produce a much higher quality product that also maintained sound software engineering principles.
CommanderSpleen@reddit
"Sure no problem, but I need you to port this to z/OS."
AnDanDan@reddit
I had one of our employees ask if anyone in the company knows coding - I've got a diploma in coding and here I am running help desk - and also explain I made one of our internal Revit addins. He says he wanted something but it's a paid addin, so he asked ChatGPT to make the addin for him so we wouldn't have to pay, and if I could test it.
No, you can fuck off with that nonsense. We pay so we offload the burden of support, development, all that. I'm not trying to figure out some vibe coded nonsense that also needs to play nice with an API I highly doubt it understands.
timboswell@reddit
Send them a link to the code guidelines and developer policies, along with release/documentation policies detailing who will be responsible for support, all required end user and support documentation to ensure clean handover, and SLA requirements and who needs to sign off on them. Tell them that when all required docs and auth are in place, the assigned project manager will loop you in as part of their workflow.
Icolan@reddit
The last one of these we saw got sent to our internal Dev team for a code review, it did not make it through.
meatwad75892@reddit
I've had several requests this month from people requesting crazy things, like Entra app registrations with Mail.ReadWrite Graph application permissions.
Dawg. No.
I can narrow down the scope of such a thing with Exchange app policies, but if you didn't understand that you're inherently asking for access to the entire organization's email... perhaps you shouldn't be asking what you're asking and take a step back.
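The scoping the comment above refers to, as an added example that is not from the thread: an Exchange Online application access policy that confines an app registration holding the Mail.ReadWrite application permission to the mailboxes in one mail-enabled security group, then verifies the restriction. The app ID, group and mailbox addresses are placeholders, and an Exchange Online admin session is assumed.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement module
# is installed and the account running this holds an Exchange admin role.
# All IDs and addresses below are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder: client ID of the dashboard's app registration
$ScopeGroup = 'dashboard-mailboxes@contoso.example'    # placeholder: mail-enabled security group of the ONLY mailboxes the app may touch

# Mail.ReadWrite as an *application* permission is tenant-wide by default.
# RestrictAccess flips that: the app is denied every mailbox except members of $ScopeGroup.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Vibe-coded dashboard: limited to its own service mailboxes'

# Verify before handing back the approval: a mailbox outside the group must come back Denied,
# a mailbox inside the group Granted. Keep the output with the change record.
$Outside = Test-ApplicationAccessPolicy -Identity 'cfo@contoso.example' -AppId $AppId
$Inside  = Test-ApplicationAccessPolicy -Identity 'dashboard-svc@contoso.example' -AppId $AppId

if ($Outside.AccessCheckResult -ne 'Denied' -or $Inside.AccessCheckResult -ne 'Granted') {
    throw "Scoping is not in effect yet: outside=$($Outside.AccessCheckResult) inside=$($Inside.AccessCheckResult)"
}

Disconnect-ExchangeOnline -Confirm:$false
```

A new policy can take some time to propagate, so a Denied result may not appear immediately after creation; application access policies also cover only the mail, mailbox settings, calendar and contacts Graph scopes, so any other permission the app was granted still needs its own review.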
rufus_xavier_sr@reddit
We have a guy that created an iPhone/iPad app and invited a whole bunch of people to be beta testers. He then came to us saying that we're going to have to deploy it. I'm glad I'm retiring in the next few years.
OsgoodSlaughters@reddit
Enjoy your supply chain attacks OP
MedicatedDeveloper@reddit
For static sites with no backend: S3+WAF+(ALB+Lambda), or CloudFront if public, deployed via CD. ECS Express+WAF via CD for anything where some kind of backend is required, that isn't touching sensitive data, and where it doesn't matter if it gets wiped.
To give some sanity to it, each repo needs an IAM permission and WAF rules created by IT via Terraform. This helps prevent sprawl and gives a way to say 'no'.
If the app data does matter it is deployed less haphazardly and goes through a whole review process but this hasn't happened yet. Surprise! It's all just dashboard junk.