Strengthening Security Through Software Visibility
From a security point of view, one of the biggest challenges for any organization is keeping track of all the software and third-party apps in use across the organization and by its employees. Security teams are often handed a partial list: the things procurement bought, the things IT deployed, and the things that showed up in an audit sample. Everything else is discovered after an incident or a frantic Slack thread.
The table below is a practical checklist. Some rows belong in a mature vendor-management program; others are “dirty” in the sense that they rely on traces people leave in finance, email, laptops, and code. Work through it with explicit coverage goals, so that no category of software is left unexamined.
Discovery sources
| Source | Collect or review | Partner with |
|---|---|---|
| Corporate card transactions | Look for spends related to software purchases. Check subscriptions and receipts. | Finance Team |
| Employee reimbursements | These won’t show up on corporate cards, so review invoices for software purchased by employees and later reimbursed. | Finance, AP |
| Mailbox “subscriptions” / similar (e.g. Google) | Per-user or admin export where policy allows viewing managed subscriptions for each user. | IT, Google / M365 admin |
| GitHub | Org GitHub Apps, OAuth apps, pending installs, PAT and deploy-key patterns. | Engineering security, org owners |
| GitLab / Bitbucket / package registries | Installed integrations, tokens, mirroring | Engineering |
| Slack | Workspace apps, bots, workflows hitting external APIs | Slack admin, IT |
| Notion / Linear / Jira / Confluence / Asana / Monday (and peers) | Connected apps / integrations; guest users; public or link shares | Tool admins, IT |
| AWS / GCP / Azure | Org-wide service inventory, audit logs, deployed resources. | Cloud platform, security |
| Cloud IAM and integrations | Marketplace images, Lambda layers, IAM roles with external IDs (SaaS to cloud trust) | Cloud security, IAM |
| Non-prod accounts | Same scans on sandboxes and “eng” accounts | Engineering leads |
| 1Password / Vault / team password managers | Vault structure, naming, searches for vendor names, api_key, staging URLs | IT, security operations |
| IdP (Okta, Azure AD, Google Workspace, etc.) | Enterprise SAML/OIDC apps, OAuth consents, CA exceptions | IT, IAM |
| AI connectors and MCP Servers | Check for installed connectors, MCP Servers, and other third-party integrations | IT, app owners, security |
| Repositories and CI/CD | Secret scanning, webhooks, vendor SDKs, hardcoded hosts, Terraform / K8s manifests | Engineering, DevSecOps |
| Egress and gateways | API gateway allowlists, service mesh egress rules, outbound firewall logs | Platform, SRE, security |
| SBOM | SBOMs listing the libraries and components each application depends on | Platform, SRE, security |
| MDM inventory | Installed apps and browser extensions on employee laptops | IT, endpoint team |
| Developer machines | Corporate policies for brew / npm / containers / base images | Engineering, IT |
| Contracts and questionnaires | DPAs, MSAs, order forms, security questionnaires | Legal, procurement |
| DNS and certificates | New subdomains, cert transparency, SaaS custom domains | IT, infrastructure |
| Email security and routing | Allowlists, “send to SaaS” rules, journaling targets | Email admin, IT |
| Support and CRM | Zendesk, Intercom, Salesforce, helpdesk apps and integrations | Support, RevOps |
| Marketing and analytics | Tag manager, CDP, pixels, consent tools | Marketing, privacy |
| Observability and incident tooling | Logging, APM, on-call vendors; sampling config | SRE, security |
| Meetings and calendars | Zoom / Meet / Teams marketplace apps; calendar add-ins | IT, collaboration admin |
| Payments and billing | Stripe, invoicing, revenue tools, middleware | Finance, engineering |
| HR and benefits | HRIS, payroll, background checks, perks platforms | People ops, IT |
| Internal docs | Wikis, onboarding checklists, “how we use X” pages | IT, people teams |
Once those findings are organized into structured records such as application name, ownership, and access method, they can be ingested into a SIEM or a SaaS inventory platform. This creates a centralized view of the environment, making it easier to monitor risk across all services. From there, you can track issues like internet exposure, known vulnerabilities, lingering access after employee offboarding, and other security gaps in a single place.
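As an added example (not code from the original article), the script below shows how findings from several of the sources in the table can be normalized into one record per application and checked for the gaps the paragraph names: applications with no owner, applications seen only in finance, chat or code traces and never in the IdP (so not behind SSO), and live grants still held by offboarded users. The sample findings, source names and offboarded list are constructed for illustration.

```python
"""Merge shadow-IT discovery findings into one inventory and flag gaps (example)."""
from collections import defaultdict

# Constructed sample findings: one dict per trace, tagged with the discovery source.
FINDINGS = [
    {"app": "Figma", "source": "corporate_card", "user": "alice", "owner": None},
    {"app": "figma", "source": "idp_saml", "user": "alice", "owner": "design"},
    {"app": "Notion", "source": "employee_reimbursement", "user": "bob", "owner": None},
    {"app": "Linear", "source": "github_oauth", "user": "carol", "owner": "eng"},
    {"app": "Zendesk", "source": "slack_app", "user": "dave", "owner": "support"},
    {"app": "zendesk", "source": "idp_saml", "user": "dave", "owner": "support"},
]
OFFBOARDED = {"bob", "dave"}  # constructed: users already removed from HR/IdP
SSO_SOURCES = {"idp_saml", "idp_oidc"}  # sources that prove the app sits behind the IdP
# Sources that reflect a currently active grant (finance traces are purchase history only).
LIVE_SOURCES = SSO_SOURCES | {"github_oauth", "slack_app"}


def build_inventory(findings):
    """Normalize app names and collapse traces into one record per application."""
    inv = defaultdict(lambda: {"sources": set(), "grants": set(), "owner": None})
    for f in findings:
        rec = inv[f["app"].strip().lower()]
        rec["sources"].add(f["source"])
        rec["grants"].add((f["source"], f["user"]))
        rec["owner"] = rec["owner"] or f["owner"]  # first owner claim wins
    return dict(inv)


def find_gaps(inventory, offboarded, sso_sources=SSO_SOURCES, live_sources=LIVE_SOURCES):
    """Return (app, issue) pairs, sorted by app, for the review queue."""
    gaps = []
    for app, rec in sorted(inventory.items()):
        if rec["owner"] is None:
            gaps.append((app, "no owner"))
        if not rec["sources"] & sso_sources:
            gaps.append((app, "not behind SSO"))
        lingering = {u for s, u in rec["grants"] if s in live_sources and u in offboarded}
        for user in sorted(lingering):
            gaps.append((app, f"lingering access: {user}"))
    return gaps


if __name__ == "__main__":
    for app, issue in find_gaps(build_inventory(FINDINGS), OFFBOARDED):
        print(f"{app:10} {issue}")
```

Each record can be exported as a flat row (application, owner, sources, grants) to the SIEM or inventory platform, and the gap list becomes the first triage queue.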