There are many applications that do all kinds of amazing things available. Users always want the latest and greatest. Many organizations have little control over their users. They may let them download and use whatever software they want. After all what can it hurt?

The unfortunate part is it can hurt a lot. Users can download applications with malware. Users can put in applications that have backdoors and rootkits and viruses. Even if an application is ok today, there is nothing to say it won't have vulnerabilities later that an attacker can use to compromise your systems and (or) network. If there is no control over your software, how do you know what software you have to look for updates on it? With Software as a Service (SaaS) applications that are so prevelant with the move to cloud, your users may be moving your data into an insecure location.

It is vital to have control over what applications your users are using. The less applications you have the less opportunties for compromise there are. This gets into a concept known as least privledge. Users should only be given access to things vital to doing their job. The least funcationility required to meet business needs. If its not part of their job, it should not be installed or used. Anything that is required should be given at least a basic cyber review. Look at google to see if there are issues with it. Look it up in the national vulnerability database (NVD) to see if there are open vulnerabilities. It should also be added to your inventory so that you can peform onoging vulnerability management of the application.