Browser extension security system

US11468172B2 · US · B2

Patent metadata

Publication number: US-11468172-B2
Application number: US-201916529987-A
Country: US
Kind code: B2
Filing date: Aug 2, 2019
Priority date: Feb 6, 2019
Publication date: Oct 11, 2022
Grant date: Oct 11, 2022

Abstract

Official abstract text for this publication.

Presented herein are techniques for automatically generating information about risks associated with browser extensions used by browsers in an enterprise network for purposes of determining whether to whitelist a browser extension in response to a request from a user. A request to install a browser extension is obtained from a user device of a plurality of user devices associated with an organization, wherein the request comprises an extension identifier for the browser extension. A risk score is generated for the browser extension based on risk values for each of one or more permissions requested by the browser extension. The risk score is compared to a threshold value to determine whether the browser extension satisfies risk standards of the organization, and if so, the browser extension is automatically added to a whitelist of permitted extensions for future installation on the plurality of user devices.
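The score-and-threshold decision summarized in the abstract, together with the re-check on update recited in claim 7, as an added example that is not code from the patent or its assignee. The per-permission risk values, the threshold, the rule that a score at or below the threshold passes, and the sample manifests and extension ID are all assumptions constructed for illustration.

```python
import json

# Assumed risk values per permission; the patent text on this page gives no table.
RISK_VALUES = {"<all_urls>": 10, "webRequest": 8, "cookies": 8, "history": 7,
               "clipboardRead": 6, "tabs": 5, "downloads": 4, "storage": 1}
UNKNOWN_RISK = 5   # assumption: unlisted permissions are never scored as zero
THRESHOLD = 12     # assumption: organization threshold; score <= threshold passes


def requested_permissions(manifest):
    """Collect every permission string the manifest requests."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    return perms


def permission_risk(perm):
    """Risk value for one permission or host match pattern."""
    if perm in RISK_VALUES:
        return RISK_VALUES[perm]
    if "://" in perm:  # host match pattern such as https://*/*
        host = perm.split("://", 1)[1].split("/", 1)[0]
        return RISK_VALUES["<all_urls>"] if host == "*" else 3
    return UNKNOWN_RISK


def risk_score(manifest):
    return sum(permission_risk(p) for p in requested_permissions(manifest))


def evaluate(ext_id, manifest_json, whitelist, threshold=THRESHOLD):
    """Score one version; add it to or remove it from the whitelist."""
    score = risk_score(json.loads(manifest_json))
    if score <= threshold:
        whitelist.add(ext_id)
    else:
        whitelist.discard(ext_id)  # an update that now exceeds the threshold
    return score


# Constructed sample data: placeholder extension ID and two manifest versions.
EXT_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
V1 = '{"name": "Sample", "version": "1.0", "permissions": ["storage", "tabs"]}'
V2 = ('{"name": "Sample", "version": "1.1", "permissions": '
      '["storage", "tabs", "cookies"], "host_permissions": ["https://*/*"]}')

if __name__ == "__main__":
    wl = set()
    print(evaluate(EXT_ID, V1, wl), EXT_ID in wl)
    print(evaluate(EXT_ID, V2, wl), EXT_ID in wl)
```

Scoring the update separately matters because an extension approved at one version can request broader permissions in a later one.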

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method comprising: obtaining, from a user device of a plurality of user devices associated with an organization, a first request to install a browser extension for a browser of the user device, wherein the first request comprises an extension identifier and a business justification for the browser extension; in response to obtaining the first request to install the browser extension, generating, for the browser extension, a risk score that is based on risk values for each of one or more permissions requested in a second request by the browser extension, wherein each permission provides access to particular data of the browser; determining whether the browser extension satisfies risk standards of the organization by comparing the risk score to a threshold value for the organization; and in response to determining that the browser extension satisfies the risk standards, automatically adding the browser extension to a whitelist of permitted extensions for approved installation on the plurality of user devices.

2. The computer-implemented method of claim 1, further comprising generating a risk assessment report by: accessing, via an application programming interface, information pertaining to the browser extension from a browser extension store; and analyzing the information to generate the risk assessment report.

3. The computer-implemented method of claim 2, wherein the information comprises one or more of: manifest information, permission information, content security policy, and extension metadata.

4. The computer-implemented method of claim 2, wherein analyzing the information comprises determining whether the browser extension includes one or more of: a vulnerability in a third-party library, a dangerous function, and a dangerous entry point.

5. The computer-implemented method of claim 1, further comprising: in response to automatically whitelisting the browser extension, transmitting an instruction to the user device to install the browser extension.

6. The computer-implemented method of claim 1, wherein the browser includes a gatherer extension, and wherein the gatherer extension obtains the extension identifier from the browser.

7. The computer-implemented method of claim 1, further comprising: determining that an updated version of the browser extension is available; generating, for the updated version of the browser extension, an updated risk score that is based on risk values for each of one or more permissions requested by the updated version of the browser extension; determining whether the updated version of the browser extension satisfies risk standards of the organization by comparing the updated risk score to a threshold value for the organization; and in response to determining that the browser extension does not satisfy the risk standards, removing the browser extension from the whitelist.

8. The computer-implemented method of claim 1, wherein a user of the user device is prompted to provide the business justification for installation of the browser extension.

9. An apparatus comprising: a communication interface configured to enable network communications; one or more computer processors; one or more computer readable storage media; and program instructions stored on the one or more computer readable storage media for execution by at least one of the one or more computer processors, that when executed by the one or more computer processors, cause the one or more computer processors to: obtain, from a user device of a plurality of user devices associated with an organization, a first request to install a browser extension for a browser of the user device, wherein the first request comprises an extension identifier and a business justification for the browser extension; in response to obtaining the first request to install the browser extension, generate, for the browser extension, a risk score that is based on risk values for each of one or more permissions requested in a second request by the browser extension, wherein each permission provides access to particular data of the browser; determine whether the browser extension satisfies risk standards of the organization by comparing the risk score to a threshold value for the organization; and in response to determining that the browser extension satisfies the risk standards, automatically add the browser extension to a whitelist of permitted extensions for approved installation on the plurality of user devices.

10. The apparatus of claim 9, wherein the program instructions to generate a risk assessment report further cause the one or more processors to: access, via an application programming interface, information pertaining to the browser extension from a browser extension store; and analyze the information to generate the risk assessment report.

11. The apparatus of claim 10, wherein the information comprises one or more of: manifest information, permission information, content security policy, and extension metadata.

12. The apparatus of claim 10, wherein the program instructions to analyze the information comprise instructions to determine whether the browser extension includes one or more of: a vulnerability in a third-party library, a dangerous function, and a dangerous entry point.

13. The apparatus of claim 9, wherein the program instructions further comprise instructions to cause the one or more processors to: in response to automatically whitelisting the browser extension, transmit an instruction to the user device to install the browser extension.

14. The apparatus of claim 9, wherein the browser includes a gatherer extension, and wherein the gatherer extension obtains the extension identifier from the browser.

15. The apparatus of claim 9, wherein the program instructions further comprise instructions to cause the one or more processors to: determine that an updated version of the browser extension is available; generate, for the updated version of the browser extension, an updated risk score that is based on risk values for each of one or more permissions requested by the updated version of the browser extension; determine whether the updated version of the browser extension satisfies risk standards of the organization by comparing the updated risk score to a threshold value for the organization; and in response to determining that the browser extension does not satisfy the risk standards, remove the browser extension from the whitelist.

16. One or more non-transitory computer readable storage media encoded with program instructions that, when executed by one or more processors, cause the one or more processors to: obtain, from a user device of a plurality of user devices associated with an organization, a first request to install a browser extension for a browser of the user device, wherein the first request comprises an extension identifier and a business justification for the browser extension; in response to obtaining the first request to install the browser extension, generate, for the browser extension, a risk score that is based on risk values for each of one or more permissions requested in a second request by the browser extension, wherein each permission provides access to particular data of the browser; determine whether the browser extension satisfies risk standards of the organization by comparing the risk score to a threshold value for the organization; and in response to determining that the browser extension satisfies the risk standards, automatically add the browser extension to a whitelist of permitted

Classifications

  • Test or assess software

  • Risk analysis of enterprise or organisation activities

  • Access rights, e.g. capability lists, access control lists, access tables, access matrices

  • Installation

  • Plug-ins; Add-ons

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification G06Q10/0635. Mapped technology areas include Physics.
When was this patent published?
Publication date Oct 11, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).