security
- Engineering
- Last Updated: April 30, 2024
- Wade
There’s obviously more to security than humans, technology, and vendors with all of their implementations and expertise. At Heroku we believe that security is a byproduct of excellence in engineering. All too often, software is written solely with the happy path in mind, and the security assurances made about that software rest on their own dangerous assumptions. A mature security program should challenge the assumptions behind its security controls, move to continuous testing, and prepare for the unexpected. This means asking hard questions about the bigger picture: think beyond the development lifecycle, backing away from the fixation on confirming that corrections and remediations were effective. This…
- Engineering
- Last Updated: April 04, 2024
- Joe Kutner
This blog post is adapted from a talk given by Joe Kutner at Devoxx 2018 titled "10 Mistakes Hackers Want You to Make." Building self-defending applications and services is no longer aspirational; it’s required. Applying security patches, handling passwords correctly, sanitizing inputs, and properly encoding output is now table stakes. Our attackers keep getting better, and so must we. In this blog post, we'll take a look at several commonly overlooked ways to secure your web apps. Many of the examples provided will be specific to Java, but any modern programming language will have equivalent tactics.
1. Ensure dependencies are up-to-date…
- News
- Last Updated: September 13, 2018
- Michael Friis
Today we're excited to announce Site-to-Site Virtual Private Network (VPN) support for Heroku Private Spaces. Heroku customers can now establish secure, site-to-site IPsec connections between Private Spaces on Heroku and their offices, datacenters and deployments on non-AWS clouds. VPN is a powerful, proven and widely-adopted technology for securely combining multiple networks (or adding individual hosts to a network) over encrypted links that span the public Internet. VPN is well-understood and in use by most enterprise IT departments, and is supported on all major cloud providers and by a range of hardware and software-based systems. VPN support complements Private Space VPC…
- News
- Last Updated: September 13, 2018
- Michael Friis
Today we’re announcing a powerful new network control for apps running in Heroku Private Spaces: Internal Routing. Apps with Internal Routing work exactly the same as other Heroku apps, except the web process type is published to an endpoint that’s routable only within the Private Space and on VPC and VPN peered networks (see the Private Space VPN support companion post). Apps with Internal Routing are impossible to access directly from the public internet, improving security and simplifying management and compliance checks for web sites, APIs and services that must not be publicly accessible. Internal Routing unlocks several exciting new…
- Engineering
- Last Updated: April 29, 2024
- chris le roy
Seccomp (short for secure computing mode) is a useful feature provided by the Linux kernel since 2.6.12 and is used to control the syscalls made by a process. Seccomp has been implemented by numerous projects such as Docker, Android, OpenSSH and Firefox, to name a few. In this blog post, I am going to show you how you can implement your own seccomp filters, at runtime, for a Go binary on your Dyno.
Why Use Seccomp Filters?
By default, when you run a process on your Dyno, it is limited in which syscalls it can make because the Dyno has…
- News
- Last Updated: August 23, 2018
- Jamie Arlen
Today we are proud to announce that Heroku has achieved several important compliance milestones that provide third party validation of our security best practices:
- ISO 27001 Certification: Widely recognized and internationally accepted information security standard that specifies security management best practices and comprehensive security controls following ISO 27002 best practices guidance.
- ISO 27017 Certification: A standard that provides additional guidance and implementation advice on information security aspects specific to cloud computing.
- ISO 27018 Certification: Establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with defined privacy principles for public cloud…
- Engineering
- Last Updated: May 22, 2018
- Craig Ingram
The Public Cloud Security (PCS) group at Salesforce partners very closely with Heroku engineering to review and advise on new product features across the platform, from infrastructure to applications. One of the most rewarding aspects about this partnership and working on this team for me is when we not only identify security concerns, but take an active role in building safe solutions. Heroku recently announced support for Active Storage in Rails 5.2, which introduces the ability to generate previews of PDFs and videos. As a security engineer, hearing about a new feature in a product that automatically parses media files…
- Engineering
- Last Updated: June 03, 2024
- Etienne Stalmans
At Heroku we consistently monitor vulnerability feeds for new issues. Once a new vulnerability drops, we jump into action to triage and determine how our platform and customers may be affected. Part of this process involves evaluating possible attack scenarios not included in the original vulnerability report. We also spend time looking for "adjacent" and similar bugs in other products. The following Ruby vulnerability was identified during this process.
Vulnerability Triage
A vulnerability, CVE-2017-8817, was identified in libcurl. The FTP function contained an out of bounds read when processing wildcards. As soon as the vulnerability was made public, we went…
- Engineering
- Last Updated: May 30, 2024
- Etienne Stalmans
Containers, specifically Docker, are all the rage. Most DevOps setups feature Docker somewhere in the CI pipeline. This likely means that any build environment you look at will be using a container solution such as Docker. These build environments need to take untrusted user-supplied code and execute it, so it makes sense to try to containerize this securely to minimize risk. In this post, we’re going to explore how a small misconfiguration in a build environment can create a severe security risk. It's important to note that this post does not describe any inherent vulnerability in Heroku, Docker, AWS CodeBuild, or…
- Engineering
- Last Updated: April 02, 2024
- Caleb Hearth
Observatory by Mozilla helps websites by teaching developers, system administrators, and security professionals how to configure their sites safely and securely. Let's take a look at the scores Observatory gives for a fairly straightforward Static Buildpack app, https://2017.keeprubyweird.com.
Test Scores

| Test | Pass | Score | Explanation |
| --- | --- | --- | --- |
| Content Security Policy | ✗ | -25 | Content Security Policy (CSP) header not implemented |
| Cookies | ― | 0 | No cookies detected |
| Cross-origin Resource Sharing | ✔ | 0 | Content is not visible via cross-origin resource sharing (CORS) files or headers |
| HTTP Public Key Pinning | ― | 0 | HTTP Public Key Pinning (HPKP) header not implemented (optional) |
| HTTP Strict Transport Security | ✗ | -20 | … |