Security
- Engineering
- Last Updated: May 30, 2024
- Etienne Stalmans
Containers, specifically Docker, are all the rage. Most DevOps setups feature Docker somewhere in the CI pipeline. This likely means that any build environment you look at will be using a container solution such as Docker. These build environments need to take untrusted user-supplied code and execute it. It makes sense to try to securely containerize this to minimize risk.
In this post, we’re going to explore how a small misconfiguration in a build environment can create a severe security risk.
It's important to note that this post does not describe any inherent vulnerability in Heroku, Docker, AWS CodeBuild, or …
- Engineering
- Last Updated: April 02, 2024
- Caleb Hearth
Observatory by Mozilla helps websites by teaching developers, system administrators, and security professionals how to configure their sites safely and securely.
Let's take a look at the scores Observatory gives for a fairly straightforward Static Buildpack app, https://2017.keeprubyweird.com.
| Test | Pass | Score | Explanation |
| --- | --- | --- | --- |
| Content Security Policy | ✗ | -25 | Content Security Policy (CSP) header not implemented |
| Cookies | ― | 0 | No cookies detected |
| Cross-origin Resource Sharing | ✔ | 0 | Content is not visible via cross-origin resource sharing (CORS) files or headers |
| HTTP Public Key Pinning | ― | 0 | HTTP Public Key Pinning (HPKP) header not implemented (optional) |
UPDATE: Friday, January 5 19:07 PST
As of 13:30 PST, AWS completed their patch deployment addressing tenant isolation threats. AWS reports they have restored the expected multi-tenancy protections similar to dedicated hardware, which leaves Heroku to address the kernel vulnerabilities in runtime host operating systems.
Heroku Performance, Private, and Shield dynos feature varying degrees of isolation from potentially hostile neighbors. However, the shared Common Runtime carries our highest priority for Meltdown (variant 3) mitigation work due to the nature of its shared infrastructure.
The ideal fix is to deploy the updated kernel from Canonical prior to the release of functional …
- News
- Last Updated: March 21, 2017
- Brett Goulder
We are happy to announce the general availability of Automated Certificate Management (ACM) for all paid Heroku dynos. With ACM, the cumbersome and costly process of provisioning and managing SSL certificates is replaced with a simple experience that is free for all paid Dynos on Heroku’s Common Runtime. Creating secure web applications has never been more important, and with ACM and the Let’s Encrypt project, never easier.
ACM handles all aspects of SSL/TLS certificates for custom domains; you no longer have to purchase certificates, or worry about their expiration or renewal. ACM builds directly on our recent release of …
- Engineering
- Last Updated: February 15, 2017
- Owen Jacobson
As part of our commitment to security and support, we periodically upgrade the stack image, so that we can install updated package versions, address security vulnerabilities, and add new packages to the stack. Recently we had an incident during which some applications running on the Cedar-14 stack image experienced higher than normal rates of segmentation faults and other “hard” crashes for about five hours. Our engineers tracked down the cause of the error to corrupted dyno filesystems caused by a failed stack upgrade. The sequence of events leading up to this failure, and the technical details of the failure, …
- Engineering
- Last Updated: December 22, 2016
- Fred Hebert
During the development of the recently released Heroku SSL feature, a lot of work was carried out to stabilize the system and improve its speed. In this post, I will explain how we managed to improve the speed of our TLS handshakes by 4-5x.
The initial reports of speed issues were sent our way by beta customers who were unhappy about the low level of performance. This was understandable since, after all, we were not greenfielding a solution for which nothing existed, but actively trying to provide an alternative to the SSL Endpoint add-on, which is provided by a dedicated …
- News
- Last Updated: May 02, 2024
- Brett Goulder
Encrypted communication is now the norm for applications on the Internet. At Heroku, part of our mission is to spread encryption by making it easy for developers to set up and use SSL on every application. Today we take a big step forward in that mission by making Heroku SSL generally available, allowing you to easily add SSL encryption to your applications with nothing more than a valid SSL certificate and custom domain.
Heroku SSL is free for custom domains on Hobby dynos and above and relies on the SNI (“Server Name Indication”) extension which is now supported by the vast …
- News
- Last Updated: April 29, 2024
- Brett Goulder
Editor's Note: SSL Is Now Included on All Paid Dynos as of September 22, 2016
At Heroku, we want to make it easy for everyone to be able to learn and explore our service, and the related ecosystem of technologies, for free – be it student, professional developer, hobbyist or just curious individual. We view this as both part of our mission and our business model; it has never been a more interesting – or important – time to be a developer, and we want to help everyone become one.
Today we are announcing two important updates to help bring …
- News
- Last Updated: December 17, 2015
- Ike DeLorenzo
We're pleased to announce the beta of SSO for Heroku. With this beta, Heroku now supports the current and most widely supported SSO standard known as SAML 2.0, and has partnered with leading identity providers (IdPs) for easy set-up. Customers can use their existing identity provider like Salesforce Identity, Okta, PingOne, Microsoft Active Directory, and PingFederate for their employees' single sign-on to Heroku Enterprise.
SSO is expected to be generally available in early February. Initially, it will be available to Heroku Enterprise customers. For enterprise customers who want to use the feature during the beta period, it …
- News
- Last Updated: April 11, 2024
- Balan Subramanian
Apps are at the heart of modern businesses, and are important assets that need a secure platform geared for compliance and security. We launched Heroku Enterprise earlier this year with this in mind and today we are excited to announce the beta of Heroku Identity Federation for Heroku Enterprise customers. This feature unifies the login experience across Salesforce's new App Cloud that we announced today.
As customers like Forever Living, TV4 and Macy’s run more of their apps and business-critical services on Heroku, they need tighter integration with their existing security infrastructure. With our new identity federation feature, customers can …