Heroku’s Security Slip-Up – Is It Time for a PaaS Security Certification Standard?

Today Heroku, a Ruby platform-as-a-service which was recently acquired by Salesforce.com, disclosed a serious security issue. The vulnerability has been fixed, and there is no evidence that it was ever exploited.

Earlier this week, NodeFu had its databases deleted when admins revealed its CouchOne password on Github. Missteps by PaaS providers leave customers at risk and jeopardize the reputation of the public cloud.

Is it time for a PaaS security certification standard?

First of all, credit where credit is due. The Heroku security issue was discovered by David E. Chen, the founder of Heroku competitor Duostack. Chen notified Heroku and didn’t disclose the issue on his own blog until Heroku issued a statement about it. Heroku also deserves credit for publicly disclosing the issue.

I’ve written before that the public cloud can be more secure than on-premise solutions. That still holds true. But no solution offers perfect security, as these incidents demonstrate. Infrastructure-as-a-service gives customers more control over their data. There are government standards for software-as-a-service that private companies can also use to assess the security of a service. PaaS customers usually have less transparency into how the system works than IaaS customers, but more power (and therefore more room for error) than SaaS customers. Although providers should be responsible for customers’ security, Chen notes that customers shouldn’t be helpless when it comes to their own security on platforms:

Take security into your own hands. Users should be responsible for verifying that their providers meet their needs. Ask questions. Ultimately, you are responsible for your app and it’s up to you to find out what your provider really does for your app’s security behind the shallow promises of marketing materials.

That’s a good starting point, but what questions should be asked? If PaaS really is the future, as we’ve predicted, then we’re going to need some good questions.

One particular question to ask is suggested by Chen: how are users’ partitions segmented from each other? Chen writes:

There are two strategies for providers to partition the resources for each user I would like to discuss: virtualization, or operating system/runtime privileges. In the first, each user is provided with a contained copy of what appears to be a complete machine dedicated to their use. In the latter, many users share one machine (which may be virtualized itself). Heroku has chosen the latter approach, though this is likely not apparent to many users.

That’s a good starting point. However, “Have you ever posted your database password in Github?” is probably not going to be a helpful question. There are still going to be slip-ups, and gauging a provider’s reputation and security procedures is going to be increasingly important. What if there were a way for providers to receive certification? A set of best practices for PaaS security, along with an independent auditing organization, could be just the thing the industry and its customers need right now.

Image credit: Bichuas (E. Carton)
