How secure is my application source code on heroku?

I want to migrate my webapp from cloudfoundry to heroku. But there is still one thing I'm confused about.

Every time you want to deploy your application to heroku, you have to push your source code to their git repository. How secure is this repository? What if I don't want to give my source code into someone else's hands?

What's your opinion about that?

whitenexx asked Jun 20 '12 08:06



2 Answers

The Problem

You aren't understanding how interpreted languages or hosting providers work. If you're using an interpreted language like Ruby, you need to have your source on the service platform. Even if your code is compressed, obfuscated, or byte-compiled, it has to be on the service platform to be served up, so this is going to be a problem for you with any language or hosting provider.

You're also not understanding the nature of byte code. A byte code interpreter can read your files. In addition, there are Java decompilers out there to turn byte code back into source code. A search of Stack Overflow will show you posts discussing Java decompilers. Unless you think "security through obscurity" is useful, you should probably stop thinking of your byte code as secure in any meaningful way.

The Solutions

  1. Build good software, run a good business, and don't lose sleep worrying about someone copying your for-loops. This is probably your easiest solution.
  2. If you don't trust hosting providers or co-location facilities, then you'll have to host your own files internally. Even then, you'll have to trust someone to maintain the systems, unless you plan to do it all yourself.
  3. Consider some tin-foil haberdashery.

Git repositories on Heroku are not public repositories like you'd find on GitHub. It's no less "safe" than transferring your files around by any other means, and certainly more secure than the usual FTP uploads on many service platforms.

Security is always a trade-off. It's definitely important, but unless you've defined a better threat model than general distrust, you won't be able to develop adequate controls.

Todd A. Jacobs answered Oct 08 '22 10:10
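
The point in the answer above about byte code is easy to check for yourself. The following is an added example, not code from the question or either answer: it byte-compiles a small constructed module (APP_SOURCE, with a made-up credential) the way CPython writes the body of a .pyc, throws the source away, and then recovers the function names, string constants and numbers straight from the serialised code objects, plus a full disassembly. Python is used because it runs anywhere; the same holds for Ruby instruction sequences and Java class files, since the interpreter must be able to read everything it executes.

```python
import dis
import io
import marshal
import types

# Constructed sample application source (not real code from the page): a
# hard-coded credential of the kind people hope byte-compilation will hide.
APP_SOURCE = '''
API_KEY = "sk_live_EXAMPLE_not_a_real_key"

def connect(host):
    return "https://" + host + "/v1?key=" + API_KEY

def price(qty):
    return qty * 42
'''


def build_bytecode(source, filename="app.py"):
    """Compile source and serialise it like the body of a .pyc file.

    Returns opaque bytes: what a 'byte-compiled only' deployment would ship
    to the hosting provider instead of the .py source.
    """
    code = compile(source, filename, "exec")
    return marshal.dumps(code)


def walk_code(code):
    """Yield a code object and, recursively, every nested code object in it."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def recover_from_bytecode(blob):
    """Load the serialised bytecode and pull out what the interpreter must keep
    in order to run it: function names and every string/numeric constant.
    No source file is needed for any of this."""
    top = marshal.loads(blob)
    names, strings, numbers = [], [], []
    for code in walk_code(top):
        if code.co_name != "<module>":
            names.append(code.co_name)
        for const in code.co_consts:
            if isinstance(const, str):
                strings.append(const)
            elif isinstance(const, (int, float)) and not isinstance(const, bool):
                numbers.append(const)
    return {"functions": names, "strings": strings, "numbers": numbers}


def disassemble(blob):
    """Human-readable listing of the whole module, including nested functions:
    the first step any decompiler takes."""
    out = io.StringIO()
    dis.dis(marshal.loads(blob), file=out)
    return out.getvalue()


if __name__ == "__main__":
    blob = build_bytecode(APP_SOURCE)
    print("recovered:", recover_from_bytecode(blob))
    print(disassemble(blob))
```

Note that marshal output is specific to the Python version that produced it, so a real .pyc also carries a 16-byte header; the recovery step works identically once that header is skipped. The takeaway for the original question is that whatever you push, the platform can read it, so treat credentials in code as exposed regardless of how the code is packaged.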


It depends

Because to measure "security" you have to think about possible "risk". Is the effort of stealing source code from such a platform worth it? So, how much value can people get from your source code?

I think nobody was really successful by simply stealing source code. It is more about stealing ideas. To maintain and extend code you have not written is hard. You will need time to get comfortable with the source code (months or years, depending on the code base), losing all this time and effort. Experts who learn faster can also start from scratch; maybe they will end up with a better result.

  • Facebook publishes strategies, papers and technological insights. A lot of Facebook copycats are around there, nobody cares.

  • Success with your business is not only about software. Important parts are the brand loyalty/trust in your product, the user experience and the visible overall success.

  • Why is your source code so special compared to the thousands of applications that are running on Heroku? It will even be hard to find your repository among all the nice stuff there. Some things will have success and some will not; nobody knows.

But, if a few single technical algorithms are your core business (crypto software, graphic driver algorithms, ...) and they are easy to adopt, it may be worth stealing them.

data vs. code

Things you can worry about: Where to store sensitive customer information? Most people have a much bigger interest in selling email addresses, phone numbers, names, and financial information about your business and your customers. But... if you don't have enough sensitive data, you are not interesting. So, does your application contain 100 million Sony Network credit card accounts? ;)

Okay, if the application contains all blueprints, data, secret ideas and designs of the iPhone 5 & 6, it may also be interesting.

Martin K. answered Oct 08 '22 08:10