All posts tagged with security


The Public Cloud Security (PCS) group at Salesforce partners very closely with Heroku engineering to review and advise on new product features across the platform, from infrastructure to applications. One of the most rewarding aspects about this partnership and working on this team for me is when we not only identify security concerns, but take an active role in building safe solutions.

Heroku recently announced support for Active Storage in Rails 5.2, which introduces the ability to generate previews of PDFs and videos. As a security engineer, hearing about a new feature in a product that automatically parses media files definitely grabbed my attention. This post takes a look at...

At Heroku we consistently monitor vulnerability feeds for new issues. Once a new vulnerability drops, we jump into action to triage and determine how our platform and customers may be affected. Part of this process involves evaluating possible attack scenarios not included in the original vulnerability report. We also spend time looking for "adjacent" and similar bugs in other products. The following Ruby vulnerability was identified during this process.

Vulnerability Triage

A vulnerability, CVE-2017-8817, was identified in libcurl. The FTP function contained an out of bounds read when processing wildcards. As soon as the vulnerability was made public, we went through our...

Containers, specifically Docker, are all the rage. Most DevOps setups feature Docker somewhere in the CI pipeline. This likely means that any build environment you look at, will be using a container solution such as Docker. These build environments need to take untrusted user-supplied code and execute it. It makes sense to try and securely containerize this to minimize risk.

In this post, we’re going to explore how a small misconfiguration in a build environment can create a severe security risk.

It's important to note that this post does not describe any inherent vulnerability in Heroku, Docker, AWS CodeBuild, or containers in general, but discusses a misconfiguration issue that was...

Observatory by Mozilla helps websites by teaching developers, system administrators, and security professionals how to configure their sites safely and securely.

Let's take a look at the scores Observatory gives for a fairly straightforward Static Buildpack app, https://2017.keeprubyweird.com.

Test Scores

Test Pass Score Explanation
Content Security Policy -25 Content Security Policy (CSP) header not implemented
Cookies 0 No cookies detected
Cross-origin Resource Sharing 0 Content is not visible via cross-origin resource sharing (CORS) files or headers
HTTP Public Key Pinning 0 HTTP Public Key Pinning (HPKP) header not implemented (optional)
HTTP Strict Transport...

UPDATE: Friday, January 5 19:07 PST

As of 13:30 PST, AWS completed their patch deployment addressing tenant isolation threats. AWS reports they have restored the expected multi-tenancy protections similar to dedicated hardware, which leaves Heroku to address the kernel vulnerabilities in runtime host operating systems.

Heroku Performance, Private, and Shield dynos feature varying degrees of isolation from potentially hostile neighbors. However, the shared Common Runtime carries our highest priority for Meltdown (variant 3) mitigation work due to the nature of its shared infrastructure.

The ideal fix is to deploy the updated kernel from Canonical prior to the release of functional...

Browse the blog archives or subscribe to the full-text feed.