All posts tagged with security


We are thrilled to announce that Apache Kafka on Heroku Shield is now generally available and certified for handling PHI, PII, and HIPAA-compliant data. Our newest managed data service unifies Heroku Shield, a set of Heroku platform services that offer additional security features needed for building high compliance applications, with Apache Kafka on Heroku, our fully-managed service based on the leading open-source solution for handling event streams.

Organizations of all sizes face relentless pressure to bring better apps and experiences to market, and those with a strong focus on data security like Health and Life Sciences (HLS) organizations need to balance safety and agility. Their...

There are many reasons to choose Heroku Data services, but keeping the services you use secure and up-to-date rank near the top. This foundation of trust is the most important commitment we make to our customers, and frequent and timely maintenances are one way we deliver on this promise.

We do everything we can to minimize downtime, which is typically between 10 – 60 seconds per maintenance. There are ways for you to minimize disruption too (see the tips and tricks below). The rest of the post explains how we think about Heroku Data maintenances, how we perform them, and when we perform them.

An Ounce of Prevention...

Hackers exploit known but unpatched vulnerabilities or out-of-date...

There’s obviously more to security than humans, technology, and vendors with all of their implementations and expertise. At Heroku we believe that security is a byproduct of excellence in engineering.

All too often, software is written solely with the happy path in mind, and security assurances of that software has its own dangerous assumptions. A mature security program should challenge assumptions of security controls, move to testing continuously, and prepare for the unexpectable.

This means asking hard questions about the bigger picture. Think bigger than the development lifecycle, backing away from the fixations of confirming effective corrections and remediations. This means taking...

This blog post is adapted from a talk given by Joe Kutner at Devoxx 2018 titled "10 Mistakes Hackers Want You to Make."

Building self-defending applications and services is no longer aspirational--it’s required. Applying security patches, handling passwords correctly, sanitizing inputs, and properly encoding output is now table stakes. Our attackers keep getting better, and so must we.

In this blog post, we'll take a look at several commonly overlooked ways to secure your web apps. Many of the examples provided will be specific to Java, but any modern programming language will have equivalent tactics.

1. Ensure dependencies are up-to-date

Every year, OWASP, a group of...

Today we're excited to announce Site-to-Site Virtual Private Network (VPN) support for Heroku Private Spaces. Heroku customers can now establish secure, site-to-site IPsec connections between Private Spaces on Heroku and their offices, datacenters and deployments on non-AWS clouds.

VPN is a powerful, proven and widely-adopted technology for securely combining multiple networks (or adding individual hosts to a network) over encrypted links that span the public Internet. VPN is well-understood and in use by most enterprise IT departments, and is supported on all major cloud providers and by a range of hardware and software-based systems.

Browse the blog archives or subscribe to the full-text feed.