When it comes to hosting your apps on Heroku, it’s important to consider security. As a Platform-as-a-service (PaaS) provider, Heroku handles many things for you, but it’s important to understand what is done for you on the security front, and what isn’t. There’s a reason that there are security add-ons like Sqreen in the Heroku marketplace after all!
In this post, we’re going to be talking about securing applications on Heroku. We’ll first consider how we should think about security on a PaaS like Heroku before going through three big-impact techniques to apply to your Heroku application.
Why secure your application?
As you’re the type of person who reads articles about security, you clearly aren’t ignorant to how important security is. Nonetheless, let’s take a moment to highlight why application security should be a top priority for you and your company, even when you’re running on a PaaS solution like Heroku.
Security is hard in an ever-changing environment. Not only are new vulnerabilities and attack tactics discovered with some frequency, but each time you push code, you open up the chance for new vulnerabilities. In today’s cloud-first world, the application layer is one of the most targeted and fruitful attack vectors for attackers, which makes application security more relevant than ever. What this means is that security is a journey. The aim is to constantly improve, rather than reach some magical “fully secure” state.
So, I think it’s safe to say that securing your application should be a high priority for you and your business. But I know what you’re thinking: Hey, we’re running on Heroku! They handle most of this for us. Well, kind of. Let’s take a closer look at what security Heroku handles and what you need to deal with yourself.
Security in a PaaS world
Before we dive into the specifics of how you can improve security on your Heroku application, let’s pause to consider where the boundaries of your responsibilities lie. Take a look at the “Separation of Responsibilities” graph at this webpage.
Heroku is a PaaS. This means you carry more responsibility than when using Software-as-a-Service (such as Jira or GitHub) but less than when using Infrastructure-as-a-Service (like AWS or GCP), and far less than when running your own data center. So, with a PaaS, you sit somewhere in the middle in terms of security responsibilities: some areas you can leave to the provider, but others you still need to consider.
With a PaaS setup, you’re not as responsible for topics like network security or ensuring that data is appropriately encrypted in storage. So, you can worry less about those—thanks, Heroku! But if Heroku is helping to deal with those bits, what’s left to deal with?
You still have the responsibility of securing your application. Heroku will ensure that intruders can’t access your infrastructure through a side door, but you need to secure your application so an intruder can’t just walk straight through the front door, proverbially speaking.
So, to ensure that your application is secure, what should you focus on?
Where to start your security efforts?
If we’re focusing on security, it makes sense to work on the highest value—the areas that are most likely to be attacked. Protecting against the OWASP Top 10 is a great place to start when securing your application. Begin by fixing some of the highest probability attack vectors in your application. At a high level, you’ll want to ensure that you protect your application and data from attacks, know when attacks happen, understand what vulnerabilities you have, and know how to remediate them.
With this list in mind, let’s look at three ways you can protect your application from vulnerabilities while on Heroku.
Update your dependencies and monitor against attacks
In many modern applications, it’s common to have many third-party dependencies. In most applications, these third-party libraries make up the majority of your code. This means that one of the largest attack vectors sits outside of your code repository and in a repository belonging to someone else.
To protect yourself from potential vulnerabilities, you can ensure that you’re running the latest and patched versions of these third-party dependencies. Since it’s quite likely that you’re running a lot of them, keeping track of where you’re at with all your dependencies can be hard.
A simple way to manage dependencies is with a tool, such as Sqreen. Depending on your ecosystem and language, there will be a dependency tool out there to automate these checks, identify which dependencies are outdated, and what vulnerabilities you’re exposed to. Check the Heroku marketplace.
Beyond being vigilant against vulnerabilities in your dependencies, it’s smart to protect against attackers exploiting vulnerabilities in your own code or in your dependencies before they get patched. Using automation is a great way to scale your security efforts and to ensure that you can monitor and protect your application in real time. In fact, Heroku has a whole list of security add-ons that you can use for different security efforts, including monitoring and protection tools like Sqreen, which will help you go that extra step with your application security.
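As an added example (not Sqreen's or Heroku's code), here is the core of what a dependency-audit tool does: parse the pinned requirements file the Heroku Python buildpack installs from, compare each pin against a table of known-vulnerable versions, and flag anything left unpinned. The requirements text and the advisory table are constructed sample data with placeholder advisory ids; a real tool pulls advisories from a live feed.

```python
import re

# Constructed sample requirements.txt, the file Heroku's Python buildpack installs from.
REQUIREMENTS = """\
# web stack
Django==2.2.3
requests>=2.20      # unpinned: the installed version depends on build time
PyYAML==5.1
gunicorn==20.1.0
"""

# Constructed advisory table: package -> [(first fixed version, advisory id)].
# Ids are placeholders. Any version below the fixed one is treated as affected.
ADVISORIES = {
    "django": [("2.2.4", "ADV-PLACEHOLDER-1")],
    "pyyaml": [("5.4", "ADV-PLACEHOLDER-2")],
}

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")

def parse_version(v):
    """Split '2.2.3' into (2, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_requirements(text):
    """Yield (normalized name, operator, version) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = REQ_LINE.match(line)
        if m:
            name, op, ver = m.groups()
            yield name.lower().replace("_", "-"), op, ver

def audit(text, advisories=ADVISORIES):
    """Return (name, issue, fixed_in) for every pin below a fix and for every unpinned dependency."""
    findings = []
    for name, op, ver in parse_requirements(text):
        if op != "==":
            findings.append((name, "UNPINNED", None))   # cannot reason about what will be installed
            continue
        for fixed, adv in advisories.get(name, []):
            if parse_version(ver) < parse_version(fixed):
                findings.append((name, adv, fixed))
    return findings

if __name__ == "__main__":
    for name, issue, fixed in audit(REQUIREMENTS):
        print(f"{name}: {issue}" + (f" (upgrade to >= {fixed})" if fixed else ""))
```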
Keep secrets secret
Unless your application is living in isolation, it’s probably connected to other services. And most applications connected to other services require some form of authentication to do so. Typically, authentication is done via some form of key, secret, or password. Whatever the precise method you use, it’s important to ensure that these credentials are not leaked from your application.
To keep your secrets safe, you should encrypt them before you ever store them in version control—or, even better, avoid storing them in version control where possible. Why avoid version control for secrets? Because even private version control isn’t immune from attack. A disgruntled ex-colleague can easily gain access to systems if they retain the code post-employment. And remember that if a secret is leaked in version control, it’s likely still accessible in the history, even if it’s not obvious on the surface.
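The two habits above in code, as an added example that is not Sqreen's or Heroku's own: read credentials from the environment (on Heroku, config vars set with `heroku config:set NAME=value`) and fail fast when one is missing, and scan text before it is committed for credential-looking strings. The sample settings file is constructed; the AWS key in it is the documented AWS example key, not a real credential.

```python
import os
import re

class MissingSecret(RuntimeError):
    """Raised at startup so a misconfigured dyno stops instead of running without a credential."""

def require_secret(name, env=os.environ):
    """Fetch a required secret from config vars; never fall back to a hard-coded default."""
    value = env.get(name)
    if not value:
        raise MissingSecret(f"config var {name} is not set (heroku config:set {name}=...)")
    return value

# Common credential shapes: the AWS access-key prefix, a Postgres URL with an embedded
# password (the DATABASE_URL format Heroku Postgres uses), and a quoted literal assigned
# to a name containing key/secret/password/token.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "database_url_with_password": re.compile(r"postgres(?:ql)?://[^:\s/]+:[^@\s]+@"),
    "hardcoded_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|password|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

def scan_for_secrets(text):
    """Return (line_number, pattern_name) for every line that looks like a leaked credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

# Constructed sample: a settings file the way it should NOT look (except line 4).
SAMPLE_SETTINGS = """\
DEBUG = False
DATABASE_URL = "postgres://app:hunter2hunter2@ec2-placeholder.compute.amazonaws.com:5432/db"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
STRIPE_SECRET = os.environ["STRIPE_SECRET"]   # correct: the value lives in a config var
API_KEY = "placeholder-not-a-real-key-value"
"""

if __name__ == "__main__":
    for lineno, name in scan_for_secrets(SAMPLE_SETTINGS):
        print(f"line {lineno}: possible {name}")
```

Wiring `scan_for_secrets` into a pre-commit hook over the staged diff catches a leak before it lands in history, where the post notes it would otherwise stay retrievable.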
Apply the “principle of least privilege”
On the topic of secrets, you should ensure that your secrets have the smallest access (or privilege) possible. It’s easy to get a bit blasé and grant users or credentials full admin rights. Fiddling with security rules can be a pain—I get it. But large permission grants would be like a dream come true for an attacker.
If an attacker compromises your secrets or keys, you want to keep the “blast radius” (the amount of damage they can cause) to a minimum. You keep the blast radius small by judiciously applying the principle of least privilege to your application boundaries and secrets.
Take a common Heroku example: databases. Do you currently have a database hosted on Heroku? If so, then do all of your developers need full access to the database? And for those that don’t need full access, can you give these developers read-only access? Or perhaps access only to certain environments, such as staging rather than production?
You should question who has access to your different resources and proceed with scrutiny when you delegate power and permissions to individuals or credentials. Ask yourself, “If this credential were compromised, what is the damage that could be caused?” A simple place to start is by locking down your Heroku user access rights.
Keep it secure
That covers the three security practices that you can apply to your Heroku application. I hope this article gave you some insight into ways you can start to lock down your Heroku application.
Because you’re using a PaaS, you do have less responsibility—but that doesn’t mean you should reduce your security diligence. You still need to actively focus on building your applications with security in mind, and protecting them once they hit production. If you take security seriously, you can sleep easy knowing that your application, data, and users are safe.
To start monitoring and protecting your Heroku application from critical and advanced attacks in minutes, try the Sqreen add-on. You can detect attackers early and block attacks in real-time, freeing you up to focus on other concerns.