How secure is my application source code on heroku?

我只是一个虾纸丫 提交于 2021-01-21 06:34:15

问题


I want to migrate my webapp from cloudfoundry to heroku. But there is still one thing i'm confused about.

Everytime you want to deploy your application to heroku, you've to push your source code to their git repository. How secure is this repository? What if i don't want to give my source code into someone others hands?

What's your opinion about that?


回答1:


The Problem

You aren't understanding how interpreted languages or hosting providers work. If you're using an interpreted language like Ruby, you need to have your source on the service platform. Even if your code is compressed, obfuscated, or byte-compiled, it has to be on the service platform to be served up, so this is going to be a problem for you with any language or hosting provider.

You're also not understanding the nature of byte code. A byte code interpreter can read your files. In addition, there are Java decompilers out there to turn byte code back into source code. A search Stack Overflow will show you posts discussing Java decompilers. Unless you think "security through obscurity" is useful, you should probably stop thinking of your byte code as secure in any meaningful way.

The Solutions

  1. Build good software, run a good business, and don't lose sleep worrying about someone copying your for-loops. This is probably your easiest solution.
  2. If you don't trust hosting providers or co-location facilities, then you'll have to host your own files internally. Even then, you'll have to trust someone to maintain the systems, unless you plan to do it all yourself.
  3. Consider some tin-foil haberdashery.

Git repositories on Herku are not public repositories like you'd find on GitHub. It's no less "safe" than transferring your files around by any other means, and certainly more secure than the usual FTP uploads on many service platforms.

Security is always a trade-off. It's definitely important, but unless you've defined a better threat model than general distrust, you won't be able develop adequate controls.




回答2:


It depends

Cause to measure "security" you have to think about possible "risk". Is the investigation of stealing source code from such a platform worth the effort? So, how much value can people get from your source code?

I think nobody was really successful by simply stealing source code. It is more about stealing ideas. To maintain and extend code you have not written is hard. You will need time to get comfortable with the source code (month / years, depending on the code base). Loosing all this time and effort. Experts who learn faster can also start from scratch, maybe they will end up with a better result.

  • Facebook publishes strategies, papers and technological insights. A lot of Facebook copycats are around there, nobody cares.

  • Success with your business it is not only about software. Important parts are the brand loyalty/trust in your product, the user experience and the visible overall success.

  • Why is your source code so special compared to thousands of applications that are running on Heroku. It will be even hard to find your repository between all this nice stuff there. Things that will have success and some that will not, nobody knows.

But, if a few single technical algorithms are your core business (crypto software, graphic driver algorithms,...) and they are simply adoptable, it may be worth to steal it.

data vs. code

Things you can worry about: Where to store sensitive customer information? The most people have a much bigger interest in selling email addresses, phone numbers, names, financial information about your business and your customers. But,... If you have not enough sensible data, you are not interesting. So, does your application contain 100 million Sony Network credit card accounts? ;)

Okay, if the application contain all blueprints, data, secret ideas and designs of the IPhone 5 & 6 it may be also interesting.




回答3:


You are using somebody's service to run your app. There's no way to do that without giving your code to them, no matter what service you use. Even if you forget about the cloud and colocate your own server, it will still be in the hands of the people running your data center.



来源:https://stackoverflow.com/questions/11115918/how-secure-is-my-application-source-code-on-heroku

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!