Because Heroku/Salesforce doesn't have real security. Requiring special characters in passwords and sending out emails that have http and not https links to a password reset page. Their security is a joke.
Heroku _used_ to have their own security team which was quite good and had some scary talented people on it. However, over the last 3 years or so Salesforce has been forcing Heroku to adopt Salesforce's operations practices, and this has not only wrecked productivity but completely destroyed morale and caused many, many of those talented people to quit. I for one decided to quit after only working there for around 8 months due to a horrific overreach by Salesforce into Heroku's operations.
Among other things, Salesforce forced us to adopt:
- their internal ticket tracking system, which _runs in an instance of salesforce_ (barf)
- their slack instance, which lost us many of our customizations and broke a bunch of integrations for weeks (I wouldn't be altogether surprised if this was one of the causes of the delay in notifying Herokai as to what was going on)
- their incident management process, which requires us to notify "Salesforce ops HQ" anytime there's an outage that meets certain criteria.
This last one was especially bad, and meant that we no longer had full agency to act during incident response situations. I had one incident I responded to where the problem got worse while we waited for Salesforce IM to spin up, so that we ended up having what would have been a 10 minute outage turn into a 2 hour outage because the issue got out of control.
In short, the problem isn't the people trying to administer Heroku; they're great folks under a lot of pressure with very few resources. The problem is, and has always been, Salesforce's "leadership" deciding what's best for a cloud platform they couldn't give less of a damn about.
At this point, I'm not sure why SFDC even bought Heroku. Is there major overlap between CRM users/buyers (salespeople) and Heroku's users, who are mainly devs, hobbyists and startups (I'm guessing)? Surely they didn't try to buy Heroku to compete with the big 3 cloud providers?
Welcome to the existential question of Heroku from the inside :) No one knew what the point of the product was anymore. My vibe is that SFDC's goal was to use Heroku as their cloud provider for everything, and when that didn't work (more due to lack of focus than technical issues), they tried to shoehorn Heroku into the Salesforce platform as a tack-on feature. It was all very weird, no one knew what we were doing, and everyone was upset about it. I originally joined the org because I was really excited to help the early startup/small business/hobbyist/student sector, and SFDC writ large just did not care about those customers IMO.
I don't want to start a flamewar, but it wasn't an integration; it was a hostile takeover. Heroku was doing just fine without SFDC's interference, and when Salesforce not only refused to believe that employees might have negative opinions about integrating but actively prevented us from speaking up about it, people got rationally angry and left. I remember talking with an architect on the Heroku side about how he felt about all of it, and he told me that it wasn't presented to him as a choice, and senior leadership was convinced that Herokai would see this as a good thing despite his (and others') warnings.