[hobbescotch]

Speaking for myself, the issue is that I don’t know enough about devops/security to go barebones (esp if for a side project accepting payments w/ sensitive data). It’s of course dead simple to set up a server barebones, but to do it in a way for a service open to the internet with uptime requirements requires more specialization of knowledge these days.

[TekMol]

OS level security? What does a service like Heroku even offer in this regard?

You can turn on autoupdates or run "apt update && apt upgrade" regularely. If an OS level exploit slips through that, you will probably be affected no matter where you are hosting.

But OS level exploits are super rare. The problem is usually your application. And Heroku and Co cannot guard you against those problems.

I'm not sure what you mean by setting up a server "in a way for a service open to the internet". "apt install php" gives you pretty much all you need. And it is ready for the open internet.

[fartcannon]

It's crazy how the cloud companies/Windows/Apple have encouraged modern developers to be scared of running apt update/upgrade.

Can marketing cause learned helplessness?

[brodsky]

This has nothing to do with the companies you mentioned, and everything to do with the emergence and acceptance of DevOps/SRE best-practices over the last decade or so, which can hardly be reduced to an occasional `apt update`. There is a saying how "The building codes are written in blood". this translates quite well to modern software development lifecycle. It takes a non-trivial amount of work to maintain an internet-facing system in a secure, fault-tolerant, and scalable fashion, especially when e-commerce comes into play. At least if it's anything more serious than a toy project page or "brochureware". And modern developers don't want to deal with this toil - it's a solved problem at this point - they want to code features and build products, and it's wonderful that platforms exist that enable them to do so without having to lose sleep over the CVE du-jour.

[fartcannon]

It's just websites.

[tyingq]

Heroku does isolate the application somewhat. You would have to add some amount of itables configuration, ssh setup, web server config, "don't run everything as root", and so on to your list. All doable of course, but there's a reason people pay for things like heroku.

[TekMol]

You don't have to do any of those security wise.

On a plain Debian installation, do "apt install php", throw your files into /var/www/html/ and your application is up and running in a secure fashion.

[christophilus]

You do need to at least: set up automatic security patching (a one-line command), turn off password authentication, disable root, and probably run ufw or something. It’s not hard, but it is slightly more effort than Heroku.

[D13Fd]

The hard part is making sure this random list of things I found on the internet is sufficient to keep the site secure, and taking the blame if it turns out not to be.

[Handytinge]

As opposed to trusting the random black box company on the internet? Don't you take the blame still for picking a company whose product you are unable to do due diligence on?

[tyingq]

The OP wanted updates to happen in some automated fashion from a git repo. Also, didn't say specifically, but I'm guessing they wanted https and certificates.

[slowwriter]

Indeed. Besides GitHub integration, Automatic Certificate Management (ACM) is actually a feature I really appreciate on Heroku. Some might describe it as glorified Let’s Encrypt but nonetheless I appreciate things like that just working out of the box

[nojs]

This comment is kind of ironic given that the recent Heroku breach presumably triggered the OP’s question :)

[christophilus]

There’s an added advantage to running your own server or VM. Heroku is a big, juicy attack target. Your little side project is not. If you take the basic precautions, your VPS will probably be just fine unless you become super successful and a juicy target in your own right.

[kasey_junk]

The security history of VPS’ don’t lend much credibility to your argument. It was a running gag for awhile how frequently Linode was getting owned up (they may be great now this was a while ago).

[christophilus]

Yeah, I don’t run the provider’s software on my VPSs, so it’s mostly a non-issue, especially if you encrypt your disks.