by pid-1 1490 days ago
I don't use Heroku, nor Render, and I definitely think anyone using Heroku should be moving out, but...

Do you have any evidence Render actually takes security seriously?

Not shitting on their platform, I actually never used it, I just think as an industry we should be way past the point we trust platforms by default.

I asked about this too. Everyone meme'ing these alt platforms essentially assumes they are safer than Heroku by virtue of the fact that Heroku had a pretty severe incident. I haven't actually seen these platforms prove that they're safer than Heroku, they could be as bad or worse in security.

I wouldn't move off of Heroku because of the incident. I would move off of them because of their response to the incident.

They plainly lied. Responses take weeks and are very incomplete. They have so few people they can't possibly run a secure, stable system anymore. They don't have a plan or backing from sfdc to get back to a solid foundation.

I can't speak to competitors but I can say with certainty that Heroku is simply not an option for you anymore. Whether that means you use another PaaS or fire up an EC2 instance yourself you must move away at this point.

I had to switch from Render to Heroku a year or so ago because Render had no security documentation at all. I asked them about it at the time and was told security docs were perhaps six months out. There's still none, so it's clear that demonstrating security is not something that's a priority.

I agree we haven't focused on demonstrating security, but obviously, internally, we are quite paranoid about it. Still, this comment is well-deserved because as much as we'd like them to, our customers can't simply read our minds.
Update: we now have https://render.com/security

> I just think as an industry we should be way past the point we trust platforms by default.

That's a great point and I fully agree.

I'm struggling to come up with reliable ways of checking security of the companies I'm not familiar with. It's not like I can rely on their landing page. And they are likely not on the market long enough to see how they responded to past security incidents.

The only thing I can think of is checking how they handle registration and logins - but it's not that strong of a signal anyway. Does anyone have other ideas?

(Render founder) Security and uptime are the only two existential threats to Render, so you can imagine we lose enough sleep over it. We regularly fill out security questionnaires that lead to successful migrations. Still, we can do a better job explaining and documenting our security posture publicly.