Site security & maintenance for a Python app on GAE: Easy?


Tom Campbell

Jun 17, 2015, 4:53:03 PM6/17/15
to google-a...@googlegroups.com
I'm finishing up a web2py app that I will be deploying to paying customers. I am not a great sysadmin.

Seems like GAE is a good choice, because while I follow all web2py best practices I'm always nervous about forgetting to apply a security patch to the OS, or having an apt-get cause unforeseen problems. 

Does GAE free me from these issues? It seems to me I simply need to write to Python 2.7 and update web2py when necessary, and GAE takes care of OS updates, security, etc.

Is that correct or am I oversimplifying?





Nick (Cloud Platform Support)

Jun 17, 2015, 7:54:05 PM6/17/15
to google-a...@googlegroups.com, tomca...@gmail.com
You're generally correct that we keep on top of critical security updates for all components of our infrastructure, including the python runtime that python App Engine uses, and python libraries.

However, some aspects of security are up to you as a developer: for example ensuring that your API only processes requests from valid clients, ensuring that users can only access the data on your app that is meant to be visible to them, ensuring that you don't expose yourself to SQL injection if you use a remote MySQL box for data storage, etc.

Using Endpoints for your API, you can implement client auth, so there are even aspects of the platform that help you do these things in a way that respects best-practices. There's even a beta Security Scanner which is very good.

In general, programming any web app, these issues tend to come up. You'll also have to implement protections against XSS and XSRF, although not from scratch, as there are many great libraries and frameworks out there.

Does this help answer your question? Do you have any more specific questions about security?
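The four developer-side responsibilities listed above (valid clients only, per-user data access, SQL injection when using a remote MySQL box, and XSRF) are concrete enough to show in code. The following is an added example written for this thread, not code from the original posts, from web2py, or from App Engine. It assumes a hypothetical invoices table, uses an in-memory sqlite3 database as a stand-in for the remote MySQL box (the parameter style differs, `?` here versus `%s` in MySQLdb, but the principle is identical), and uses a dict as a stand-in for a server-side session. The row data and API key are constructed for the example.

```python
import hmac
import hashlib
import secrets
import sqlite3

# Constructed sample data standing in for the app's real tables.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO invoices (owner, amount) VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("bob", 75)])
    conn.commit()
    return conn

# 1. SQL injection: the vulnerable form builds the statement from the raw
#    request parameter. An attacker supplying  ' OR '1'='1  reads every row.
def invoices_unsafe(conn, owner):
    sql = "SELECT id, amount FROM invoices WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()

#    The hardened form passes the value as a bound parameter, so the driver
#    never treats user input as SQL. The same payload matches nothing.
def invoices_safe(conn, owner):
    return conn.execute("SELECT id, amount FROM invoices WHERE owner = ?",
                        (owner,)).fetchall()

# 2. Per-user data access: the ownership check is part of the query itself,
#    so a user who guesses another user's invoice id gets None, not the row.
#    (Checking only "does invoice_id exist" would be an IDOR.)
def get_invoice(conn, current_user, invoice_id):
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user)).fetchone()

# 3. Valid clients only: a hypothetical HMAC-signed API request. The client
#    and server share a secret; the server recomputes the MAC over the body
#    and compares in constant time. (Endpoints would do this for you via
#    OAuth/API keys; this shows the minimum a hand-rolled API must do.)
def sign_request(shared_key, body):
    return hmac.new(shared_key, body, hashlib.sha256).hexdigest()

def verify_request(shared_key, body, presented_sig):
    expected = sign_request(shared_key, body)
    return hmac.compare_digest(expected, presented_sig)

# 4. XSRF: a random per-session token is embedded in forms and must be echoed
#    back on state-changing POSTs. A cross-site page cannot read the token,
#    so it cannot forge a valid submission.
def make_csrf_token(session):
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token

def check_csrf(session, submitted):
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1"
    print("unsafe:", invoices_unsafe(conn, payload))   # all three rows leak
    print("safe:  ", invoices_safe(conn, payload))     # []
    print("bob reads alice's invoice:", get_invoice(conn, "bob", 1))  # None
    key = b"constructed-shared-secret"
    sig = sign_request(key, b'{"action":"refund"}')
    print("valid client:", verify_request(key, b'{"action":"refund"}', sig))
    print("tampered body:", verify_request(key, b'{"action":"refund2"}', sig))
    session = {}
    tok = make_csrf_token(session)
    print("csrf ok:", check_csrf(session, tok), "forged:", check_csrf(session, "0" * 32))
```

Note that none of this is something the platform patches for you: App Engine keeps the runtime and libraries current, but the string-formatted query in `invoices_unsafe` is just as exploitable on a fully patched host as on an unpatched one. web2py's DAL and its built-in form tokens cover points 1 and 4 when used as intended; the example makes the underlying checks explicit so you can recognise when code bypasses them.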

Tom Campbell

Jun 17, 2015, 8:24:04 PM6/17/15
to google-a...@googlegroups.com
> However, some aspects of security are up to you as a developer:
Yep, got that part--web2py happens to be super awesome at this stuff and I'm also aware of these issues. 

> Does this help answer your question? Do you have any more specific questions about security?
It all sounds almost too good to be true, thanks. 


Nick (Cloud Platform Support)

Jun 18, 2015, 1:49:13 PM6/18/15
to google-a...@googlegroups.com, tomca...@gmail.com
Sounds good, Tom. If you've got any more specific questions about security, I'd recommend consulting the Google Cloud Security Whitepaper or cloud.google.com/security, as these are much more thorough in their explanation than I could be.

Have a great day