James Randall Musings on software development, business and technology.
DigitalOcean App Platform - Security Concerns
Cloud Security

While recently reviewing my options for hosting a new project (SPA, API, database - pretty stock stuff) I took a good look at DigitalOcean.

With the recent addition of their managed App platform their hosting solution is simple to use, competitively priced, and very appealing for simple apps. I did some basic experimentation and had a dev system running in it for a while and it all seemed pretty good.

However as I looked to deploy a production environment I came across what, to me, is a glaring issue. The App Platform can only communicate with a Managed Database if you disable the “trusted sources” and this means that your database is sat on the public Internet without even an IP restriction in place. If you try and associate an App with a managed database you are given a link to explain how to disable trusted sources. And when you do so you get this sensible warning:

Image

I attempted to engage on Twitter to see if I was missing something and was advised to raise a ticket. I’ve done that and they’ve confirmed this is the case.

Let that sink in a moment: DigitalOcean thought it was ok to launch a platform, designed for ease of use, that contravenes their own otherwise recommended (and very sensible) security practices and requires maanged databases to be sat without even an IP restriction on a public network.

The “workaround” is to deploy using droplets - but, to me, this defeats the point of using such a high level platform.

Addressing this is on the backlog apparently but that this made it to market in this fashion raises, for me at least, all manner of questions about the culture at DigitalOcean in respect to security and rules them out as a vendor I am comfortable hosting my data and systems with.

Terrifying that they are leading people down this path and I wonder just how many databases are sat exposed as a result.

I’ve terminated my own experiments and am deleting my account.

Note: as per the post I’ve reached out on via Twitter and to DigitalOcean to ensure the information is accurate - if anyone at DigitalOcean disagrees I’m easy to get in touch with on Twitter.