Hi! Aptible founder here. I wanted to make an important correction here.
Aptible has a built-in Security & Compliance Dashboard [0] that supports compliance automation and reporting (PDF and API exports) for HIPAA, HITRUST and other security frameworks. You can see a demo of the entire platform, including this Dashboard, in our "Aptible in 10 Minutes" video. [1]
You can also integrate Aptible with Vanta, Drata or another compliance automation tool, if you're running the self-hosted version of Aptible that runs in your own AWS account. If you do, you can expect fully passing tests for HIPAA and SOC 2 in Vanta or Drata with zero additional configuration. Most Aptible customers find our built-in dashboard sufficient, and don't feel the need to buy Vanta/Drata separately to ensure HIPAA compliance.
You might want to check us out: https://www.aptible.com/ . We built Aptible as an alternative to Heroku for startups that have more demanding requirements around security, compliance, reliability and scalability. Most of our customers look like yours: fast-growing startups who don't want to dedicate engineering resources to infrastructure.
Features required or useful for SOC 2 (like dedicated networking/load balancing/compute, SAML, granular RBAC) are core parts of the platform. Additional features like host/network IDS, vulnerability scanning and compliance dashboards/reporting are also available, at a much lower price than Heroku Enterprise.
I work at Aptible, another PaaS that follows the same host pattern you describe for providing one-off addresses when someone doesn't want to bring their own domain. The reasons you stated are both valid, along with the fact that a single domain means we don't need to _register_ new domains for every customer app.
Another note: we use `on-aptible.com` for our hosted app domains, separate from `aptible.com` for an important security reason: it is a second line of defense in avoiding cookie/CORS attacks (the first line of defense being setting cookies we control in a single subdomain and avoiding wildcards for CORS).
A related important measure for a PaaS using a single domain for subdomains owned by different accounts is to register that domain on the Public Suffix List [0], which prevents "supercookies" being set across these separately-owned subdomains.
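The cookie-scope rules behind the two points above, as an added example (not Aptible's code): it uses a constructed excerpt of the Public Suffix List in which `on-aptible.com` is assumed to be listed, and the app host names are constructed.

```python
# Added example (not Aptible's code): the cookie-scope rules that make a
# separate, Public-Suffix-Listed app domain a defense against supercookies.
# Assumption: a real check loads the live list from publicsuffix.org; the
# set below is a constructed excerpt with on-aptible.com assumed listed.
DEMO_PSL = frozenset({"com", "on-aptible.com"})


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: host domain-matches cookie_domain when equal to it
    or ending with '.' + cookie_domain (label boundary, not raw suffix)."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def cookie_domain_accepted(request_host: str, cookie_domain: str,
                           psl: frozenset = DEMO_PSL) -> bool:
    """Would a browser keep 'Set-Cookie: ...; Domain=<cookie_domain>' sent by
    request_host as a domain-wide cookie?  RFC 6265 s5.3 gates: Domain must
    not be a public suffix, and request_host must domain-match it."""
    domain = cookie_domain.lower().strip(".")
    if domain in psl:
        return False  # supercookie attempt: browsers drop the Domain attribute
    return domain_matches(request_host, cookie_domain)


def registrable_domain(host: str, psl: frozenset = DEMO_PSL):
    """eTLD+1: one label more than the longest listed suffix; None if host is
    itself a public suffix.  Unlisted TLDs fall back to the PSL's '*' rule."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in psl:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:]) if len(labels) > 1 else None


def isolation_report() -> dict:
    """Constructed scenario: two customer apps on the shared domain and the
    provider's own dashboard host on its separate domain."""
    app1, app2 = "app1.on-aptible.com", "app2.on-aptible.com"
    no_psl = frozenset({"com"})  # counterfactual: on-aptible.com unlisted
    return {
        "supercookie_without_psl": cookie_domain_accepted(app1, "on-aptible.com", no_psl)
        and domain_matches(app2, "on-aptible.com"),
        "supercookie_with_psl": cookie_domain_accepted(app1, "on-aptible.com"),
        "app_keeps_own_cookies": cookie_domain_accepted(app1, app1),
        "dashboard_cookie_reaches_apps": domain_matches(app1, "aptible.com"),
        "apps_share_registrable_domain": registrable_domain(app1) == registrable_domain(app2),
    }
```

Without the PSL entry, a cookie set by one customer app with `Domain=on-aptible.com` would be sent to every other customer's app; with it, browsers reject that scope, and the dashboard's `aptible.com` cookies never domain-match an `on-aptible.com` host at all.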
It's possible for a PaaS to improve your security posture by implementing many of the security controls you'd otherwise be responsible for yourself. Every PaaS provider has a Shared Responsibility Model, like this one from AWS [0], and a good PaaS can eat up much of what would otherwise be your responsibility as an AWS customer: network architecture, secure configuration, IAM, system access (and auditing), intrusion detection, etc.
On the other hand, many PaaS providers obfuscate their security implementation, and ultimately your data could be compromised by their mistakes. Things you should look for when evaluating PaaS providers:
- How are resources, networks, etc. separated/isolated per customer?
- What are YOUR security responsibilities on the platform?
- How transparent is the provider about their security controls? Do they have security whitepapers, SOC 2 reports, etc. that are transparent and legit? Better yet, can they prove to you in the product how security controls are being implemented?
Disclaimer: I'm the CEO and founder of Aptible [1], a PaaS specifically built to meet and prove security requirements for companies in regulated/high-compliance environments.
I have a question about endpoints. It seems like you guys charge per endpoint. I don't quite understand this. So if I'm developing an API-only application, every API endpoint I develop in my application will be charged? And for Aptible to keep track, would I have to register each endpoint I develop?
If my application was just serving dynamic HTML pages, I wouldn't be charged per URL of my application, right? So why would I be charged per API endpoint?
EDIT:
Another question. Do you guys offer any SSO solutions? If not, if I used say Auth0 for authentication, are there any issues with integrating with Aptible?
"Endpoints" on Aptible are load balancers. So you would pay for each load balancer your API needs (usually just 1), not every API endpoint. Thanks for the feedback on that — we will update the language to be clear that these are load balancers, not API endpoints.
We don't provide a solution for implementing SSO in your own application, but many of our customers do integrate with Auth0 without issue. For your own team's access _to Aptible_, we offer SSO through SAML integration with any provider (Google, Okta): https://deploy-docs.aptible.com/docs/sso
Another question. I tried looking for the answer on the website, but couldn't find it. Is it possible to use my own AWS account and integrate it with Aptible or does Aptible provide their AWS assets for my use? The former would be ideal for us as we would like to own (more accurately, rent them ourselves) all of our AWS assets and just have someone like Aptible help us to manage them.
Aptible hosts (and pays for) AWS resources on your behalf, similar to Heroku/Render/Railway. Last year, we built support for integrating Aptible into your own AWS account, but only a handful of existing customers are currently using that, and it's not available in the product by default. I'd be interested to learn why you prefer this model. If you're willing to chat about it, my email is in my profile.
Alternatively, have you checked out other PaaS-in-your-own-IaaS solutions like:
(Founder of Aptible, a Heroku-like PaaS focused on security and compliance)
> dev teams face limits on what they can build securely, platform teams face limits on what secure by default and monitoring features they have time to implement, security operations teams have a lot of data points to look at, and in theory even changes in personnel in a couple of teams can have an impact on the threat posture for a given set of a company.
I couldn't agree more. It's too bad, because I believe most companies should be solving this by building on a battle-tested platform that provides a safe path for devs. In theory, platforms like Heroku improve cloud security by reducing margin for error. In practice though (as we're seeing), these platforms can introduce new security vulnerabilities in the layer they introduce on top of IaaS.
I also very much appreciate your comment about having a better way to evaluate the security of platforms without relying on public breach reports, or implicitly trusting what platforms say. I think the best thing is for platforms to be 100% transparent in how they implement security, namely by:
1. Running alongside IaaS services instead of layering a black box on top of them (coordinating, not fully abstracting)
2. Providing clear accountability for security defaults: every security default enforced by the platform should be represented in a validation that end users can view (if not alter)
That's how most of our customers use Aptible, yes. That said, we currently have our first customers running Aptible as an integration with AWS, and we believe this will be the most popular way to use Aptible in the future.
With this new product model, you integrate Aptible with your AWS account, and we provide functionality to provision high-level constructs like apps and databases that simply set up and coordinate AWS services like ECS, EKS, RDS, etc. Aptible only needs permission to write to a set of SQS queues in your account. To make sure things stay compliant, we set up AWS Config checks for every security control relevant to your chosen compliance framework(s), and maintain a set of managed IAM roles that you can assign to your dev team to ensure least-privilege access without having to constantly update IAM.
Aptible (YC S14) | https://aptible.com/ | REMOTE (PT through ET Time Zones) | Marketing, DevRel, and additional opportunities
For developers at high growth companies who want to focus on building products and shipping code, Aptible automates the security of resources across their entire cloud infrastructure. Our platform as a service is used by thousands of developers, especially those at digital health startups, to ship complex architectures without needing to stop and think about security, compliance, or IaaS best practices.
Aptible founder here. Since you mentioned compliance: Aptible is a PaaS focused on enabling cloud deployments that meet rigorous security and compliance benchmarks (HIPAA, HITRUST, SOC 2, ISO 27001, FedRAMP, etc.)
We're not directly competitive with Render but our solution is similar — we support turnkey app deployment, PostgreSQL, Redis and other OSS databases. Our focus is on the problem of simplifying compliance in the cloud. We're also building a self-hosted SaaS version of our product for companies who want the benefits of PaaS but direct access to their AWS/GCP/Azure infrastructure as well.
Aptible (YC S14) | https://aptible.com | REMOTE (PT through ET Timezones) | Senior to Principal Software Engineer
Aptible helps create a more trustworthy internet by improving data security and compliance. We make it simple for modern businesses to manage compliance so that they can build customer trust.
- Deploy Engineer: https://boards.greenhouse.io/aptible/jobs/4000574004
Tech stack: Primarily Ruby, Ember, Postgres, Docker, and AWS (although we both use and support a wide range of other languages and tools)
Aptible (YC S14) | https://aptible.com/ | REMOTE (PT through ET Time Zones) | Engineering, Product, and additional opportunities
Aptible helps create a more trustworthy internet by improving data security and compliance. We make it simple for modern businesses to manage compliance so that they can build customer trust.
Open Roles: Lead Application Security Engineer, Senior Software Engineer, Service Reliability Engineer, Senior Product Manager, and more. All roles listed here: https://boards.greenhouse.io/aptible
Aptible (YC S14) | https://aptible.com/ | REMOTE (PT through ET Time Zones) | Engineering, Product, and additional opportunities
Aptible helps create a more trustworthy internet by improving data security and compliance. We make it simple for modern businesses to manage compliance so that they can build customer trust.
If you're interested, apply directly through our website: https://aptible.com/company/careers. Or feel free to email Recruiting at careers@aptible.com!
[0] https://www.aptible.com/docs/intro-compliance-dashboard
[1] https://www.youtube.com/watch?v=mhNzGO9KbWY