@marktuff Anybody chime in on this yet? I just realized my privacy roles were wide open and have tried to lock them down but would like to check in with an expert.
@cococubmobileapps, not yet! Perhaps with our bumping this thread we’ll be fortunate that someone with expert knowledge can chime in!
@marktuff @cococubmobileapps When you have data API exposed for specific data types, it is visible to users based on the privacy roles defined for that data type. If you have a condition like ‘current user is logged in’ for ‘Contact Us’, all logged in users can see that data type.
Hello!
Is this still the best post on security? I have an enterprise customer asking some pretty generic questions but want to make sure I answer them accurately.
When you and @josh and the team work on the security documentation, can you please please please include screenshot examples for an example app?
For example the 3 answers you gave above are still not understandable to me without you using actual data examples from a real example app with actual screenshots. Everyone learns differently and I don’t get things unless there are real life examples in pictures and using real data examples. Because of this, these 3 answers don’t mean anything to me.
I know I can’t be the only visual learner in the forum…
Very useful. You are awesome.
@josh - one-way hashing is great, but what hashing function do you use? bcrypt, scrypt, pbkdf2, argon2id? Hashed passwords could still be attacked via the login form.
Are you considering improving the privacy conditions? Right now, if the app is somehow complex, and needs pivot tables to link Things, it is not possible to use privacy conditions.
The way the privacy conditions are designed now are for in-table lists, where you can look up the lists (or the fields within the table), but if the data to grant/block access is in a pivot table, then it’s not possible to use the privacy settings.
Or am I missing something?
Thanks!
Hello,
I have a similar question.
I’m not sure if that’s possible, but it would be great if we will be able to make a kind of limited searches. For example, Do a search for Things (with constraints): count > 0.
Right now, I find myself duplicating data everywhere so I can actually use the Privacy rules.
It’s also hard to know when Privacy rules are preventing you from seeing data. I wonder if there’s a good way to know when privacy rules are being applied (perhaps in the console panel?)
Hello Guys…just signed up to come and take a look. Early views are…
The platform isn’t as easy to grasp as I thought. There is still a learning curve to understand it.
The security issues are a huge hurdle for me. I could only ever use bubble to build a concept. It simply isn’t secure enough for me to trust storing data in it - and I have to say - after all the time since this thread started, still no sight of a document that clearly outlines the standards and methods to secure data is not good. In 2020 a user would be hung out to try for a data breach. It looks like some are drawing a distinction on the ‘level’ of data security dependent on what it is used for. I don’t see that kind of distinction in GDPR for example. Twitter would be hung out to dry just as much as HSBC if it had a data breach exposing its Euro users to harm. So, for me, data security is a must and this will hold Bubble back until all aspects of data security and the workflow to control it is clearly - very clearly - laid out. Until then it seems as though there is an element of buck passing that when you provide the tools to ‘write’ the code (be it through visualisation or otherwise) you have to take responsibility for how it is used and implemented if you don’t provide clear direction to secure the most effective security principles. So, for me, I can’t use it until the methods for ensuring security and privacy are laid out very clearly.
Hi, first thakn you @josh and all the community for explaining all these terms.
I am currently in the process of creating an app that helps hotels manage their pool and the sitting of guests around the pool.
My potential clients, hotels executives, are asking me to provide security process because their clients, hotel guests, are giving out sensitive information that is collected by my app, such as phone number and name.
They say my company has access to this sensitive data and since I am a third party company to them, I need to provide security process to ensure the data collection is safe and data is not being used by my company and belongs to them as primary users of the app.
I am not really sure what they mean by “provide them with security process” regarding the data. Is there anyone that has experience regarding sensitive data collection as a third party company ?
Thank you for your help.
OK, so @josh ‘s FAQ was three years ago. Since then, Bubble has had a funding event and resources are now available to give us MUCH MORE DOCUMENTATION about security practices. I’m trying to sell my application (Prograds.com) to universities. I try to explain that Bubble is a PaaS and handles security according to industry standards with tools on its AWS infrastructure. But here’s the kind of answer I get:
" For your data-in-transit, do utilize TLS 1.1 or greater?
Under the ‘Firewalls, IDS, IPS, and Networking’ section, these questions are meant to be answered for your administration of Cloud application security. While Bubble are your Cloud host, I do not know what kind of AWS subscription you have from them (PaaS, IaaS, EC2, etc.). Typically, security administration, such as WAFs, SPIs, IDS/IPS, is left to application owners. Can you explain what subscription you have with Bubble and what kind of security is in place on your customer’s instances’ data?"
So I CAN’T SELL MY AMAZING APPLICATION to these customers unless I get better documentation from Bubble. Surely it’s not too much to ask and Bubble’s customers need this to succeed with their SaaS businesses built on Bubble. If Bubble can’t provide this, we should make it clear to prospective bubblers that B2G(overnment) is impossible. It’s basically a non-starter to try to sell a Bubble SaaS application to any mature business or public institution because we can’t give them straight answers about what network security measures are in place. It’s not productive for Bubble to say that it’s more secure than running a traditional coded app on AWS; that may be true but it won’t help me sell this to the universities I need to buy my application.
PLEASE @josh and @emmanuel, let’s get something written up for people like me to use.
Fred Cutler
founder, Prograds
What I get from this whole post is this -
Your user’s data is secure but if you really want to you can see all their data yourself. Is this really acceptable?
This recent post helps fill in a few gaps