You're generally correct that we keep on top of critical security updates for all components of our infrastructure, including the Python runtime that Python App Engine uses, and Python libraries.
However, some aspects of security are up to you as a developer: for example ensuring that your API only processes requests from valid clients, ensuring that users can only access the data on your app that is meant to be visible to them, ensuring that you don't expose yourself to SQL injection if you use a remote MySQL box for data storage, etc.

Using Endpoints <https://cloud.google.com/appengine/docs/java/endpoints/> for your API, you can implement client auth <https://cloud.google.com/appengine/docs/java/endpoints/auth>, so there are even aspects of the platform that help you do these things in a way that respects best practices. There's even a beta Security Scanner <https://cloud.google.com/tools/security-scanner/> which is very good.

In general, programming any web app, these issues tend to come up. You'll also have to implement protections against XSS and XSRF, although not from scratch, as there are many great libraries and frameworks out there.

Does this help answer your question? Do you have any more specific questions about security?

On Wednesday, June 17, 2015 at 4:53:03 PM UTC-4, Tom Campbell wrote:
>
> I'm finishing up a web2py app that I will be deploying to paying
> customers. I am not a great sysadmin.
>
> Seems like GAE is a good choice, because while I follow all web2py best
> practices I'm always nervous about forgetting to apply a security patch to
> the OS, or having an apt-get cause unforeseen problems.
>
> Does GAE free me from these issues? It seems to me I simply need to write
> to Python 2.7 and update web2py when necessary, and GAE takes care of OS
> updates, security, etc.
>
> Is that correct or am I oversimplifying?
