These are things Sandstorm mitigated even before the vulnerability was reported, much less patched! The magic solution is fine-grained containerization, meaning every document goes in its own container and Sandstorm (the platform) manages access control to containers.
(It's funny how many people initially react to this idea with something like: "How is that not obviously wrong?" Guess what? It works. And no, it's not inefficient -- our managed hosting service runs a healthy profit margin.)
Yea, reading your page detailing the CVEs, you show that all reported grade 6 or higher CVEs against Wordpress in 2014-2015 were not ever exploitable against the Sandstorm hosted app. Of course, it's just a static page reflection, so that certainly helps your attack surface!
But I 100% agree with your premise: providing dependable security (even at a reduced functional footprint) is a key deliverable for Sandstorm and adds tremendous value to the platform. I assume you have found that adoption is hindered significantly by people "nervous" to try it? The premise is that if you can make Sandstorm feel more safe, easy, and reliable, it could become mainstream. So security benefits are a huge bonus.
It also looks like the Sandstorm authentication design has really paid off. I think it's part of the initial complexity of evaluating your system, which is unfortunate, but it's great to see it providing real-world protection for a lot of your apps.
Yeah... Honestly Wordpress is my least-favorite example because it's the one case where the Sandstorm version of the app has significant features removed (namely, the ability to post comments). This is why we push it to the bottom of the app market, despite being a popular app. However, as noted in the document, we could produce a version of Wordpress on Sandstorm which has comments and is still just as secure. It's just that we'd need to spend some engineering time on it, and there are so many Wordpress hosting services out there that I just don't feel like it's the most valuable use of our limited resources. :/
For apps like Etherpad, on the other hand, Sandstorm has blocked several serious security vulnerabilities with zero loss in functionality -- in fact, Etherpad on Sandstorm has more robust sharing / access control than Etherpad stand-alone. :)
I see you have an App Market -- is anyone selling apps for Sandstorm, or are they all free? If there was a way to monetize, I'm surprised someone wouldn't invest the time to make Wordpress support comments and then sell it on your market?
To me this is a really interesting monetization model... can a few small developers write a Sandstorm app which potentially 1M+ users could one day be deploying and self hosting, while charging some nominal annual fee to fund the development?
When I saw the YC W16 startup on the front page a few days ago selling the pretty box to enterprises who wanted to self-host, first thing I thought of was Sandstorm. Why sell hardware? You are making the platform which makes managing the apps possible for 90% of businesses, that has to be where the value is.
We plan to support paid apps at some point (more precisely, in-app purchases, which my friends who worked on Android say is far more effective than paying for the apps themselves), but haven't gotten there yet.
> (It's funny how many people initially react to this idea with something like: "How is that not obviously wrong?" Guess what? It works. And no, it's not inefficient -- our managed hosting service runs a healthy profit margin.)
It's natural to wonder why everyone isn't doing it, if it's this easy. Or where the innovative part lies. Whenever someone claims a major advance, some skepticism is probably correct.
Abstracting the storage/object model of a program as in Cap'n Proto is the new advance, though Cap'n Proto's security model isn't fully innovative -- it's based on object capabilities, which have been around since the 70s, and this particular model since the 90s in the E programming language. The isolation properties of capabilities have been well understood for quite some time.
Sandstorm just took this well-understood security model and the innovative storage abstraction and applied it to any language with Cap'n Proto bindings. Pretty cool.
The reason most people aren't doing it is because most people don't really understand capability security, despite its simplicity. They've been raised and trained in the access control list model, and it's deeply ingrained at this point.
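The ACL-versus-capability distinction discussed in the comment above, as an added example that is not from the thread and not Sandstorm's or Cap'n Proto's code: a small Python simulation of a multi-tenant app with an insecure-direct-object-reference bug (a request handler that trusts a document id from the request), run under each model. The class and function names (AclStore, Grain, ReadOnlyDocument, run_idor_scenario, attenuation_demo), the "appserver" principal, and the sample documents are all constructed for illustration.

```python
"""Access-control-list vs object-capability access, as a small simulation.

ACL side: a central table maps (principal, doc_id) -> rights, and code
names documents by a global id. A multi-tenant app server is one
principal holding rights to every document it hosts, so an app bug that
lets a request name an arbitrary id reaches every tenant's data.

Capability side: a document is reachable only through a reference you
were handed. Each tenant's app instance (a "grain", in Sandstorm's
terms) is started holding only its own documents, so the same buggy
request handler has nothing else it could possibly name.
"""


# ---------- ACL model: authority is looked up by name ----------
class AclStore:
    def __init__(self):
        self._docs = {}
        self._acl = {}  # (principal, doc_id) -> set of rights

    def create(self, principal, doc_id, text):
        self._docs[doc_id] = text
        self._acl[(principal, doc_id)] = {"read", "write"}

    def grant(self, principal, doc_id, rights):
        self._acl.setdefault((principal, doc_id), set()).update(rights)

    def read(self, principal, doc_id):
        if "read" not in self._acl.get((principal, doc_id), ()):
            raise PermissionError(f"{principal} may not read {doc_id}")
        return self._docs[doc_id]


def acl_app_handler(store, server_principal, requested_id):
    """Buggy multi-tenant handler: trusts the id from the request and
    reads it with the server's own (ambient) authority."""
    return store.read(server_principal, requested_id)


# ---------- Object-capability model: authority is the reference ----------
class Document:
    def __init__(self, text):
        self._text = text

    def read(self):
        return self._text

    def write(self, text):
        self._text = text


class ReadOnlyDocument:
    """Attenuation: wraps a Document but exposes only read()."""
    def __init__(self, doc):
        self._doc = doc

    def read(self):
        return self._doc.read()


class Grain:
    """A per-document app instance. It holds the capabilities it was
    started with and nothing else; there is no global store to consult."""
    def __init__(self, caps):
        self._caps = dict(caps)

    def handle(self, requested_id):
        """Same buggy logic as acl_app_handler: trusts the request's id."""
        cap = self._caps.get(requested_id)
        if cap is None:
            raise PermissionError(f"grain holds no capability named {requested_id}")
        return cap.read()


def run_idor_scenario():
    """Bob's request names Alice's document under each model. Returns the
    leaked text for ACL and the exception class name for capabilities."""
    # Constructed sample data (not real documents).
    store = AclStore()
    store.create("alice", "doc-alice", "alice's draft")
    store.create("bob", "doc-bob", "bob's notes")
    for doc_id in ("doc-alice", "doc-bob"):
        # The shared app server is authorized for every hosted document.
        store.grant("appserver", doc_id, {"read", "write"})
    acl_result = acl_app_handler(store, "appserver", "doc-alice")

    Document("alice's draft")  # exists elsewhere; never handed to Bob's grain
    bob_grain = Grain({"doc-bob": Document("bob's notes")})
    try:
        cap_result = bob_grain.handle("doc-alice")
    except PermissionError as err:
        cap_result = type(err).__name__
    return acl_result, cap_result


def attenuation_demo():
    """A read-only facet can be shared without handing out write; the holder
    of the full capability still sees its own updates reflected in the facet."""
    doc = Document("v1")
    facet = ReadOnlyDocument(doc)
    doc.write("v2")
    return facet.read(), hasattr(facet, "write")
```

The point the simulation makes is the one the comment makes: the capability-side handler is exactly as buggy as the ACL-side one, but the bug is harmless because the grain was never given a reference to anything beyond its own document. That is the same property fine-grained containerization gives a Sandstorm app, with the platform deciding which references each container starts with.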
This page describes individual CVEs and how they were mitigated: https://docs.sandstorm.io/en/latest/using/security-non-event...
This page has a more general overview of the concept: https://sandstorm.io/how-it-works