Security and the Twelve-Factor App - Step 10
A blog series by WhiteHat Security
September 16, 2019

Eric Sheridan
WhiteHat Security

In the previous chapter of this WhiteHat Security series, we recommended applying signatures and expirations to limit the life of derived security assertions. This is relevant for Twelve-Factor App’s Step 9, which focuses on disposability i.e. apps built using the twelve-factor methodology can be started or stopped at a moment’s notice.

Step 10 highlights DEV/product parity and relates to keeping development, staging and production as similar as possible.

Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Start with Security and the Twelve-Factor App - Step 8
Start with Security and the Twelve-Factor App - Step 9

Defining DEV/Product Parity in the Twelve-Factor App

The tenth factor, DEV/product parity, suggests keeping development, staging and production as similar as possible. According to 12.factor.net, historically there have been significant gaps between development, edits to a local deploy of the app and production.

The twelve-factor app is designed for continuous deployment by keeping the gap between these as small and similar as possible.

Applying Security to Step 10

The Twelve-Factor app methodology puts a lot of emphasis on keeping services the same between the various phases of the product development lifecycle. However, when striving for DEV/prod parity as you move through the Twelve-Factors, it’s important that product secrets are not shared. Uber found this out the hard way when it stored a sensitive database key on a public GitHub page.

Enforce the separation of duties. This means that DEV can’t see any secrets in QA, QA can’t see any secrets in STAGE, and STAGE can’t see any secrets in PROD.

Replicate security services. Simply put, product security services must be replicated in the DEV, QA, and STAGE processes.

Read Security and the Twelve-Factor App - Step 11

Eric Sheridan is Chief Scientist at WhiteHat Security
Share this

Related Links

www.whitehatsec.com
www.12factor.net
Security and the Twelve-Factor App - Step 1

Industry News

JFrog Artifactory Integrates with MLflow
April 25, 2024

JFrog announced a new machine learning (ML) lifecycle integration between JFrog Artifactory and MLflow, an open source software platform originally developed by Databricks.

Copado Launches Test Copilot
April 25, 2024

Copado announced the general availability of Test Copilot, the AI-powered test creation assistant.

SmartBear Adds GenAI-Powered No-Code Test Automation GenAI to Zephyr Scale
April 25, 2024

SmartBear has added no-code test automation powered by GenAI to its Zephyr Scale, the solution that delivers scalable, performant test management inside Jira.

Opsera Announces New Patents for AI-powered, Cloud-Native Unified DevOps Platform
April 24, 2024

Opsera announced that two new patents have been issued for its Unified DevOps Platform, now totaling nine patents issued for the cloud-native DevOps Platform.

mabl Introduces Mobile Application Testing
April 23, 2024

mabl announced the addition of mobile application testing to its platform.

Spectro Cloud Achieves AWS Competency Designation
April 23, 2024

Spectro Cloud announced the achievement of a new Amazon Web Services (AWS) Competency designation.

GitLab Duo Chat Released
April 22, 2024

GitLab announced the general availability of GitLab Duo Chat.

SmartBear Integrates Stoplight's Spectral, Elements, and Prism into SwaggerHub
April 18, 2024

SmartBear announced a new version of its API design and documentation tool, SwaggerHub, integrating Stoplight’s API open source tools.

Red Hat Expands Red Hat Trusted Software Supply Chain
April 18, 2024

Red Hat announced updates to Red Hat Trusted Software Supply Chain.

Tricentis Copilot Released
April 18, 2024

Tricentis announced the latest update to the company’s AI offerings with the launch of Tricentis Copilot, a suite of solutions leveraging generative AI to enhance productivity throughout the entire testing lifecycle.

CIQ Launches Support for Upstream Kernels in Rocky Linux
April 17, 2024

CIQ launched fully supported, upstream stable kernels for Rocky Linux via the CIQ Enterprise Linux Platform, providing enhanced performance, hardware compatibility and security.

Redgate Monitor Enterprise Released
April 17, 2024

Redgate launched an enterprise version of its database monitoring tool, providing a range of new features to address the challenges of scale and complexity faced by larger organizations.

Snyk Supports Google Cloud's Gemini Code Assist
April 17, 2024

Snyk announced the expansion of its current partnership with Google Cloud to advance secure code generated by Google Cloud’s generative-AI-powered collaborator service, Gemini Code Assist.

Kong Konnect Dedicated Cloud Gateways Available on AWS
April 16, 2024

Kong announced the commercial availability of Kong Konnect Dedicated Cloud Gateways on Amazon Web Services (AWS).

Pega Infinity '24.1 Released
April 16, 2024

Pegasystems announced the general availability of Pega Infinity ’24.1™.

More Industry News