Security and the Twelve-Factor App - Step 10
A blog series by WhiteHat Security
September 16, 2019

Eric Sheridan
WhiteHat Security

In the previous chapter of this WhiteHat Security series, we recommended applying signatures and expirations to limit the life of derived security assertions. This is relevant for Twelve-Factor App’s Step 9, which focuses on disposability i.e. apps built using the twelve-factor methodology can be started or stopped at a moment’s notice.

Step 10 highlights DEV/product parity and relates to keeping development, staging and production as similar as possible.

Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Start with Security and the Twelve-Factor App - Step 8
Start with Security and the Twelve-Factor App - Step 9

Defining DEV/Product Parity in the Twelve-Factor App

The tenth factor, DEV/product parity, suggests keeping development, staging and production as similar as possible. According to 12.factor.net, historically there have been significant gaps between development, edits to a local deploy of the app and production.

The twelve-factor app is designed for continuous deployment by keeping the gap between these as small and similar as possible.

Applying Security to Step 10

The Twelve-Factor app methodology puts a lot of emphasis on keeping services the same between the various phases of the product development lifecycle. However, when striving for DEV/prod parity as you move through the Twelve-Factors, it’s important that product secrets are not shared. Uber found this out the hard way when it stored a sensitive database key on a public GitHub page.

Enforce the separation of duties. This means that DEV can’t see any secrets in QA, QA can’t see any secrets in STAGE, and STAGE can’t see any secrets in PROD.

Replicate security services. Simply put, product security services must be replicated in the DEV, QA, and STAGE processes.

Eric Sheridan is Chief Scientist at WhiteHat Security
Share this

Industry News

October 10, 2019

CloudBees launched a new partner program that expands ISV partners’ ability to align with CloudBees offerings and the global Jenkins community.

October 08, 2019

Nureva announced a key update to the Jira Software integration with Span Workspace, Nureva’s cloud-based digital canvas for visual planning and collaboration.

October 08, 2019

Fugue announced support for Open Policy Agent (OPA), an open source general-purpose policy engine and language for cloud infrastructure.

October 03, 2019

Redgate announced the launch of SQL Compare v14, the latest version of its industry standard tool for quickly and accurately comparing and deploying SQL Server databases.

October 03, 2019

Harness announced the release of Continuous Insights, a new capability of its CD platform that enables organizations to see clearly into software delivery performance across their engineering and development teams without needing to manually collect, correlate, and report metrics that might take days or weeks.

October 03, 2019

OutSystems and Workato announced a partnership aimed at allowing organizations to rapidly realize innovation, time to value, productivity, and mission-critical objectives through readily available application connectors.

October 02, 2019

Kong announced an acquisition and several new products.

October 02, 2019

Contrast Security announced the availability of .NET Core support on Contrast Community Edition (CE).

October 02, 2019

Checkmarx earned Amazon Web Services (AWS) Security Competency status for its Software Security Platform.

October 01, 2019

Parasoft announced the release of its newest product, Parasoft Selenic, a UI testing solution that makes Selenium smarter, to help organizations find real bugs faster.

October 01, 2019

Micro Focus announced the general availability of Deployment Automation 6.3, offering new deployment improvements for its Release Orchestration solution set.

October 01, 2019

Compuware announced enhancements to Topaz for Total Test and a partnership with OpenLegacy to help large enterprises speed mainframe software development and delivery while improving quality.

September 30, 2019

Deque Systems announced Axe Pro, a key addition to Axe, the web accessibility testing browser extension.

September 30, 2019

NIIT Technologies and mabl, Inc announced a partnership to deliver AI-driven automated solution for faster, economical and better application testing services.

September 30, 2019

Rockset announced the capability to analyze raw events from Apache Kafka in real time.