Security and the Twelve-Factor App - Step 10
A blog series by WhiteHat Security
September 16, 2019

Eric Sheridan
WhiteHat Security

In the previous chapter of this WhiteHat Security series, we recommended applying signatures and expirations to limit the life of derived security assertions. This is relevant for Twelve-Factor App’s Step 9, which focuses on disposability i.e. apps built using the twelve-factor methodology can be started or stopped at a moment’s notice.

Step 10 highlights DEV/product parity and relates to keeping development, staging and production as similar as possible.

Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Start with Security and the Twelve-Factor App - Step 8
Start with Security and the Twelve-Factor App - Step 9

Defining DEV/Product Parity in the Twelve-Factor App

The tenth factor, DEV/product parity, suggests keeping development, staging and production as similar as possible. According to 12.factor.net, historically there have been significant gaps between development, edits to a local deploy of the app and production.

The twelve-factor app is designed for continuous deployment by keeping the gap between these as small and similar as possible.

Applying Security to Step 10

The Twelve-Factor app methodology puts a lot of emphasis on keeping services the same between the various phases of the product development lifecycle. However, when striving for DEV/prod parity as you move through the Twelve-Factors, it’s important that product secrets are not shared. Uber found this out the hard way when it stored a sensitive database key on a public GitHub page.

Enforce the separation of duties. This means that DEV can’t see any secrets in QA, QA can’t see any secrets in STAGE, and STAGE can’t see any secrets in PROD.

Replicate security services. Simply put, product security services must be replicated in the DEV, QA, and STAGE processes.

Read Security and the Twelve-Factor App - Step 11

Eric Sheridan is Chief Scientist at WhiteHat Security
Share this

Related Links

www.whitehatsec.com
www.12factor.net
Security and the Twelve-Factor App - Step 1

Industry News

Backslash Security Introduces Fix Simulation and AI-Powered Attack Path Remediation
July 25, 2024

Backslash Security introduced its Fix Simulation and AI-powered Attack Path Remediation capabilities.

Check Point Software Names New CEO
July 25, 2024

Check Point® Software Technologies Ltd. announced the appointment of Nadav Zafrir as Check Point Chief Executive Officer.

Sonatype SBOM Manager and Nexus Repository Now Available in AWS Marketplace
July 25, 2024

Sonatype announced that Sonatype SBOM Manager, its Enterprise-Class Software Bill of Materials (SBOM) solution, and its artifact repository manager, Nexus Repository, are now available in AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS).

Broadcom Announces VMware Cloud Foundation 5.2 and VMware vSphere Foundation 5.2
July 24, 2024

Broadcom unveiled the latest updates to VMware Cloud Foundation (VCF), the company’s flagship private cloud platform.

CAST Releases Free SBOM Manager
July 24, 2024

CAST launched CAST SBOM Manager, a new freemium product designed for product owners, release managers, and compliance specialists.

Zesty Introduces Cloud Insights and Automation Platform
July 24, 2024

Zesty announced the launch of its Insights and Automation Platform.

Progress Introduces MarkLogic FastTrack, Helping Organizations Harness the Power of Connected Data
July 23, 2024

Progress announced the availability of Progress® MarkLogic® FastTrack™, a UI toolkit for building data- and search-driven applications to visually explore complex connected data stored in Progress® MarkLogic® platform.

Snowflake Cortex AI to Host Llama 3.1 Collection of Multilingual Open Source LLMs
July 23, 2024

Snowflake will host the Llama 3.1 collection of multilingual open source large language models (LLMs) in Snowflake Cortex AI for enterprises to easily harness and build powerful AI applications at scale.

Secure Code Warrior Releases SCW Trust Agent
July 23, 2024

Secure Code Warrior announced the availability of SCW Trust Agent – a solution that assesses the specific security competencies of developers for every code commit.

GFT Launches AI Impact
July 23, 2024

GFT launched AI Impact, a new solution that leverages artificial intelligence to eliminate technical debt, increase developer efficiency and automate critical software development processes.

Code Metal Raises $16.5M in Seed Funding
July 23, 2024

Code Metal announced a $13M seed, led by Shield Capital.

Atlassian Achieves FedRAMP "In Process" Designation
July 22, 2024

Atlassian Corporation has achieved Federal Risk and Authorization Management Program (FedRAMP) “In Process” status and is now listed on the FedRAMP marketplace.

Check Point Software Named a Leader in Mobile Threat Defense Solutions Report
July 18, 2024

Check Point® Software Technologies Ltd. announced that it has received a Leader ranking in The Forrester Wave™: Mobile Threat Defense Solutions, Q3 2024 report.

Mission Cloud Engagements - DevOps Released
July 18, 2024

Mission Cloud announced the launch of Mission Cloud Engagements - DevOps, a platform designed to transform how businesses manage and execute their AWS DevOps projects.

Accelario Introduces Free Next-Gen TDM Version
July 18, 2024

Accelario announces the release of its free TDM solution, including database virtualization and data anonymization.

More Industry News