CyberArk announced the CyberArk Blueprint for Privileged Access Management Success, designed to help customers take a future-proof, phased and measurable approach to reducing privilege-related risk.
Security and the Twelve-Factor App - Step 10
A blog series by WhiteHat Security
September 16, 2019
In the previous chapter of this WhiteHat Security series, we recommended applying signatures and expirations to limit the life of derived security assertions. This is relevant for Twelve-Factor App’s Step 9, which focuses on disposability i.e. apps built using the twelve-factor methodology can be started or stopped at a moment’s notice.
Step 10 highlights DEV/product parity and relates to keeping development, staging and production as similar as possible.
Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Start with Security and the Twelve-Factor App - Step 8
Start with Security and the Twelve-Factor App - Step 9
Defining DEV/Product Parity in the Twelve-Factor App
The tenth factor, DEV/product parity, suggests keeping development, staging and production as similar as possible. According to 12.factor.net, historically there have been significant gaps between development, edits to a local deploy of the app and production.
The twelve-factor app is designed for continuous deployment by keeping the gap between these as small and similar as possible.
Applying Security to Step 10
The Twelve-Factor app methodology puts a lot of emphasis on keeping services the same between the various phases of the product development lifecycle. However, when striving for DEV/prod parity as you move through the Twelve-Factors, it’s important that product secrets are not shared. Uber found this out the hard way when it stored a sensitive database key on a public GitHub page.
■ Enforce the separation of duties. This means that DEV can’t see any secrets in QA, QA can’t see any secrets in STAGE, and STAGE can’t see any secrets in PROD.
■ Replicate security services. Simply put, product security services must be replicated in the DEV, QA, and STAGE processes.
Industry News
February 13, 2020
Cloudentity announced a partnership with Signal Sciences to provide a holistic approach for enterprise companies looking to secure their web applications and APIs.
February 13, 2020
OutSystems announced that the Portuguese government has agreed to co-finance €5.1 million through the Portugal 2020 economic development program for a pair of innovative research and development programs led by OutSystems.
February 12, 2020
Tata Consultancy Services (TCS) launched Jile 4.0, a major release of its on-the-cloud enterprise Agile DevOps platform that enables software teams to manage, automate and measure the end-to-end software delivery value stream from ideation to deployment.
February 12, 2020
Synopsys announced that on Feb. 18 it will release a major update to the Polaris Software Integrity Platform to extend its static application security testing (SAST) and software composition analysis (SCA) capabilities to the developer's desktop through the native integration of the Code Sight IDE plugin.
February 12, 2020
Tufin announced the availability of Tufin SecureCloud, a security policy automation service for enterprises needing to gain visibility and control of the security posture of their cloud-native and hybrid cloud environments.
February 11, 2020
Applause released its new Applause Accessibility Tool that automatically finds and fixes key accessibility issues earlier in the software development lifecycle.
February 11, 2020
Chef announced a new channel program specifically designed to ensure that partners and customers are able to take maximum advantage of Chef’s 100 percent open source business model.
February 11, 2020
IT Revolution announced the first round of speakers for DevOps Enterprise Summit London 2020.
February 10, 2020
Dynatrace announced new enhancements to its support for Kubernetes.
February 06, 2020
DevOps Institute announced its newly revamped Global Education Partner Program.
February 06, 2020
Automox raised $30 million in Series B funding.
February 05, 2020
Couchbase introduced Couchbase Cloud, a fully-managed Database-as-a-Service (DBaaS).
February 05, 2020
Univa announced the general availability of Navops Launch 2.0, its flagship cloud-automation platform, designed to help enterprises simplify the migration of HPC and AI workloads to their choice of cloud.
February 05, 2020
Fugue announced a Team plan to help cloud engineering teams collaborate and innovate faster and more securely.
