Security and the Twelve-Factor App - Step 10
A blog series by WhiteHat Security
September 16, 2019

Eric Sheridan
WhiteHat Security

In the previous chapter of this WhiteHat Security series, we recommended applying signatures and expirations to limit the life of derived security assertions. This is relevant for Twelve-Factor App’s Step 9, which focuses on disposability i.e. apps built using the twelve-factor methodology can be started or stopped at a moment’s notice.

Step 10 highlights DEV/product parity and relates to keeping development, staging and production as similar as possible.

Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Start with Security and the Twelve-Factor App - Step 8
Start with Security and the Twelve-Factor App - Step 9

Defining DEV/Product Parity in the Twelve-Factor App

The tenth factor, DEV/product parity, suggests keeping development, staging and production as similar as possible. According to 12.factor.net, historically there have been significant gaps between development, edits to a local deploy of the app and production.

The twelve-factor app is designed for continuous deployment by keeping the gap between these as small and similar as possible.

Applying Security to Step 10

The Twelve-Factor app methodology puts a lot of emphasis on keeping services the same between the various phases of the product development lifecycle. However, when striving for DEV/prod parity as you move through the Twelve-Factors, it’s important that product secrets are not shared. Uber found this out the hard way when it stored a sensitive database key on a public GitHub page.

Enforce the separation of duties. This means that DEV can’t see any secrets in QA, QA can’t see any secrets in STAGE, and STAGE can’t see any secrets in PROD.

Replicate security services. Simply put, product security services must be replicated in the DEV, QA, and STAGE processes.

Read Security and the Twelve-Factor App - Step 11

Eric Sheridan is Chief Scientist at WhiteHat Security
Share this

Related Links

www.whitehatsec.com
www.12factor.net
Security and the Twelve-Factor App - Step 1

Industry News

New Relic Delivers Reimagined Observability Platform
July 30, 2020

New Relic delivered strategic updates to New Relic One.

DevOps Enterprise Summit Las Vegas Announces New Dates and Virtual Conference Format
July 30, 2020

IT Revolution announced the DevOps Enterprise Summit Las Vegas 2020 will be going virtual.

Adaptavist Acquires Go2Group
July 30, 2020

Adaptavist announced the acquisition of Go2Group, a US technology firm specializing in Agile and DevOps services and cloud solutions for the enterprise.

Panaya and Worksoft Partner to Deliver Change Intelligence
July 29, 2020

Panaya announced a new partnership with Worksoft providing SAP IT organizations with a best in class Change Intelligence solution that enables SAP ECC users to migrate or optimize their system risk-free.

Splice Machine Kubernetes Ops Center Introduced
July 29, 2020

Splice Machine launched the Splice Machine Kubernetes Ops Center, deployed with Helm Charts.

CirrusHQ Achieves AWS DevOps Competency Status
July 29, 2020

CirrusHQ, an Amazon Web Services (AWS) Advanced Consulting and Solution Provider partner, has achieved AWS DevOps Competency Status.

NetSPI Launches SAST and SCR Services
July 28, 2020

NetSPI launched Static Application Security Testing (SAST) and Secure Code Review (SCR) services.

Centrify Empowers DevSecOps with New Approach to Identity and Access Management
July 28, 2020

Centrify debuted Delegated Machine Credentials (DMC) as part of the Centrify Privileged Access Service to reduce risk and empower automation in increasingly complex, infrastructure-as-code-based elastic environments.

Tricentis Expands SAP Partnership
July 28, 2020

Tricentis announced an expansion of its strategic partnership with SAP.

Puppet Open Sources Scenario Planning Toolkit
July 27, 2020

Puppet announced the release of an open source Scenario Planning Toolkit for enterprise technology leaders to make more informed, strategic decisions and meaningfully drive forward their businesses during uncertain times.

CloudPassage Expands Cloud Security Capabilities for Docker, Kubernetes, and Container-Related Services on AWS
July 27, 2020

CloudPassage announced expanded container-related security capabilities for its Halo cloud security platform.

Sysdig Secure DevOps Platform Offers 5-Minute Set-Up
July 27, 2020

The latest release of Sysdig Secure DevOps Platform provides a 5-minute setup, a fast path to delivering container and Kubernetes security and visibility with a SaaS-first offering.

Forrester Names ACCELQ as a Leader in Continuous Functional Test Automation Suites Report
July 23, 2020

ACCELQ and its automation testing suite have been recognized by leading research firm, Forrester.

Summer Release of Puppet Enterprise Announced
July 23, 2020

Puppet announced updates to Puppet Enterprise making it easier and faster to automate complex infrastructure operations for improved application deployments, fewer errors and disruptions, and greater operational repeatability and efficiency.

Latest Tasktop Release Supports Jira Align
July 23, 2020

Tasktop announced that its latest release of the Tasktop Value Stream Management platform supports Jira Align.

More Industry News