Security and the Twelve-Factor App - Step 10
A blog series by WhiteHat Security
September 16, 2019

Eric Sheridan
WhiteHat Security

In the previous chapter of this WhiteHat Security series, we recommended applying signatures and expirations to limit the life of derived security assertions. This is relevant for Twelve-Factor App’s Step 9, which focuses on disposability i.e. apps built using the twelve-factor methodology can be started or stopped at a moment’s notice.

Step 10 highlights DEV/product parity and relates to keeping development, staging and production as similar as possible.

Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Start with Security and the Twelve-Factor App - Step 8
Start with Security and the Twelve-Factor App - Step 9

Defining DEV/Product Parity in the Twelve-Factor App

The tenth factor, DEV/product parity, suggests keeping development, staging and production as similar as possible. According to 12.factor.net, historically there have been significant gaps between development, edits to a local deploy of the app and production.

The twelve-factor app is designed for continuous deployment by keeping the gap between these as small and similar as possible.

Applying Security to Step 10

The Twelve-Factor app methodology puts a lot of emphasis on keeping services the same between the various phases of the product development lifecycle. However, when striving for DEV/prod parity as you move through the Twelve-Factors, it’s important that product secrets are not shared. Uber found this out the hard way when it stored a sensitive database key on a public GitHub page.

Enforce the separation of duties. This means that DEV can’t see any secrets in QA, QA can’t see any secrets in STAGE, and STAGE can’t see any secrets in PROD.

Replicate security services. Simply put, product security services must be replicated in the DEV, QA, and STAGE processes.

Eric Sheridan is Chief Scientist at WhiteHat Security
Share this

Related Links

www.whitehatsec.com
www.12factor.net
Security and the Twelve-Factor App - Step 1

Industry News

CloudBees Announces New Technical Alliance Partner Program
October 10, 2019

CloudBees launched a new partner program that expands ISV partners’ ability to align with CloudBees offerings and the global Jenkins community.

Nureva Expands Integration of Span Workspace with Jira Software
October 08, 2019

Nureva announced a key update to the Jira Software integration with Span Workspace, Nureva’s cloud-based digital canvas for visual planning and collaboration.

Fugue Adopts Open Policy Agent for its Policy-as-Code Framework for Cloud Security
October 08, 2019

Fugue announced support for Open Policy Agent (OPA), an open source general-purpose policy engine and language for cloud infrastructure.

Redgate Extends SQL Compare to Provide Linux Command Line Interface and Support for SQL Server 2019
October 03, 2019

Redgate announced the launch of SQL Compare v14, the latest version of its industry standard tool for quickly and accurately comparing and deploying SQL Server databases.

Harness Releases Continuous Insights
October 03, 2019

Harness announced the release of Continuous Insights, a new capability of its CD platform that enables organizations to see clearly into software delivery performance across their engineering and development teams without needing to manually collect, correlate, and report metrics that might take days or weeks.

OutSystems, Workato and Persistent Systems Announce Partnership on Low-Code and Automation
October 03, 2019

OutSystems and Workato announced a partnership aimed at allowing organizations to rapidly realize innovation, time to value, productivity, and mission-critical objectives through readily available application connectors.

Kong Acquires Insomnia
October 02, 2019

Kong announced an acquisition and several new products.

Contrast Security Provides Free DevSecOps Solution to .NET Community
October 02, 2019

Contrast Security announced the availability of .NET Core support on Contrast Community Edition (CE).

Checkmarx Achieves AWS Security Competency Status
October 02, 2019

Checkmarx earned Amazon Web Services (AWS) Security Competency status for its Software Security Platform.

Parasoft Launches Parasoft Selenic, an AI-Powered UI Testing Solution for Selenium
October 01, 2019

Parasoft announced the release of its newest product, Parasoft Selenic, a UI testing solution that makes Selenium smarter, to help organizations find real bugs faster.

Micro Focus Released Deployment Automation 6.3
October 01, 2019

Micro Focus announced the general availability of Deployment Automation 6.3, offering new deployment improvements for its Release Orchestration solution set.

Compuware Announces Topaz Enhancements and OpenLegacy Integration
October 01, 2019

Compuware announced enhancements to Topaz for Total Test and a partnership with OpenLegacy to help large enterprises speed mainframe software development and delivery while improving quality.

Deque Systems Releases Axe Pro
September 30, 2019

Deque Systems announced Axe Pro, a key addition to Axe, the web accessibility testing browser extension.

NIIT Technologies Announces Partnership with mabl Inc. on Automated Testing
September 30, 2019

NIIT Technologies and mabl, Inc announced a partnership to deliver AI-driven automated solution for faster, economical and better application testing services.

Rockset Unveils Real-Time SQL Analytics for Raw Events from Apache Kafka
September 30, 2019

Rockset announced the capability to analyze raw events from Apache Kafka in real time.

More Industry News