Security and the Twelve-Factor App - Step 10
A blog series by WhiteHat Security
September 16, 2019

Eric Sheridan
WhiteHat Security

In the previous chapter of this WhiteHat Security series, we recommended applying signatures and expirations to limit the life of derived security assertions. This is relevant to Twelve-Factor App Step 9, which focuses on disposability, i.e. apps built using the twelve-factor methodology can be started or stopped at a moment’s notice.

Step 10 covers DEV/prod parity: keeping development, staging and production as similar as possible.

Defining DEV/Prod Parity in the Twelve-Factor App

The tenth factor, DEV/prod parity, suggests keeping development, staging and production as similar as possible. According to 12factor.net, historically there have been significant gaps between development (a developer making edits to a local deploy of the app) and production (the running deploy that end users reach).

The twelve-factor app is designed for continuous deployment by keeping the gap between these environments as small as possible.

Applying Security to Step 10

The Twelve-Factor App methodology puts a lot of emphasis on keeping services the same between the various phases of the product development lifecycle. However, when striving for DEV/prod parity as you move through the twelve factors, it is important that production secrets are not shared across environments. Uber found this out the hard way when it stored a sensitive database key on a public GitHub page.

Enforce the separation of duties. This means that DEV can’t see any secrets in QA, QA can’t see any secrets in STAGE, and STAGE can’t see any secrets in PROD.

Replicate security services. Simply put, product security services must be replicated in the DEV, QA, and STAGE processes.
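The two rules above, separation of duties for secrets and replication of security services, can both be checked mechanically at deploy time. The following is an added example, not code from the WhiteHat post or from 12factor.net; the environment names, the security-service settings and the secret values are constructed for illustration, and a real pipeline would read each environment's block from that environment's own secret store rather than from one in-process dictionary.

```python
"""Added example (not from the WhiteHat post): detect drift in security services
between environments (parity) while flagging any secret value reused across
environments (which parity must NOT extend to). All values are constructed."""
import hashlib

# Constructed per-environment configuration. In practice each environment's block
# comes from that environment's own secret store, never from a shared file.
ENVIRONMENTS = {
    "DEV":   {"security": {"tls_required": False, "waf_enabled": True,  "auth_provider": "oidc"},
              "secrets":  {"db_password": "dev-only-pw-1",   "api_key": "dev-key-1"}},
    "QA":    {"security": {"tls_required": True,  "waf_enabled": True,  "auth_provider": "oidc"},
              "secrets":  {"db_password": "qa-only-pw-2",    "api_key": "qa-key-2"}},
    "STAGE": {"security": {"tls_required": True,  "waf_enabled": False, "auth_provider": "oidc"},
              "secrets":  {"db_password": "stage-only-pw-3", "api_key": "prod-key-9"}},
    "PROD":  {"security": {"tls_required": True,  "waf_enabled": True,  "auth_provider": "oidc"},
              "secrets":  {"db_password": "prod-only-pw-4",  "api_key": "prod-key-9"}},
}


def security_parity_drift(envs, baseline="PROD"):
    """Return (env, setting, actual, expected) for every security-service setting
    that differs from the baseline environment. PROD is the reference because the
    point of parity is that lower environments exercise the same controls."""
    base = envs[baseline]["security"]
    drift = []
    for name, cfg in envs.items():
        if name == baseline:
            continue
        for key, expected in base.items():
            actual = cfg["security"].get(key)
            if actual != expected:
                drift.append((name, key, actual, expected))
    return sorted(drift)


def _fingerprint(value):
    # Compare fingerprints rather than raw values so the report never carries a secret.
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def shared_secrets(envs):
    """Return (secret_name, [environments]) for any secret value that appears in
    more than one environment. A shared value means a breach of one environment
    exposes another, so this is a hard failure for the deploy."""
    seen = {}
    for name, cfg in envs.items():
        for key, value in cfg["secrets"].items():
            seen.setdefault((key, _fingerprint(value)), []).append(name)
    return sorted((key, sorted(names)) for (key, _), names in seen.items() if len(names) > 1)


def read_secret(caller_env, target_env, key, envs=ENVIRONMENTS):
    """Separation of duties: a caller running in one environment may only read
    that environment's secrets. DEV cannot see QA, QA cannot see STAGE, and so on."""
    if caller_env != target_env:
        raise PermissionError(f"{caller_env} may not read {target_env} secrets")
    return envs[target_env]["secrets"][key]


if __name__ == "__main__":
    for env, key, actual, expected in security_parity_drift(ENVIRONMENTS):
        print(f"PARITY DRIFT: {env}.{key} = {actual!r}, PROD has {expected!r}")
    for key, names in shared_secrets(ENVIRONMENTS):
        print(f"SHARED SECRET: {key} reused in {', '.join(names)}")
```

Run stand-alone, the script reports that DEV does not require TLS and STAGE runs without the WAF (security services that should be replicated from PROD), and that the constructed `api_key` is reused between STAGE and PROD (a secret that should never be shared). Wiring both checks into the deployment pipeline, with the fingerprint comparison keeping secret values out of build logs, turns the two rules into a gate rather than a guideline.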

Read Security and the Twelve-Factor App - Step 11

Eric Sheridan is Chief Scientist at WhiteHat Security