Conducto is launching a toolkit for simplifying complex CI/CD and data science pipelines, having raised $3 million in seed funding led by Jump Capital.
Security and the Twelve-Factor App - Step 10
A blog series by WhiteHat Security
September 16, 2019
In the previous chapter of this WhiteHat Security series, we recommended applying signatures and expirations to limit the life of derived security assertions. This is relevant for Twelve-Factor App’s Step 9, which focuses on disposability i.e. apps built using the twelve-factor methodology can be started or stopped at a moment’s notice.
Step 10 highlights DEV/product parity and relates to keeping development, staging and production as similar as possible.
Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Start with Security and the Twelve-Factor App - Step 8
Start with Security and the Twelve-Factor App - Step 9
Defining DEV/Product Parity in the Twelve-Factor App
The tenth factor, DEV/product parity, suggests keeping development, staging and production as similar as possible. According to 12.factor.net, historically there have been significant gaps between development, edits to a local deploy of the app and production.
The twelve-factor app is designed for continuous deployment by keeping the gap between these as small and similar as possible.
Applying Security to Step 10
The Twelve-Factor app methodology puts a lot of emphasis on keeping services the same between the various phases of the product development lifecycle. However, when striving for DEV/prod parity as you move through the Twelve-Factors, it’s important that product secrets are not shared. Uber found this out the hard way when it stored a sensitive database key on a public GitHub page.
■ Enforce the separation of duties. This means that DEV can’t see any secrets in QA, QA can’t see any secrets in STAGE, and STAGE can’t see any secrets in PROD.
■ Replicate security services. Simply put, product security services must be replicated in the DEV, QA, and STAGE processes.
Industry News
October 21, 2020
Snyk Intel vulnerability database will be integrated into IBM Cloud security capabilities to enhance security for enterprise workloads.
October 21, 2020
Accurics announced $20 million across seed and series A financing raised in the past six months, with Intel Capital leading the Series A and ClearSky leading the seed.
October 20, 2020
Splunk announced the Splunk Observability Suite, the most comprehensive and powerful combination of monitoring, investigation, and troubleshooting solutions designed to help organizations become cloud-ready and accelerate their digital transformation.
October 20, 2020
Tricentis announced Vision AI, the core technology that will now power Tosca.
October 20, 2020
MuseDev has extended its code analysis platform to deliver bug reports via Github's code scanning UI.
October 20, 2020
Digital Shadows announced the ability to detect exposed access keys.
October 19, 2020
StackRox and Robin.io announced a new partnership bringing together Robin’s application-focused approach to Kubernetes data management with StackRox’s Kubernetes-native security and compliance capabilities.
October 19, 2020
PubNub announced new Chat UI Kits to streamline chat development.
October 19, 2020
Secure Code Warrior announced support for GitHub’s new code scanning functionality in conjunction with a new collaboration with Snyk.
October 15, 2020
Couchbase announced version 2.8 of Couchbase Lite and Couchbase Sync Gateway for mobile and edge computing applications.
October 15, 2020
Kong unveiled the private beta release of Kong Konnect, a full-stack platform for cloud native applications delivered as a service.
October 15, 2020
Sonatype unveiled the Advanced Development Pack.
October 14, 2020
JFrog announced the general availability of a free subscription of its universal, hybrid and multi-cloud DevOps Platform, including industry-leading DevSecOps capabilities offered at no cost.
October 14, 2020
ServiceNow announced four new external DevOps integrations with Continuous Improvement/Continues Delivery (CI/CD) toolsets.
