Push Technology announced the launch of a new Kafka Adapter for their Diffusion Intelligent Data Mesh.
Security and the Twelve-Factor App - Step 11
A blog series by WhiteHat Security
October 15, 2019
In the previous chapter of this WhiteHat Security series, DEV/product parity was the key focus area, and relates to keeping development, staging and production as similar as possible. The security posture to adopt when striving for DEV/prod parity as you move through the Twelve-Factors is to ensure that product secrets are not shared.
Step 11 suggests treating logs as event streams.
Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Start with Security and the Twelve-Factor App - Step 8
Start with Security and the Twelve-Factor App - Step 9
Start with Security and the Twelve-Factor App - Step 10
Defining Logs in the Twelve-Factor App
12.factor.net explains that Logs, which are the stream of aggregated, time-ordered events collected from the output streams of all running processes and backing services, offer visibility into the behaviour of a running app.
A twelve-factor app never concerns itself with routing or storage of its output stream. It should not attempt to write to or manage logfiles. Instead, each running process writes its event stream, unbuffered, to stdout. During local development, the developer will view this stream in the foreground of their terminal to observe the app’s behavior.
Applying Security to Step 11
The most important security step in this factor is to log for security in such a way that anyone who is aggregating the log can easily extract the security log messages to avoid being burdened with stack traces for example.
In other words, create a log record for each security critical event with supporting information, as well as a "SECURITY" log record category to assist in aggregation.
In the final chapter we cover Step 12, which is all about admin processes and running admin/management tasks as one-off processes.
Industry News
August 06, 2020
Appvia announced the launch of its Cost Prediction and Visibility tool, integrated within the latest version of its Kore platform.
August 06, 2020
LogiGear announced the newest addition to the TestArchitect™ family, TestArchitect Gondola.
August 05, 2020
Logz.io announced a partnership with HashiCorp, a provider in multi-cloud infrastructure automation software.
August 05, 2020
Digitate, a software venture of Tata Consultancy Services, announced the release of ignio™ AI.Assurance, an autonomous assurance product that enables enterprises to deliver better software faster, enhancing their business performance.
August 05, 2020
Harness acquired self-service Continuous Integration firm Drone.io, the creator of the open-source project Drone.
August 04, 2020
Aqua Security announced that its Cloud Native Security Platform is available through Red Hat® Marketplace, an open cloud marketplace that makes it easier to discover and access certified software for container-based environments across the hybrid cloud.
August 04, 2020
Threat Stack announced the availability of Threat Stack Container Security Monitoring for AWS Fargate.
August 04, 2020
OpenLogic by Perforce now provides an enterprise-class alternative to Oracle Java by offering OpenJDK distributions backed by OpenLogic support.
August 03, 2020
MuseDev launched on Github Marketplace the Early Access version of its code analysis platform, Muse, to help developers find and fix critical security, performance, and reliability bugs, efficiently, before they reach QA or production.
August 03, 2020
Styra announced Rego Policy Builder for the Styra Declarative Authorization Service (DAS).
August 03, 2020
Felicis Ventures has invested an additional $5M in Sourcegraph, bringing the total raised to over $46M, including a $23M Series B in March 2020 led by Craft Ventures.
July 30, 2020
New Relic delivered strategic updates to New Relic One.
July 30, 2020
IT Revolution announced the DevOps Enterprise Summit Las Vegas 2020 will be going virtual.
July 30, 2020
Adaptavist announced the acquisition of Go2Group, a US technology firm specializing in Agile and DevOps services and cloud solutions for the enterprise.
