Oracle is making its popular APEX low-code development platform available as a managed cloud service that developers can use to build data-driven enterprise applications quickly and easily.
Security and the Twelve-Factor App - Step 11
A blog series by WhiteHat Security
October 15, 2019
In the previous chapter of this WhiteHat Security series, DEV/product parity was the key focus area, and relates to keeping development, staging and production as similar as possible. The security posture to adopt when striving for DEV/prod parity as you move through the Twelve-Factors is to ensure that product secrets are not shared.
Step 11 suggests treating logs as event streams.
Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Start with Security and the Twelve-Factor App - Step 8
Start with Security and the Twelve-Factor App - Step 9
Start with Security and the Twelve-Factor App - Step 10
Defining Logs in the Twelve-Factor App
12.factor.net explains that Logs, which are the stream of aggregated, time-ordered events collected from the output streams of all running processes and backing services, offer visibility into the behaviour of a running app.
A twelve-factor app never concerns itself with routing or storage of its output stream. It should not attempt to write to or manage logfiles. Instead, each running process writes its event stream, unbuffered, to stdout. During local development, the developer will view this stream in the foreground of their terminal to observe the app’s behavior.
Applying Security to Step 11
The most important security step in this factor is to log for security in such a way that anyone who is aggregating the log can easily extract the security log messages to avoid being burdened with stack traces for example.
In other words, create a log record for each security critical event with supporting information, as well as a "SECURITY" log record category to assist in aggregation.
In the final chapter we cover Step 12, which is all about admin processes and running admin/management tasks as one-off processes.
Industry News
January 14, 2021
Parasoft announced its C/C++test update to support IAR Systems' build tools for Linux for Arm.
January 14, 2021
Harness raised $115 million in financing, reaching a valuation of $1.7 billion in just three years after launching from stealth.
January 13, 2021
Slim.ai launched with its cloud-based DevOps automation platform built specifically for software developers.
January 13, 2021
WhiteSource announced new WhiteSource Advise support for JetBrains' PyCharm and WebStorm integrated development environments (IDEs).
January 11, 2021
KubeSphere announced its expanded relationship with AWS to offer KubeSphere as an AWS Quick Start.
January 07, 2021
Cigniti Technologies announced a partnership with Sonatype to help enterprise customers innovate faster and easily mitigate security risk inherent in open source.
January 07, 2021
Lacework announced a $525 million growth round with a valuation of over $1 billion.
January 06, 2021
BMC announced several new capabilities and enhancements for the BMC Automated Mainframe Intelligence (AMI) and Compuware portfolios that enable BMC mainframe customers to protect uptime and availability, defend the mainframe against cybersecurity threats, and advance enterprise DevOps.
January 06, 2021
Sysdig has achieved Service Organization Control (SOC) 2 Type II compliance for the Sysdig Secure DevOps Platform.
January 05, 2021
Allegro AI announced a rebranding of its key product Allegro Trains as ClearML.
January 05, 2021
Acryl unveiled a pilot service for Jonathan, an integrated AI platform that can be used in a variety of industries with a spectrum of users from non-experts to professional developers.
January 05, 2021
Weaveworks announced a $36.65 million Series C funding round.
