Bonitasoft announced that the Bonita platform is now available with advanced low-code features that permit better collaboration between citizen developers and professional developers.
Security and the Twelve-Factor App - Step 5
A blog series by WhiteHat Security
October 29, 2018
The previous chapter in this WhiteHat Security series examined the security component of step four of the Twelve-Factor methodology - backing services. Twelve-Factor suggests treating these as attached resources, but from a security standpoint it's important to understand the security posture of the backing service, as well as proactively securing communications and encapsulating security checks within the Resource abstraction.
Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
This next chapter highlights the build, release and run stages within the app-building process, which step 5 recommends separating.
Defining Build, Release, Run in the Twelve-Factor App
Factor 5 of the Twelve-Factor App relates more to processes and advises strictly separating the build and run stages. The emphasis is on identifying and separating each stage of app development, and encouraging automation between each so as to accelerate the process.
To explain in more detail, a codebase is transformed into a (non-development) deploy through three stages:
■ The build stage is a transform which converts a code repository into an executable bundle known as a build. Using a version of the code at a commit specified by the deployment process, the build stage fetches vendors dependencies and compiles binaries and assets.
■ The release stage takes the build produced by the build stage and combines it with the deploy's current configuration. The resulting release contains both the build and the configuration and is ready for immediate execution in the execution environment.
■ The run stage (also known as “runtime”) runs the app in the execution environment, by launching some set of the app's processes against a selected release.
The twelve-factor app uses strict separation between the build, release, and run stages.
Applying Security to the Build, Release, Run Stages
From a security point of view, keep in mind these key activities during the build, release and run stages:
■ Build - enforce security policy. The Build Stage is responsible for automating enforce of the security policy, and breaking builds that fail the said policy.
■ Release - security go/no-go. The Release Stage should provide a consolidated view of the application's risk, thereby allowing for a "go/no-go" decision with respect to Release.
■ Run - production protection. The Run Stage should provide capabilities to reduce business impact of exploited vulnerability (whether known or unknown).
Read Security and the Twelve-Factor App - Step 6 about processes, which encourages executing the app as one or more stateless processes by using small programs that communicate over the network, and the security implications of this step.
Industry News
December 11, 2019
Solo.io announced WebAssembly Hub, a service for building, sharing, discovering and deploying WebAssembly (Wasm) extensions for Envoy Proxy-based service meshes.
December 11, 2019
Datawire unveiled the new Ambassador Edge Stack 1.0, an integrated edge solution that empowers developer teams to rapidly configure the edge services required to build, deliver and scale their applications running in Kubernetes.
December 10, 2019
Compuware has signed a definitive agreement to acquire the assets of INNOVATION Data Processing, a provider of enterprise data protection, business continuance and storage resource management solutions serving the mainframe market.
December 10, 2019
Dynatrace announced its Autonomous Cloud Enablement (ACE) Practice to accelerate DevOps’ movement to autonomous cloud operations.
December 09, 2019
NS1, announced the expansion of its suite of integrations to include Kubernetes, Consul, Avi Networks (VMWare NSX), NGINX, and HAProxy.
December 09, 2019
CloudBees announced an extension of its partnership with Google. As a Google Cloud Run launch partner, CloudBees will offer developers more flexibility in their deployment of containerized applications.
December 09, 2019
EPAM Systems has expanded its crowdtesting software solutions to enable user story testing.
December 05, 2019
Parasoft announced the newest release of Parasoft C/C++test, the unified C and C++ development testing solution for enterprise and embedded applications.
December 05, 2019
Datadog announced Security Monitoring, a new product that enables real-time threat detection across the entire stack and deeper collaboration between security, developers, and operations teams.
December 05, 2019
Pulumi announced the availability of Pulumi Crosswalk for Kubernetes, an open source collection of frameworks, tools and user guides that help developers and operators work better together delivering production workloads using Kubernetes.
December 04, 2019
CloudBees announced a Preview Program for CloudBees CI/CD powered by Jenkins X, a Software as a Service (SaaS) continuous integration and continuous delivery solution running on Google Cloud Platform.
December 04, 2019
Rancher Labs announced the general availability of K3s, their lightweight, certified Kubernetes distribution purpose built for small footprint workloads, along with the beta release of Rio, their new application deployment engine for Kubernetes that delivers a fully integrated deployment experience from operations to pipeline.
December 04, 2019
WhiteSource announced a new integration with Codefresh, the Kubernetes-native CI/CD solution.
