Docker has extended its strategic collaboration with Microsoft to simplify code to cloud application development for developers and development teams by more closely integrating with Azure Container Instances (ACI).
Security and the Twelve-Factor App - Step 5
A blog series by WhiteHat Security
October 29, 2018
The previous chapter in this WhiteHat Security series examined the security component of step four of the Twelve-Factor methodology - backing services. Twelve-Factor suggests treating these as attached resources, but from a security standpoint it's important to understand the security posture of the backing service, as well as proactively securing communications and encapsulating security checks within the Resource abstraction.
Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
This next chapter highlights the build, release and run stages within the app-building process, which step 5 recommends separating.
Defining Build, Release, Run in the Twelve-Factor App
Factor 5 of the Twelve-Factor App relates more to processes and advises strictly separating the build and run stages. The emphasis is on identifying and separating each stage of app development, and encouraging automation between each so as to accelerate the process.
To explain in more detail, a codebase is transformed into a (non-development) deploy through three stages:
■ The build stage is a transform which converts a code repository into an executable bundle known as a build. Using a version of the code at a commit specified by the deployment process, the build stage fetches vendors dependencies and compiles binaries and assets.
■ The release stage takes the build produced by the build stage and combines it with the deploy's current configuration. The resulting release contains both the build and the configuration and is ready for immediate execution in the execution environment.
■ The run stage (also known as “runtime”) runs the app in the execution environment, by launching some set of the app's processes against a selected release.
The twelve-factor app uses strict separation between the build, release, and run stages.
Applying Security to the Build, Release, Run Stages
From a security point of view, keep in mind these key activities during the build, release and run stages:
■ Build - enforce security policy. The Build Stage is responsible for automating enforce of the security policy, and breaking builds that fail the said policy.
■ Release - security go/no-go. The Release Stage should provide a consolidated view of the application's risk, thereby allowing for a "go/no-go" decision with respect to Release.
■ Run - production protection. The Run Stage should provide capabilities to reduce business impact of exploited vulnerability (whether known or unknown).
Read Security and the Twelve-Factor App - Step 6 about processes, which encourages executing the app as one or more stateless processes by using small programs that communicate over the network, and the security implications of this step.
Industry News
May 28, 2020
Eggplant announced updates to its Digital Automation Intelligence (DAI) platform.
May 28, 2020
Aptum launched its Managed DevOps Service in partnership with CloudOps, a cloud consulting and professional services company specializing in DevOps.
May 27, 2020
Red Hat announced an expansion of its application services portfolio with the addition of Quarkus as a fully supported framework in Red Hat Runtimes.
May 27, 2020
Couchbase has completed a $105 million all-equity Series G round of fundraising.
May 27, 2020
Aqua Security closed a Series D round of $30M led by Greenspring Associates.
May 26, 2020
GitLab is releasing 13.0 of its DevSecOps platform to enable organizations to efficiently adapt and respond to new and dynamic business challenges.
May 26, 2020
Solo.io announced the availability of the Istio Developer Portal to streamline the developer onboarding process for improved developer experience and increased productivity with added security features.
May 26, 2020
WhiteHat Security will offer free application scanning services to any education institution to support secure online learning.
May 21, 2020
Exadel announced the Grand Prize winner of the “Appery.io COVID-19 Virtual Hackathon.”
May 21, 2020
CloudBees announced significant advances for its Software Delivery Management (SDM) platform – integrations with additional continuous integration and continuous delivery (CI/CD) engines, including Google Cloud Build and Tekton, and extension of the availability of CloudBees’ SDM Preview Program.
May 21, 2020
OutSystems is announcing over 70 development accelerators that ensure web and mobile applications created on the OutSystems low-code development platform can comply with the highest accessibility standards and regulations.
May 20, 2020
Styra announced that Styra Declarative Authorization Service (DAS) now supports microservices and extends context-based authorization to the service mesh.
May 20, 2020
Optimizely announced that its free feature flagging plan for development teams, Rollouts, now also includes A/B testing and feature configuration.
May 20, 2020
StackRox announced new runtime security features in the latest release of the StackRox Kubernetes Security Platform.
