Security and the Twelve-Factor App - Step 5
A blog series by WhiteHat Security
October 29, 2018

Eric Sheridan
WhiteHat Security

The previous chapter in this WhiteHat Security series examined the security component of step four of the Twelve-Factor methodology - backing services. Twelve-Factor suggests treating these as attached resources, but from a security standpoint it's important to understand the security posture of the backing service, as well as proactively securing communications and encapsulating security checks within the Resource abstraction.

Start with Security and the Twelve-Factor App - Step 1

Start with Security and the Twelve-Factor App - Step 2

Start with Security and the Twelve-Factor App - Step 3

Start with Security and the Twelve-Factor App - Step 4

This next chapter highlights the build, release and run stages within the app-building process, which step 5 recommends separating.

Defining Build, Release, Run in the Twelve-Factor App

Factor 5 of the Twelve-Factor App relates more to processes and advises strictly separating the build and run stages. The emphasis is on identifying and separating each stage of app development, and encouraging automation between each so as to accelerate the process.

To explain in more detail, a codebase is transformed into a (non-development) deploy through three stages:

■ The build stage is a transform which converts a code repository into an executable bundle known as a build. Using a version of the code at a commit specified by the deployment process, the build stage fetches vendors dependencies and compiles binaries and assets.

■ The release stage takes the build produced by the build stage and combines it with the deploy's current configuration. The resulting release contains both the build and the configuration and is ready for immediate execution in the execution environment.

■ The run stage (also known as “runtime”) runs the app in the execution environment, by launching some set of the app's processes against a selected release.

The twelve-factor app uses strict separation between the build, release, and run stages.

Applying Security to the Build, Release, Run Stages

From a security point of view, keep in mind these key activities during the build, release and run stages:

Build - enforce security policy. The Build Stage is responsible for automating enforce of the security policy, and breaking builds that fail the said policy.

Release - security go/no-go. The Release Stage should provide a consolidated view of the application's risk, thereby allowing for a "go/no-go" decision with respect to Release.

Run - production protection. The Run Stage should provide capabilities to reduce business impact of exploited vulnerability (whether known or unknown).

Read Security and the Twelve-Factor App - Step 6 about processes, which encourages executing the app as one or more stateless processes by using small programs that communicate over the network, and the security implications of this step.

Eric Sheridan is Chief Scientist at WhiteHat Security
Share this

Industry News

October 22, 2020

Puppet announced Puppet Comply, a new product built to work with Puppet Enterprise aimed at assessing, remediating, and enforcing infrastructure configuration compliance policies at scale across traditional and cloud environments.

October 22, 2020

Harness announced two new modules: Continuous Integration Enterprise and Continuous Features.

October 22, 2020

Render announced automatic preview environments which are essential for rapid and collaborative development of modern applications.

October 21, 2020

Conducto is launching a toolkit for simplifying complex CI/CD and data science pipelines, having raised $3 million in seed funding led by Jump Capital.

October 21, 2020

Snyk Intel vulnerability database will be integrated into IBM Cloud security capabilities to enhance security for enterprise workloads.

October 21, 2020

Accurics announced $20 million across seed and series A financing raised in the past six months, with Intel Capital leading the Series A and ClearSky leading the seed.

October 20, 2020

Splunk announced the Splunk Observability Suite, the most comprehensive and powerful combination of monitoring, investigation, and troubleshooting solutions designed to help organizations become cloud-ready and accelerate their digital transformation.

October 20, 2020

Tricentis announced Vision AI, the core technology that will now power Tosca.

October 20, 2020

MuseDev has extended its code analysis platform to deliver bug reports via Github's code scanning UI.

October 20, 2020

Digital Shadows announced the ability to detect exposed access keys.

October 19, 2020

StackRox and Robin.io announced a new partnership bringing together Robin’s application-focused approach to Kubernetes data management with StackRox’s Kubernetes-native security and compliance capabilities.

October 19, 2020

PubNub announced new Chat UI Kits to streamline chat development.

October 19, 2020

Secure Code Warrior announced support for GitHub’s new code scanning functionality in conjunction with a new collaboration with Snyk.

October 15, 2020

Couchbase announced version 2.8 of Couchbase Lite and Couchbase Sync Gateway for mobile and edge computing applications.

October 15, 2020

Kong unveiled the private beta release of Kong Konnect, a full-stack platform for cloud native applications delivered as a service.