Security and the Twelve-Factor App - Step 6
A blog series by WhiteHat Security
March 04, 2019

Eric Sheridan
WhiteHat Security

The previous blog in this WhiteHat Security series highlighted the individual build, release and run stages within the app-building process, and the appropriate security posture to incorporate within each of these phases.

Start with Security and the Twelve-Factor App - Step 1

Start with Security and the Twelve-Factor App - Step 2

Start with Security and the Twelve-Factor App - Step 3

Start with Security and the Twelve-Factor App - Step 4

Start with Security and the Twelve-Factor App - Step 5

Step 6 of the Twelve-Factor App methodology encourages executing the app as one or more stateless processes. Here is some actionable security-focused advice which developers and ops engineers can follow during the SaaS build and operations stages.

Defining Processes in the Twelve-Factor App

In this sixth step, the Twelve-Factor methodology encourages executing the app as one or more stateless processes by using small programs that communicate over the network. In other words, Twelve-Factor processes are stateless and contained in a shared-nothing (SN) architecture, a distributed-computing architecture in which each node is independent and self-sufficient, and there is no single point of contention across the system. More specifically, none of the nodes share memory or disk storage. The benefits of SN architecture include eliminating any single point of failure, allowing self-healing capabilities, and providing an advantage in offering non-disruptive upgrades.

Many organizations are undertaking a “re-platforming” journey, in which the overarching platform is broken up into smaller programs that are more service focused, enabling changes to be made more quickly.

Applying Security to Step 6

Unfortunately, a major security drawback of this journey is that when you start to break up a big building block into smaller pieces, the attack surface increases. This means there are more places where requests can be sent to your infrastructure, which equates to more opportunities to send an attack. Assumptions about how code will be invoked by its callers change when migrating to service-oriented architectures, and some of those changes impact security. By way of example, consider the WhiteHat Security 2018 Stats Report. This report compared vulnerability-related security metrics between monolith and microservices architectures and found that for every 100KLOC, monolith applications had 39 vulnerabilities whereas microservices had 180 vulnerabilities. Be mindful of legacy code that is being exposed over the network as you break up your app into services, as such code may have been written without security in mind.
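As an added illustration (not code from this post or from WhiteHat Security), the snippet below shows how a caller assumption breaks when an in-process function is exposed as a network service, and what the new boundary has to re-establish. All names are hypothetical; the `store` argument stands in for a backing service so the handler itself keeps no state, in line with Step 6, and `auth_subject` is assumed to be filled in by an authentication layer in front of the handler.

```python
import re

# Legacy in-process function. Inside the monolith it was only ever called by
# trusted code that had already validated its arguments, so it checks nothing.
def legacy_set_display_name(user_record: dict, name: str) -> dict:
    user_record["display_name"] = name
    return user_record

# Before: the legacy function wired straight to a network endpoint. The old
# assumption ("my caller already checked this") now applies to anyone who can
# reach the service, so any request can rename any user.
def exposed_without_checks(store: dict, request: dict) -> dict:
    user = store[request["user_id"]]
    legacy_set_display_name(user, request["name"])
    return {"status": 200}

# After: a stateless boundary that re-establishes the assumptions the legacy
# code relied on. Constructed rule: a display name is 1-40 characters from a
# conservative allow-list.
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,40}$")

def exposed_with_checks(store: dict, request: dict) -> dict:
    caller = request.get("auth_subject")   # assumed: set by the auth layer
    user_id = request.get("user_id")
    name = request.get("name", "")
    if caller is None:                     # unauthenticated request
        return {"status": 401}
    if caller != user_id:                  # authenticated, but not this user
        return {"status": 403}
    if user_id not in store:
        return {"status": 404}
    if not NAME_RE.fullmatch(name):        # input the monolith never saw
        return {"status": 400}
    legacy_set_display_name(store[user_id], name)
    return {"status": 200}
```

The handler holds no module-level state, so any number of identical processes can serve the same request; everything it needs arrives in the request or lives in the backing store.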

Read Security and the Twelve-Factor App - Step 7, which focuses on exporting services via port binding, and what to apply from a security point of view.

Eric Sheridan is Chief Scientist at WhiteHat Security
