Security and the Twelve-Factor App - Step 7
A blog series by WhiteHat Security
April 08, 2019

Eric Sheridan
WhiteHat Security

The previous blog in this WhiteHat Security series recommended executing the app as one or more stateless processes by using small programs that communicate over the network. From a security standpoint it’s key to always assume that all process inputs are controlled by hackers, and create one or more processes that are dedicated exclusively to security services.

Start with Security and the Twelve-Factor App - Step 1

Start with Security and the Twelve-Factor App - Step 2

Start with Security and the Twelve-Factor App - Step 3

Start with Security and the Twelve-Factor App - Step 4

Start with Security and the Twelve-Factor App - Step 5

Start with Security and the Twelve-Factor App - Step 6

Step 7 of the Twelve-Factor App focuses on exporting services via port binding, and what to apply from a security point of view. Here is some actionable security-focused advice which developers and ops engineers can follow during the SaaS build and operations stages.

Defining Port Binding in the Twelve-Factor App

In this seventh step, the Twelve-Factor methodology encourages the integration of the network handling traffic code inside your running application. To explain, web apps are sometimes executed inside a web server container. For example, PHP apps might run as a module inside Apache HTTPD, or Java apps might run inside Tomcat.

The twelve-factor app is completely self-contained and does not rely on runtime injection of a webserver into the execution environment to create a web-facing service. The web app exports HTTP as a service by binding to a port, and listening to requests coming in on that port.

The challenge is that these modules must still be configured, which can lead to security risks if an app is bound to privileged ports or protected with poor passwords.

Applying Security to Step 6

To elevate security risks, bind your app to an unprivileged port and make use of port forwarding facilities. Unprivileged ports are any port number greater than 1024. Binding to a port above 1024 will not require system or root level privileges, thus allowing your app to run with least privilege. Port forwarding can then be used to transfer production traffic from a well-known privileged port, such as port 443, to a non-privileged port being used by your app. This can be achieved at the operating system level, often using firewall configurations. For example, the IP Tables firewall is commonly used to achieve port forwarding on Linux operating systems.

In the next blog we’ll chat through Step 8, which recommends scaling out via the process model, and two simple processes that can be incorporated to enhance security.

Read Security and the Twelve-Factor App - Step 8

Eric Sheridan is Chief Scientist at WhiteHat Security
Share this

Industry News

February 13, 2020

CyberArk announced the CyberArk Blueprint for Privileged Access Management Success, designed to help customers take a future-proof, phased and measurable approach to reducing privilege-related risk.

February 13, 2020

Cloudentity announced a partnership with Signal Sciences to provide a holistic approach for enterprise companies looking to secure their web applications and APIs.

February 13, 2020

OutSystems announced that the Portuguese government has agreed to co-finance €5.1 million through the Portugal 2020 economic development program for a pair of innovative research and development programs led by OutSystems.

February 12, 2020

Tata Consultancy Services (TCS) launched Jile 4.0, a major release of its on-the-cloud enterprise Agile DevOps platform that enables software teams to manage, automate and measure the end-to-end software delivery value stream from ideation to deployment.

February 12, 2020

Synopsys announced that on Feb. 18 it will release a major update to the Polaris Software Integrity Platform to extend its static application security testing (SAST) and software composition analysis (SCA) capabilities to the developer's desktop through the native integration of the Code Sight IDE plugin.

February 12, 2020

Tufin announced the availability of Tufin SecureCloud, a security policy automation service for enterprises needing to gain visibility and control of the security posture of their cloud-native and hybrid cloud environments.

February 11, 2020

Applause released its new Applause Accessibility Tool that automatically finds and fixes key accessibility issues earlier in the software development lifecycle.

February 11, 2020

Chef announced a new channel program specifically designed to ensure that partners and customers are able to take maximum advantage of Chef’s 100 percent open source business model.

February 11, 2020

IT Revolution announced the first round of speakers for DevOps Enterprise Summit London 2020.

February 10, 2020

Dynatrace announced new enhancements to its support for Kubernetes.

February 06, 2020

DevOps Institute announced its newly revamped Global Education Partner Program.

February 06, 2020

Automox raised $30 million in Series B funding.

February 05, 2020

Couchbase introduced Couchbase Cloud, a fully-managed Database-as-a-Service (DBaaS).

February 05, 2020

Univa announced the general availability of Navops Launch 2.0, its flagship cloud-automation platform, designed to help enterprises simplify the migration of HPC and AI workloads to their choice of cloud.

February 05, 2020

Fugue announced a Team plan to help cloud engineering teams collaborate and innovate faster and more securely.