Security and the Twelve-Factor App - Step 8
A blog series by WhiteHat Security
May 13, 2019

Eric Sheridan
WhiteHat Security

The previous post in this WhiteHat Security series on the Twelve-Factor App looked at exporting services via port binding and included advice on what to apply from a security point of view.

We now move on to Step 8 of the Twelve-Factor App, which recommends scaling out via the process model discussed in Step 7.

Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7

Defining Concurrency in the Twelve-Factor App

A simple explanation for this factor is to picture a lot of little processes handling specific requirements, such as web requests, API calls, or sending tweets. Keeping all these working independently means that the application will scale better, and you’ll be able to manage more activities concurrently.

According to the Twelve-Factor App, processes are first-class citizens that take strong cues from the Unix process model for running service daemons. Twelve-Factor goes on to say that by using this model, the developer can architect the app to handle diverse workloads by assigning each type of work to a process type. For example, HTTP requests may be handled by a web process, and long-running background tasks handled by a worker process.

Applying Security to Step 8

The security challenge in this step is that the ability to scale requires paying attention to APIs that are known to introduce Denial of Service issues. One such API is known as "readLine". Implementations of this method are available on almost every software development platform, yet they are subject to Denial of Service. "readLine" will continuously read bytes from a given input stream until a newline character is found. Assume the attacker controls that stream… what if the attacker never provides a newline character? What will happen? More often than not, this will result in errors and stability issues stemming from memory exhaustion.

Two simple processes can be implemented to strengthen the security posture of this step:

1. Ban DoS-able APIs: document the relevant DoS-able APIs for your platform (such as readLine) and ban them.

2. Resource Closure: expose simple patterns to facilitate closing of I/O resources (e.g. scope).
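Both practices, sketched in Python as an added example (not code from the original post or from WhiteHat Security): a length-capped replacement for an unbounded readLine, called inside a `with` scope that closes the stream on every path. The names `read_bounded_line`, `handle_request`, `EndlessStream` and the 8192-byte cap are assumptions made for illustration.

```python
import io

MAX_LINE = 8192  # assumed cap; size it to the longest legitimate line


class LineTooLong(Exception):
    """Raised when no newline arrives within the allowed number of bytes."""


class EndlessStream(io.RawIOBase):
    """Constructed test input: a peer that sends bytes forever, never a newline."""

    def __init__(self):
        super().__init__()
        self.bytes_served = 0

    def readable(self):
        return True

    def readinto(self, buf):
        n = len(buf)
        buf[:n] = b"A" * n
        self.bytes_served += n
        return n


def read_bounded_line(stream, max_len=MAX_LINE):
    """Return one line without its newline, reading at most max_len + 1 bytes."""
    # readline(size) stops at a newline OR after size bytes, whichever is first.
    chunk = stream.readline(max_len + 1)
    if chunk.endswith(b"\n"):
        return chunk[:-1]
    if len(chunk) > max_len:
        raise LineTooLong(f"no newline within {max_len} bytes")
    return chunk  # EOF reached before a newline: short final line


def handle_request(raw, max_len=MAX_LINE):
    """Read the first line of a request; the with-scope closes the stream."""
    with io.BufferedReader(raw, buffer_size=4096) as reader:
        try:
            return read_bounded_line(reader, max_len)
        except LineTooLong:
            return None  # reject the request instead of buffering further
```

Against the endless stream, the handler gives up after one buffer fill instead of growing memory until the process fails, and the stream is closed whether the line was accepted or rejected.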

In the next blog we will cover Step 9, Disposability, which is all about maximizing robustness with fast startup and a graceful shutdown, and what this means from a security point of view.

Read Security and the Twelve-Factor App - Step 9

Eric Sheridan is Chief Scientist at WhiteHat Security