JFrog announced an expansion of its AI governance capabilities within the JFrog Software Supply Chain Platform with the introduction of Shadow AI Detection.
Security and the Twelve-Factor App - Step 8
A blog series by WhiteHat Security
May 13, 2019
In the previous blog of this WhiteHat Security series, the Twelve-Factor App looked at exporting services via port binding and included advice on what to apply from a security point of view.
We now move on to Step 8 of the Twelve-Factor App, which recommends scaling out via the process model discussed in Step 7.
Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Defining Concurrency in the Twelve-Factor App
A simple explanation for this factor is to picture a lot of little processes handling specific requirements, such as web requests, API calls, or sending tweets. Keeping all these working independently means that the application will scale better, and you’ll be able to manage more activities concurrently.
According to the Twelve-factor app, processes are a first class citizen, in which processes take strong cues from the unix process model for running service daemons. Twelve-Factor goes on to say that by using this model, the developer can architect the app to handle diverse workloads by assigning each type of work to a process type. For example, HTTP requests may be handled by a web process, and long-running background tasks handled by a worker process.
Applying Security to Step 8
The security challenge to this step is that the ability to scale requires paying attention to APIs that are known to introduce Denial of Service issues. One such API is known as "readLine". Implementations of this method are available on almost every software development platform and yet is subject to Denial of Service. "readLine" will continuously read bytes from a given input stream until a newline character is found. Assume the attacker controls that stream… what if the attacker never provides a newline character? What will happen? More often than not, this will result in errors and stability issues stemming from memory exhaustion.
Two simple processes can be implemented to strengthen the security posture of this step:
1. Ban DoS-able API i.e. Document relevant DoS-able API for your platform (such as readLine) and ban them
2. Resource Closure i.e. Expose simplistic patterns to facilitate closing of I/O resources (e.g. scope)
In the next blog we will cover Step 9, Disposability, which is all about maximizing robustness with fast startup and a graceful shutdown, and what this means from a security point of view.
Industry News
November 13, 2025
Red Hat introduced the general availability of Red Hat Enterprise Linux 10.1 and 9.7, building on the innovations of Red Hat Enterprise Linux 10 for a more intelligent and future-ready computing foundation.
November 13, 2025
Solo.io announced the launch of agentregistry, a centralized, trusted, and curated open source registry for AI applications and artifacts.
November 12, 2025
Red Hat announced the general availability of Red Hat OpenShift 4.20, the latest version of the hybrid cloud application platform powered by Kubernetes.
November 12, 2025
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced a major new release of Helm, coinciding with the project’s 10th anniversary.
November 12, 2025
Mirantis announced the latest release of Mirantis k0rdent Enterprise, with Mirantis k0rdent Virtualization – enabling workloads to run with cloud-native applications and traditional virtualized workloads.
November 12, 2025
Couchbase announced significant advancements to the Couchbase Mobile platform, which makes it possible to run AI-powered applications on devices operating at the disconnected edge.
November 12, 2025
Legit Security announced VibeGuard, a solution designed to secure AI-generated code at the moment of creation and to secure coding agents.
November 12, 2025
Black Duck announced that Black Duck® SCA can now identify and analyze AI models, starting with the 2025.10.0 release.
November 10, 2025
Parasoft is showcasing its latest innovations in software quality assurance for safety- and security-critical embedded systems at embedded world North America, booth 8031.
November 10, 2025
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced new integrations between Falco, a graduated project, and Stratoshark, a forensic tool inspired by Wireshark.
November 10, 2025
CKEditor announced the launch of CKEditor AI, an addition to CKEditor that makes it a rich text editor to integrate multi-turn conversational AI.
November 10, 2025
BellSoft announced Hardened Images, a tool for enhancing the security and compliance of containerized applications in Kubernetes.
November 06, 2025
Check Point® Software Technologies Ltd. announced it has been named as a Recommended vendor in the NSS Labs 2025 Enterprise Firewall Comparative Report, with the highest security effectiveness score.
November 06, 2025
Buoyant announced upcoming support for Model Context Protocol (MCP) in Linkerd to extend its core service mesh capabilities to this new type of agentic AI traffic.
