Security and the Twelve-Factor App - Step 8
A blog series by WhiteHat Security
May 13, 2019

Eric Sheridan
WhiteHat Security

In the previous blog of this WhiteHat Security series, the Twelve-Factor App looked at exporting services via port binding and included advice on what to apply from a security point of view.

We now move on to Step 8 of the Twelve-Factor App, which recommends scaling out via the process model discussed in Step 7.

Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7

Defining Concurrency in the Twelve-Factor App

A simple explanation for this factor is to picture a lot of little processes handling specific requirements, such as web requests, API calls, or sending tweets. Keeping all these working independently means that the application will scale better, and you’ll be able to manage more activities concurrently.

According to the Twelve-factor app, processes are a first class citizen, in which processes take strong cues from the unix process model for running service daemons. Twelve-Factor goes on to say that by using this model, the developer can architect the app to handle diverse workloads by assigning each type of work to a process type. For example, HTTP requests may be handled by a web process, and long-running background tasks handled by a worker process.

Applying Security to Step 8

The security challenge to this step is that the ability to scale requires paying attention to APIs that are known to introduce Denial of Service issues. One such API is known as "readLine". Implementations of this method are available on almost every software development platform and yet is subject to Denial of Service. "readLine" will continuously read bytes from a given input stream until a newline character is found. Assume the attacker controls that stream… what if the attacker never provides a newline character? What will happen? More often than not, this will result in errors and stability issues stemming from memory exhaustion.

Two simple processes can be implemented to strengthen the security posture of this step:

1. Ban DoS-able API i.e. Document relevant DoS-able API for your platform (such as readLine) and ban them

2. Resource Closure i.e. Expose simplistic patterns to facilitate closing of I/O resources (e.g. scope)

In the next blog we will cover Step 9, Disposability, which is all about maximizing robustness with fast startup and a graceful shutdown, and what this means from a security point of view.

Read Security and the Twelve-Factor App - Step 9

Eric Sheridan is Chief Scientist at WhiteHat Security
Share this

Industry News

October 02, 2023

Spectro Cloud announced Palette EdgeAI to simplify how organizations deploy and manage AI workloads at scale across simple to complex edge locations, such as retail, healthcare, industrial automation, oil and gas, automotive/connected cars, and more.

September 28, 2023

Kong announced Kong Konnect Dedicated Cloud Gateways, the simplest and most cost-effective way to run Kong Gateways in the cloud fully managed as a service and on enterprise dedicated infrastructure.

September 28, 2023

Sisense unveiled the public preview of Compose SDK for Fusion.

September 28, 2023

Cloudflare announced Hyperdrive to make every local database global. Now developers can easily build globally distributed applications on Cloudflare Workers, the serverless developer platform used by over one million developers, without being constrained by their existing infrastructure.

September 27, 2023

Kong announced full support for Kong Mesh in Konnect, making Kong Konnect an API lifecycle management platform with built-in support for Kong Gateway Enterprise, Kong Ingress Controller and Kong Mesh via a SaaS control plane.

September 27, 2023

Vultr announced the launch of the Vultr GPU Stack and Container Registry to enable global enterprises and digital startups alike to build, test and operationalize artificial intelligence (AI) models at scale — across any region on the globe. \

September 27, 2023

Salt Security expanded its partnership with CrowdStrike by integrating the Salt Security API Protection Platform with the CrowdStrike Falcon® Platform.

September 26, 2023

Progress announced a partnership with Software Improvement Group (SIG), an independent technology and advisory firm for software quality, security and improvement, to help ensure the long-term maintainability and modernization of business-critical applications built on the Progress® OpenEdge® platform.

September 26, 2023

Solace announced a new version of its Solace Event Portal solution that gives organizations with Apache Kafka deployments better visibility into, and control over, their Kafka event streams, brokers and associated assets.

September 26, 2023

Reply launched a proprietary framework for generative AI-based software development, KICODE Reply.

September 26, 2023

Harness announced the industry-wide Engineering Excellence Collective™, an engineering leadership community.

September 25, 2023

Harness announced four new product modules on the Harness platform.

September 25, 2023

Sylabs announced the release of SingularityCE 4.0.

September 25, 2023

Timescale announced the launch of Timescale Vector, enabling developers to build production AI applications at scale with PostgreSQL.