Ambassador Labs released Telepresence for Docker, designed to make it easy for developer teams to build, test and deliver apps at scale across Kubernetes.
Security and the Twelve-Factor App - Step 8
A blog series by WhiteHat Security
May 13, 2019
In the previous blog of this WhiteHat Security series, the Twelve-Factor App looked at exporting services via port binding and included advice on what to apply from a security point of view.
We now move on to Step 8 of the Twelve-Factor App, which recommends scaling out via the process model discussed in Step 7.
Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Defining Concurrency in the Twelve-Factor App
A simple explanation for this factor is to picture a lot of little processes handling specific requirements, such as web requests, API calls, or sending tweets. Keeping all these working independently means that the application will scale better, and you’ll be able to manage more activities concurrently.
According to the Twelve-factor app, processes are a first class citizen, in which processes take strong cues from the unix process model for running service daemons. Twelve-Factor goes on to say that by using this model, the developer can architect the app to handle diverse workloads by assigning each type of work to a process type. For example, HTTP requests may be handled by a web process, and long-running background tasks handled by a worker process.
Applying Security to Step 8
The security challenge to this step is that the ability to scale requires paying attention to APIs that are known to introduce Denial of Service issues. One such API is known as "readLine". Implementations of this method are available on almost every software development platform and yet is subject to Denial of Service. "readLine" will continuously read bytes from a given input stream until a newline character is found. Assume the attacker controls that stream… what if the attacker never provides a newline character? What will happen? More often than not, this will result in errors and stability issues stemming from memory exhaustion.
Two simple processes can be implemented to strengthen the security posture of this step:
1. Ban DoS-able API i.e. Document relevant DoS-able API for your platform (such as readLine) and ban them
2. Resource Closure i.e. Expose simplistic patterns to facilitate closing of I/O resources (e.g. scope)
In the next blog we will cover Step 9, Disposability, which is all about maximizing robustness with fast startup and a graceful shutdown, and what this means from a security point of view.
Industry News
March 23, 2023
Fermyon Technologies introduced Spin 1.0, a major new release of the serverless functions framework based on WebAssembly.
March 23, 2023
Torc announced the acquisition of coding performance measurement application Codealike to empower software developers with even more data that increases skills, job opportunities and enterprise value.
March 23, 2023
Progress announced a free online training and certification program for Progress® OpenEdge®, the flagship Progress application development platform.
March 22, 2023
Opsera announced five patents have been issued to enable enterprise engineering leaders and teams to gain unprecedented end-to-end visibility into their software delivery and accelerate the speed and security of delivery, all while maximizing their investment.
March 22, 2023
DuploCloud announced the general availability of its on-prem solution built on top of Kubernetes, focusing on containerized workloads with near term plans to integrate with on-prem compute, storage and networking vendors.
March 22, 2023
Postman announced the general availability of Postman Flows, a visual tool for creating API applications. Postman Flows simplifies building software by using APIs as the building blocks, allowing anyone to produce workflows, integrations, and automations in a collaborative environment without needing to write a single line of code.
March 22, 2023
SecureAuth announced an alliance partnership with HashiCorp®, enabling organizations to leverage SecureAuth’s advanced passwordless authentication and Multi-Factor Authentication (MFA) device recognition.
March 22, 2023
Backslash Security, a new cloud-native application security solution for enterprise AppSec teams, emerged from stealth.
March 21, 2023
OpenText launched the latest version of ValueEdge -- an innovative modular, cloud-based DevOps and value stream management (VSM) platform.
March 21, 2023
Oracle announced the availability of Java 20, the latest version of the programming language and development platform.
March 21, 2023
Rafay Systems introduced Environment Manager, a solution that empowers enterprise platform teams to improve the developer experience by delivering self-service capabilities for provisioning full-stack environments.
March 20, 2023
To meet the growing demand for Oracle Container Engine for Kubernetes (OKE) with global organizations, Oracle Cloud Infrastructure (OCI) is introducing new capabilities that can boost the reliability and efficiency of large-scale Kubernetes environments while simplifying operations and reducing costs.
March 20, 2023
Perforce Software joined the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program and listed its free Enhanced Studio Pack (ESP) in AWS Marketplace.
March 20, 2023
Aembit, an identity platform that lets DevOps and Security teams discover, manage, enforce, and audit access between federated workloads, announced its official launch alongside $16.6M in seed financing from cybersecurity specialist investors Ballistic Ventures and Ten Eleven Ventures.
