webAI and MacStadium(link is external) announced a strategic partnership that will revolutionize the deployment of large-scale artificial intelligence models using Apple's cutting-edge silicon technology.
Security and the Twelve-Factor App - Step 2
A blog series by WhiteHat Security
June 25, 2018
The previous chapter in this WhiteHat Security series discussed Codebase as the first step of the Twelve-Factor App and defined a security best practice approach for ensuring a secure source control system. Considering the importance of applying security in a modern DevOps world, this next chapter examines the security component of step two of the Twelve-Factor methodology.
Start with Security and the Twelve-Factor App - Step 1
Here follows some actionable advice from the WhiteHat Security Addendum Checklist, which developers and ops engineers can follow during the SaaS build and operations stages.
Defining Dependencies in the Twelve-Factor App
All the environments in which code runs will need to have some dependencies, such as a database or an image library. The second step of the Twelve-Factor app methodology refers to the management of application dependencies, and calls for these dependencies to be explicitly declared and isolated. Apps built according to Twelve-Factor declare all dependencies completely and exactly via a dependency declaration manifest. Additionally, it uses a dependency isolation tool to make sure that no implicit dependencies ‘trickle in’ from the surrounding system. Irrespective of the tool chain, this step advocates that dependency declaration and isolation must always be used together.
The benefit it creates is a simplified setup for developers new to the app, who can examine and set up the app’s codebase onto their development machine needing only the language runtime and dependency manager installed as fundamentals.
Applying Security to Dependencies
Most modern applications consist of just 10% of built code, and up to 90% of borrowed code. Because open source is used everywhere, it’s logical that it can enter the code from everywhere and often, application security vulnerabilities come along with it. According to the National Vulnerability Database(link is external) more than 5,000 new vulnerabilities are disclosed in open source software each year. And it’s these vulnerabilities that pose the biggest security risk to applications. The Department of Defense and Security says that of all recorded security threats in the U.S., 90% occurred as a result of exploits against defects in software, rather than holes in the network.
In order therefore to ensure application security, it’s important to have an understanding of what third party dependencies are in your code. Are they affected by known security vulnerabilities? Are they up-to-date and do they comply with license policies?
Software Composition Analysis (SCA) is one solution that provides in-depth visibility into the third-party and open source dependencies that have been integrated into your applications, helping you to understand potential application vulnerabilities and the overall security posture of your web and mobile applications. SCA can help you accelerate the time-to-market for applications by allowing you to safely and confidently utilize third party code, without introducing unnecessary risk.
■ Know your composition. Software composition analysis will enable you to identify third party and open source dependencies that have been integrated into your applications. Build a portfolio of dependencies consumed by your applications and where those applications are deployed. In the event a third-party dependency becomes vulnerable, you should be able to quickly identify what applications are impacted and where those applications are deployed.
■ Know your risks. Software composition analysis also provides information about license risks and can therefore help organizations reduce these risks that may be hidden in open source agreements. This extends to identifying and remediating those dependencies that may introduce security and/or legal risks. It is not uncommon for an application to contain 10 or more explicitly declared dependencies and over 40 implicitly declared dependencies, totaling 40 or more dependencies. That’s a lot of potential risk!
■ Review dependencies regularly. Now that you know what risks each of these dependencies uses, it will be easy to identify and remove those ones that conflict with business policies. Automate the extraction of composition and liabilities and enforce risk acceptance policy via integration into the build pipeline.
Considering most code is open source, and that applications are a popular attack surface, coupled with further targeted attacks on vulnerabilities in open source code, SCA is an integral part of application security, and secure DevOps. It therefore has a critical role to play in the Twelve-Factor app and for any developer using the methodology, it should be an automatic part of Factor 2’s security checklist.
Industry News
March 27, 2025
March 27, 2025
Development work on the Linux kernel — the core software that underpins the open source Linux operating system — has a new infrastructure partner in Akamai. The company's cloud computing service and content delivery network (CDN) will support kernel.org, the main distribution system for Linux kernel source code and the primary coordination vehicle for its global developer network.
March 27, 2025
Komodor announced a new approach to full-cycle drift management for Kubernetes, with new capabilities to automate the detection, investigation, and remediation of configuration drift—the gradual divergence of Kubernetes clusters from their intended state—helping organizations enforce consistency across large-scale, multi-cluster environments.
March 26, 2025
Red Hat announced the latest updates to Red Hat AI, its portfolio of products and services designed to help accelerate the development and deployment of AI solutions across the hybrid cloud.
March 26, 2025
CloudCasa by Catalogic announced the availability of the latest version of its CloudCasa software.
March 26, 2025
BrowserStack announced the launch of Private Devices, expanding its enterprise portfolio to address the specialized testing needs of organizations with stringent security requirements.
March 25, 2025
Chainguard announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure.
March 25, 2025
Cloudelligent attained Amazon Web Services (AWS) DevOps Competency status.
March 25, 2025
Platform9 formally launched the Platform9 Partner Program.
March 24, 2025
Cosmonic announced the launch of Cosmonic Control, a control plane for managing distributed applications across any cloud, any Kubernetes, any edge, or on premise and self-hosted deployment.
March 20, 2025
Oracle announced the general availability of Oracle Exadata Database Service on Exascale Infrastructure on Oracle Database@Azure(link sends e-mail).
March 20, 2025
Perforce Software announced its acquisition of Snowtrack.
March 19, 2025
Mirantis and Gcore announced an agreement to facilitate the deployment of artificial intelligence (AI) workloads.
March 19, 2025
Amplitude announced the rollout of Session Replay Everywhere.
March 18, 2025
Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...
