Security and the Twelve-Factor App - Step 10
A blog series by WhiteHat Security
September 16, 2019

Eric Sheridan
WhiteHat Security

In the previous chapter of this WhiteHat Security series, we recommended applying signatures and expirations to limit the life of derived security assertions. This is relevant for Twelve-Factor App’s Step 9, which focuses on disposability i.e. apps built using the twelve-factor methodology can be started or stopped at a moment’s notice.

Step 10 highlights DEV/product parity and relates to keeping development, staging and production as similar as possible.

Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Start with Security and the Twelve-Factor App - Step 8
Start with Security and the Twelve-Factor App - Step 9

Defining DEV/Product Parity in the Twelve-Factor App

The tenth factor, DEV/product parity, suggests keeping development, staging and production as similar as possible. According to 12.factor.net, historically there have been significant gaps between development, edits to a local deploy of the app and production.

The twelve-factor app is designed for continuous deployment by keeping the gap between these as small and similar as possible.

Applying Security to Step 10

The Twelve-Factor app methodology puts a lot of emphasis on keeping services the same between the various phases of the product development lifecycle. However, when striving for DEV/prod parity as you move through the Twelve-Factors, it’s important that product secrets are not shared. Uber found this out the hard way when it stored a sensitive database key(link is external) on a public GitHub page.

Enforce the separation of duties. This means that DEV can’t see any secrets in QA, QA can’t see any secrets in STAGE, and STAGE can’t see any secrets in PROD.

Replicate security services. Simply put, product security services must be replicated in the DEV, QA, and STAGE processes.

Read Security and the Twelve-Factor App - Step 11

Eric Sheridan is Chief Scientist at WhiteHat Security
Share this

Related Links

www.whitehatsec.com(link is external)
www.12factor.net(link is external)
Security and the Twelve-Factor App - Step 1

Industry News

LambdaTest Launches HyperExecute MCP Server
April 14, 2025

LambdaTest announced the launch of the HyperExecute MCP Server, an enhancement to its AI-native test orchestration platform, HyperExecute.

Cloudflare Announces Workers VPC and VPC Private Link
April 14, 2025

Cloudflare announced Workers VPC and Workers VPC Private Link, new solutions that enable developers to build secure, global cross-cloud applications on Cloudflare Workers.

Nutrient Expands Cloud-Based Services
April 14, 2025

Nutrient announced a significant expansion of its cloud-based services, as well as a series of updates to its SDK products, aimed at enhancing the developer experience by allowing developers to build, scale, and innovate with less friction.

Check Point Recognized for #1 AI-Powered Cyber Security Platform by Miercom
April 10, 2025

Check Point® Software Technologies Ltd.(link is external) announced that its Infinity Platform has been named the top-ranked AI-powered cyber security platform in the 2025 Miercom Assessment.

Orca Introduces Bitbucket App
April 10, 2025

Orca Security announced the Orca Bitbucket App, a cloud-native seamless integration for scanning Bitbucket Repositories.

Live API for Gemini Models in Preview
April 10, 2025

The Live API for Gemini models is now in Preview, enabling developers to start building and testing more robust, scalable applications with significantly higher rate limits.

Backslash Security Digital Twin Approach to Application Security Gains Traction as Legacy Tools Fall Short
April 09, 2025

Backslash Security(link is external) announced significant adoption of the Backslash App Graph, the industry’s first dynamic digital twin for application code.

SmartBear Releases API Hub for Test
April 09, 2025

SmartBear launched API Hub for Test, a new capability within the company’s API Hub, powered by Swagger.

Akamai Announces App & API Protector Hybrid
April 09, 2025

Akamai Technologies introduced App & API Protector Hybrid.

Veracode Secures Patent for Veracode Fix
April 09, 2025

Veracode has been granted a United States patent for its generative artificial intelligence security tool, Veracode Fix.

Zesty Introduces Vertical Pod Autoscaler
April 09, 2025

Zesty announced that its automated Kubernetes optimization platform, Kompass, now includes full pod scaling capabilities, with the addition of Vertical Pod Autoscaler (VPA) alongside the existing Horizontal Pod Autoscaler (HPA).

Check Point Software Emerges as a Leader in Attack Surface Management After Acquiring Cyberint, According to Latest GigaOm Radar Report
April 08, 2025

Check Point® Software Technologies Ltd.(link is external) has emerged as a leading player in Attack Surface Management (ASM) with its acquisition of Cyberint, as highlighted in the recent GigaOm Radar report.

GitHub Releases Security Campaigns with Copilot Autofix
April 08, 2025

GitHub announced the general availability of security campaigns with Copilot Autofix to help security and developer teams rapidly reduce security debt across their entire codebase.

DX and Spotify Partner on Portal for Backstage
April 08, 2025

DX and Spotify announced a partnership to help engineering organizations achieve higher returns on investment and business impact from their Spotify Portal for Backstage implementation.

Appfire Launches Cloud Advantage Alliance
April 07, 2025

Appfire announced its launch of the Appfire Cloud Advantage Alliance.

More Industry News