Security and the Twelve-Factor App - Step 11
A blog series by WhiteHat Security
October 15, 2019

Eric Sheridan
WhiteHat Security

In the previous chapter of this WhiteHat Security series, DEV/product parity was the key focus area, and relates to keeping development, staging and production as similar as possible. The security posture to adopt when striving for DEV/prod parity as you move through the Twelve-Factors is to ensure that product secrets are not shared.

Step 11 suggests treating logs as event streams.

Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Start with Security and the Twelve-Factor App - Step 6
Start with Security and the Twelve-Factor App - Step 7
Start with Security and the Twelve-Factor App - Step 8
Start with Security and the Twelve-Factor App - Step 9
Start with Security and the Twelve-Factor App - Step 10

Defining Logs in the Twelve-Factor App

12.factor.net explains that Logs, which are the stream of aggregated, time-ordered events collected from the output streams of all running processes and backing services, offer visibility into the behaviour of a running app.

A twelve-factor app never concerns itself with routing or storage of its output stream. It should not attempt to write to or manage logfiles. Instead, each running process writes its event stream, unbuffered, to stdout. During local development, the developer will view this stream in the foreground of their terminal to observe the app’s behavior.

Applying Security to Step 11

The most important security step in this factor is to log for security in such a way that anyone who is aggregating the log can easily extract the security log messages to avoid being burdened with stack traces for example.

In other words, create a log record for each security critical event with supporting information, as well as a "SECURITY" log record category to assist in aggregation.

In the final chapter we cover Step 12, which is all about admin processes and running admin/management tasks as one-off processes.

Eric Sheridan is Chief Scientist at WhiteHat Security
Share this

Related Links

www.whitehatsec.com
www.12factor.net
Security and the Twelve-Factor App - Step 1

Industry News

Postman Launches AI Agent Builder
January 22, 2025

Postman announced the Postman AI Agent Builder, a suite empowering developers to quickly design, test, and deploy intelligent agents by combining LLMs, APIs, and workflows into a unified solution.

CNCF Announces CubeFS Graduation
January 22, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of CubeFS.

BrowserStack Partners with Bitrise on Mobile App Testing
January 21, 2025

BrowserStack and Bitrise announced a strategic partnership to revolutionize mobile app quality assurance.

Render Raises $80M Series C Funding
January 21, 2025

Render raised $80M in Series C funding.

Mendix 10.18 Released
January 16, 2025

Mendix, a Siemens business, announced the general availability of Mendix 10.18.

Red Hat OpenShift Virtualization Engine Released
January 16, 2025

Red Hat announced the general availability of Red Hat OpenShift Virtualization Engine, a new edition of Red Hat OpenShift that provides a dedicated way for organizations to access the proven virtualization functionality already available within Red Hat OpenShift.

Contrast Security Releases Application Vulnerability Monitoring
January 16, 2025

Contrast Security announced the release of Application Vulnerability Monitoring (AVM), a new capability of Application Detection and Response (ADR).

Red Hat Connectivity Link Released
January 15, 2025

Red Hat announced the general availability of Red Hat Connectivity Link, a hybrid multicloud application connectivity solution that provides a modern approach to connecting disparate applications and infrastructure.

Appfire Brings 7pace Timetracker to the Atlassian Marketplace
January 15, 2025

Appfire announced 7pace Timetracker for Jira is live in the Atlassian Marketplace.

SmartBear Introduces AI-Driven Hubs
January 14, 2025

SmartBear announced the availability of SmartBear API Hub featuring HaloAI, an advanced AI-driven capability being introduced across SmartBear's product portfolio, and SmartBear Insight Hub.

Azul Announces Java Solutions to Help Financial Institutions Meet DORA Requirements
January 14, 2025

Azul announced that the integrated risk management practices for its OpenJDK solutions fully support the stability, resilience and integrity requirements in meeting the European Union’s Digital Operational Resilience Act (DORA) provisions.

OpsVerse Launches Aiden 2.0
January 14, 2025

OpsVerse announced a significantly enhanced DevOps copilot, Aiden 2.0.

Progress Once Again Honored as a Top Place to Work and Socially Responsible Organization by Prestigious Publications
January 13, 2025

Progress received multiple awards from prestigious organizations for its inclusive workplace, culture and focus on corporate social responsibility (CSR).

Red Hat Completes Acquisition of Neural Magic
January 13, 2025

Red Hat has completed its acquisition of Neural Magic, a provider of software and algorithms that accelerate generative AI (gen AI) inference workloads.

Code Intelligence Launches Spark
January 13, 2025

Code Intelligence announced the launch of Spark, an AI test agent that autonomously identifies bugs in unknown code without human interaction.

More Industry News