webAI and MacStadium(link is external) announced a strategic partnership that will revolutionize the deployment of large-scale artificial intelligence models using Apple's cutting-edge silicon technology.
Security and the Twelve-Factor App - Step 4
A blog series by WhiteHat Security
September 12, 2018
The previous chapter in this WhiteHat Security series examined the security component of step three of the Twelve-Factor methodology — storing config in the environment — with a key focus on the importance of auditing the environment when externalizing. This means identifying and applying hardening guidelines to the environment, and taking the opportunity to leverage a third party security team to assess the environment.
Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
This next blog examines the security component of step four of the Twelve-Factor methodology — backing services. Here follows some actionable advice from the WhiteHat Security Addendum Checklist, which developers and ops engineers can follow during the SaaS build and operations stages.
Defining Backing Services in the Twelve-Factor App
The fourth factor of the Twelve-Factor methodology advises treating backing services as attached resources. It describes backing services as anything that’s outside of your app that may be treated as a resource, for example datastores, messaging/queuing systems, SMTP services for outbound email and caching services.
According to Twelve-Factor, backing services like the database are traditionally managed by the same systems administrators as the app’s runtime deploy. Additionally, the app may also have services provided and managed by third parties. What’s key here is that the code for a twelve-factor app makes no distinction between local and third party services. From the app’s point of view, both are attached resources, which means that a deploy of the twelve-factor app should be able to interchange a local MySQL database with one managed by a third party without any changes to the app’s code.
The rationale is that resources can be attached to and detached from deploys at will. Twelve-Factor shares this example: “If the app’s database is misbehaving due to a hardware issue, the app’s administrator might spin up a new database server restored from a recent backup. The current production database could be detached, and the new database attached — all without any code changes.”
Applying Security to Backing Services
Treating backing services as attached resources helps to encourage encapsulated development and smaller programs for example, but from a security perspective, backing services can also inadvertently encapsulate vulnerabilities.
It’s important to keep the following in mind:
1. You assume their risk
Understand the security posture of the backing service and write code as if it is being attacked, or is attacking you. This is important because at some point in the application’s normal business operation, it will either send or receive sensitive data from the backing service.
If the backing service contains a vulnerability that is exploited, this means that the application’s sensitive data (including customer data) is subject to exposure. Even though you may not have written or built that backing service, ultimately the responsibility is still yours should it be exploited.
2. Secure your communications
Establish all connections using Transport Layer Security (TLS), a cryptographic protocol that provides communications security over a computer network. Authenticate to the backing service using a least privileged account i.e. an account that has only the minimum set of permissions or privileges necessary for it to complete its task.
For example, consider iOS or Android-based mobile devices. When logging into these devices, using a pin number, we are usually logging in with a personal account, which has limited capabilities and permissions. More specifically, it’s not possible to obtain system level privileges on iOS or Android devices. unless we jailbreak those devices. Apple and Google designed these products so that the users (as well as the applications) have enough capabilities to carry out basic tasks but restrict the ability of the user to perform system level tasks.
This analogy is similar to backing services. When we connect and authenticate to a backing service, we are using an account that has just enough permission to carry out the functionality that the application needs. As an example, assume the application needs to connect to a Postgres database. The solution involves creating a separate Postgres account for the application with only the necessary privileges.
3. Resource security abstraction
Encapsulate security checks within the Resource abstraction, and limit the need for users of the Resource abstraction to be security aware.
Industry News
March 27, 2025
March 27, 2025
Development work on the Linux kernel — the core software that underpins the open source Linux operating system — has a new infrastructure partner in Akamai. The company's cloud computing service and content delivery network (CDN) will support kernel.org, the main distribution system for Linux kernel source code and the primary coordination vehicle for its global developer network.
March 27, 2025
Komodor announced a new approach to full-cycle drift management for Kubernetes, with new capabilities to automate the detection, investigation, and remediation of configuration drift—the gradual divergence of Kubernetes clusters from their intended state—helping organizations enforce consistency across large-scale, multi-cluster environments.
March 26, 2025
Red Hat announced the latest updates to Red Hat AI, its portfolio of products and services designed to help accelerate the development and deployment of AI solutions across the hybrid cloud.
March 26, 2025
CloudCasa by Catalogic announced the availability of the latest version of its CloudCasa software.
March 26, 2025
BrowserStack announced the launch of Private Devices, expanding its enterprise portfolio to address the specialized testing needs of organizations with stringent security requirements.
March 25, 2025
Chainguard announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure.
March 25, 2025
Cloudelligent attained Amazon Web Services (AWS) DevOps Competency status.
March 25, 2025
Platform9 formally launched the Platform9 Partner Program.
March 24, 2025
Cosmonic announced the launch of Cosmonic Control, a control plane for managing distributed applications across any cloud, any Kubernetes, any edge, or on premise and self-hosted deployment.
March 20, 2025
Oracle announced the general availability of Oracle Exadata Database Service on Exascale Infrastructure on Oracle Database@Azure(link sends e-mail).
March 20, 2025
Perforce Software announced its acquisition of Snowtrack.
March 19, 2025
Mirantis and Gcore announced an agreement to facilitate the deployment of artificial intelligence (AI) workloads.
March 19, 2025
Amplitude announced the rollout of Session Replay Everywhere.
March 18, 2025
Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...
