webAI and MacStadium(link is external) announced a strategic partnership that will revolutionize the deployment of large-scale artificial intelligence models using Apple's cutting-edge silicon technology.
Security and the Twelve-Factor App - Step 6
A blog series by WhiteHat Security
March 04, 2019
The previous blog in this WhiteHat Security series highlighted the individual build, release and run stages within the app-building process, and the appropriate security posture to incorporate within each of these phases.
Start with Security and the Twelve-Factor App - Step 1
Start with Security and the Twelve-Factor App - Step 2
Start with Security and the Twelve-Factor App - Step 3
Start with Security and the Twelve-Factor App - Step 4
Start with Security and the Twelve-Factor App - Step 5
Step 6 of the Twelve-Factor App methodology encourages executing the app as one or more stateless processes. Here is some actionable security-focused advice which developers and ops engineers can follow during the SaaS build and operations stages.
Defining Processes in the Twelve-Factor App
In this sixth step, the Twelve-Factor methodology encourages executing the app as one or more stateless processes by using small programs that communicate over the network. In other words Twelve-factor processes are stateless and contained in a shared-nothing (SN) architecture, a distributed-computing architecture in which each node is independent and self-sufficient, and there is no single point of contention across the system. More specifically, none of the nodes share memory or disk storage. The benefits of SN architecture include eliminating any single point of failure, allowing self-healing capabilities. and providing an advantage in offering non-disruptive upgrade.
Many organizations are undertaking a “re-platforming” journey, in which the overarching platform is broken up into smaller programs that are more service focused, enabling changes to be made more quickly.
Applying Security to Step 6
Unfortunately, a major security drawback of this journey is that when you start to break up a big building block into smaller pieces, the attack surface increases. This means there are more places where requests can be sent to your infrastructure, which equates to more opportunities to send an attack. Assumptions about how code would be invoked by their callers will change when migrating to service oriented architectures, and some of those changes impact security. By way of example, consider the WhiteHat Security 2018 Stats Report. This report compared vulnerability related security metrics between monolith and microservices architectures and found that for every 100KLOC, monolith applications had 39 vulnerabilities whereas microservices had 180 vulnerabilities. Be mindful of legacy code that is being exposed over the network as you break up your app into services, as such code may have been written without security in mind.
Read Security and the Twelve-Factor App - Step 7, which focuses on exporting services via port binding, and what to apply from a security point of view.
Industry News
March 27, 2025
March 27, 2025
Development work on the Linux kernel — the core software that underpins the open source Linux operating system — has a new infrastructure partner in Akamai. The company's cloud computing service and content delivery network (CDN) will support kernel.org, the main distribution system for Linux kernel source code and the primary coordination vehicle for its global developer network.
March 27, 2025
Komodor announced a new approach to full-cycle drift management for Kubernetes, with new capabilities to automate the detection, investigation, and remediation of configuration drift—the gradual divergence of Kubernetes clusters from their intended state—helping organizations enforce consistency across large-scale, multi-cluster environments.
March 26, 2025
Red Hat announced the latest updates to Red Hat AI, its portfolio of products and services designed to help accelerate the development and deployment of AI solutions across the hybrid cloud.
March 26, 2025
CloudCasa by Catalogic announced the availability of the latest version of its CloudCasa software.
March 26, 2025
BrowserStack announced the launch of Private Devices, expanding its enterprise portfolio to address the specialized testing needs of organizations with stringent security requirements.
March 25, 2025
Chainguard announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure.
March 25, 2025
Cloudelligent attained Amazon Web Services (AWS) DevOps Competency status.
March 25, 2025
Platform9 formally launched the Platform9 Partner Program.
March 24, 2025
Cosmonic announced the launch of Cosmonic Control, a control plane for managing distributed applications across any cloud, any Kubernetes, any edge, or on premise and self-hosted deployment.
March 20, 2025
Oracle announced the general availability of Oracle Exadata Database Service on Exascale Infrastructure on Oracle Database@Azure(link sends e-mail).
March 20, 2025
Perforce Software announced its acquisition of Snowtrack.
March 19, 2025
Mirantis and Gcore announced an agreement to facilitate the deployment of artificial intelligence (AI) workloads.
March 19, 2025
Amplitude announced the rollout of Session Replay Everywhere.
March 18, 2025
Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...
