In 2016, Kevin Hoffman revisited the 12-factor app in Beyond the Twelve-Factor App (O’Reilly). His book revised and expanded the 12 factors to encompass 15 factors, accounting for advancements and learnings since 2012.
The additional factors (“API first,” Telemetry, and Security) highlight the growing significance of security and observability in cloud native applications.
API First
The “API first” principle posits that any functionality that your application provides should be exposed through a well-documented and versioned API. This approach benefits both the development of your application and its potential integration with other systems.
From a development perspective, “API first” encourages a clean separation of front end and back end code, making it easier to develop, test, and scale each independently. It also provides a clear contract for what functionality the back end provides and how it should be used, which can help to reduce bugs and improve consistency.
From an integration perspective, an “API first” approach means your application can be more easily combined with other systems. This is increasingly important in modern cloud environments, where complex systems are often composed of multiple smaller services.
Telemetry
Telemetry involves the collection and analysis of data generated by remote systems to gain insights into their operation, usage, and performance. In a cloud native context, telemetry usually involves tracking metrics, logs, and traces from your application and its underlying infrastructure.
Telemetry is crucial for monitoring the health of your system, understanding how it’s being used, and diagnosing issues when they arise. It is also an essential part of many modern practices such as observability and site reliability engineering (SRE).
Security
While the original 12-factor app principles include some security considerations, the renewed focus on security reflects its growing importance in the modern software landscape. This principle acknowledges that security is not an afterthought or an optional extra, but a fundamental concern that should be integrated into every stage of application development and operation.
In a cloud native context, this can involve practices like secure coding, automated vulnerability scanning, use of encryption for data at rest and in transit, proper management of secrets and credentials, use of least-privilege access controls, and ensuring regular updates and patches to all software components to protect against known vulnerabilities. This principle emphasizes that security is a shared responsibility across developers, operators, and security teams.
When considering the 12 factors, remember that they were originally devised for the Heroku platform and subsequently adopted by Cloud Foundry, a similar platform. While these principles remain relevant for modern cloud platforms, some are shaped by the constraints of the Heroku platform, which may not be applicable to Google Cloud in certain scenarios.