[Owasp-leaders] OWASP Community Inquiry on Dev Ops [ ref:_00DU0IvqV._5000Bdo2pB:ref ]

Andy Willingham andy.willingham at owasp.org
Tue Aug 29 11:14:20 UTC 2017

Hi Mohamed,

I want to make sure that I am fully understanding your question. Are you asking if it is OK to use production data in test? Or are you asking what are the correct steps to ensure that you are properly protecting production data when it is used in a test environment?

I will attempt to answer both of these. First, it is best NOT to use production data in a test environment, simply because you want to minimize the copies of prod that you have in different places and because in most cases the test environment is not as secure as production and does not have the same level of controls in place to ensure that the data is not misused. While in a "perfect world" test and prod are the same, very few organizations have the resources to allow this to happen.
Second, if you are going to use prod data in a test environment then there are several things that you can do to minimize the risk.
1. Sanitize the data to try and obfuscate the sensitive data so that if it is accessed by unauthorized individuals then they are not seeing the "real" data.
2. If you can't obfuscate the data then you need to restrict who has access to the test environment to only those who absolutely need access.
3. You need to ensure that the test environment is properly segmented from the rest of the network and that any internet connections are well protected and that they use strong authentication to connect to them. When possible it is also advisable to use IP restrictions to reduce the likelihood of unauthorized connections.
4. Use what you can in regards to controls such as firewalls, IDS/IPS, application-level security controls, etc. to make the test environment as close to prod as you can.

These are not all-inclusive but they will allow you to give more protection to your data than without them. Hopefully others who are better versed at this than I am will chime in with additional advice.


Andy Willingham

On Aug 28, 2017, 10:43 PM -0400, Claudia Aviles-Casanovas <claudia.casanovas at owasp.org>, wrote:
> Hello Mohammed:
> Thank you for submitting your inquiry to our OWASP Community. I have cc'd our Project Leaders to help answer your question.
> OWASP Community Inquiry:
> Devops - is it the right step to copy production data into a test environment - what are the risks and mitigating controls one should consider?
> Please let me know if you have any other additional questions.
> Thank you,
> Claudia Aviles-Casanovas
> Project Coordinator
> ref:_00DU0IvqV._5000Bdo2pB:ref
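As an added illustration of point 1 in Andy's list above (sanitizing production data before it is loaded into a test environment), here is an example masking script. It is not part of the message or of any OWASP project; the sample records and the masking key are constructed for the example, and in practice the key would be held in a secret store on the production side so that test users cannot reverse the pseudonyms. The script replaces names and e-mail addresses with keyed, deterministic tokens (so joins and duplicate detection still work in test), truncates card numbers to their last four digits, leaves non-sensitive fields such as ids and amounts intact, and finishes with a check that none of the original sensitive values survive verbatim in the output.

```python
"""Deterministic masking of a production-style export before it is loaded into a test environment."""
import hashlib
import hmac
import re
from typing import Any, Dict, Iterable, List

# Constructed sample "production" export for the example; these are not real customers.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"customer_id": 1001, "name": "Ada Lovelace", "email": "ada@example.com",
     "card_number": "4111 1111 1111 1111", "order_total": 120.50},
    {"customer_id": 1002, "name": "Charles Babbage", "email": "charles@example.org",
     "card_number": "5500 0000 0000 0004", "order_total": 35.00},
    {"customer_id": 1001, "name": "Ada Lovelace", "email": "ada@example.com",
     "card_number": "4111 1111 1111 1111", "order_total": 9.99},
]

# Hypothetical masking key (assumption for the example). In practice it comes from a
# secret store and never leaves the production side, so test users cannot reverse tokens.
MASKING_KEY = b"example-masking-key-not-for-production"

# Fields whose original values must not appear anywhere in the masked output.
SENSITIVE_FIELDS = ("name", "email", "card_number")


def pseudonym(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, deterministic token: the same value always maps to the same token, so
    joins and duplicate detection still behave in test. The field name is mixed in so
    that a name and an e-mail with identical text get different tokens."""
    digest = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_email(key: bytes, value: str) -> str:
    """Replace the whole address; the reserved .invalid TLD guarantees test mail is never delivered."""
    return f"user-{pseudonym(key, 'email', value)}@test.invalid"


def mask_card(value: str) -> str:
    """Keep only the last four digits, which is enough for testers to tell cards apart."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_record(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return a masked copy; non-sensitive fields (ids, amounts) are left intact."""
    out = dict(record)
    out["name"] = "Customer " + pseudonym(key, "name", record["name"], 8)
    out["email"] = mask_email(key, record["email"])
    out["card_number"] = mask_card(record["card_number"])
    return out


def sanitize_dataset(records: Iterable[Dict[str, Any]], key: bytes) -> List[Dict[str, Any]]:
    """Mask every record in the export with the same key so referential integrity is preserved."""
    return [sanitize_record(r, key) for r in records]


def leaks_original_values(originals: Iterable[Dict[str, Any]], masked: Iterable[Dict[str, Any]]) -> bool:
    """True if any original sensitive value survives verbatim somewhere in the masked output.
    Run this before the masked file is allowed to leave the production side."""
    haystack = " ".join(str(v) for rec in masked for v in rec.values())
    return any(str(rec[f]) in haystack for rec in originals for f in SENSITIVE_FIELDS)


if __name__ == "__main__":
    masked_rows = sanitize_dataset(SAMPLE_RECORDS, MASKING_KEY)
    for row in masked_rows:
        print(row)
    print("leak check passed:", not leaks_original_values(SAMPLE_RECORDS, masked_rows))
```

The two records for customer 1001 receive the same masked e-mail, so tests that group or join on that column keep working, while nothing in the output can be traced back to the real address without the key. The final leak check is the step worth automating in the pipeline that copies data to test: if it fails, the export should not leave production.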
