Edge Ask The Experts

09:10 AM
Brad Causey

Is My Development Environment at Risk?

Development environments pose a few unique risks to the organization.

Question: What threats to developers and development environments should I know about, and how do I defend against them?

Brad Causey, CEO at Zero Day Consulting: Developers should be on the lookout for several threats. First, be wary of what libraries and third-party code you integrate into your applications. Aside from the obvious older and vulnerable versions out there, many companies are seeing supply chain attacks. This is where the attacker compromises an application or library in use by the organization but hosted and provided by a vendor. Recently, for example, a Chinese hacker group, Wicked Panda, has been compromising system admin tools and vendor update repositories in order to gain footholds into their consumer networks. The takeaway? Make sure anything you bundle into your software is vetted and safe. Also, take a close look at your integrated development environment (IDE) and other development tools.

Development environments pose a few unique risks to the organization. First, the security of these environments is generally lacking. Often, they will have weak permissions or poor/reused credentials. Additionally, they often have production data used for testing. This combination can often lead to production data being exposed to an attacker who homes in on the weaker security of a development environment.

Another common mistake is to use production credentials and configurations in both development and production environments. For example, if the username and password for a system administrator are the same for both production and development databases, attackers can pivot from one to the other more easily. Always segment out and protect your production environment from any attacks on dev.

What do you advise? Let us know in the Comments section, below.


Brad Causey is an active member of the security and forensics community worldwide. Brad tends to focus his time on Web Application security as it applies to global and enterprise arenas. He is a member of the OWASP Global Projects Committee and the President of the ...
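One way to check for the dev/prod credential reuse described in the answer above, as an added example that is not part of the original article or the author's own code: it compares secret-looking values in a development and a production env-style config and reports the key names that share a value, without printing the values. The `KEY=VALUE` file format, the key-name heuristic and the sample configs are assumptions constructed for illustration.

```python
import re

# Key names that usually hold credentials (a heuristic assumed for this example).
SECRET_KEY_RE = re.compile(r"pass(word|wd)?|secret|token|api_?key", re.I)

# Constructed sample configs, not taken from any real system.
DEV_ENV = """\
DB_HOST=dev-db.internal.example
DB_USER=dbadmin
DB_PASSWORD=Sup3r-Shared-Pw!
API_TOKEN=dev-only-token-1234
BACKUP_SECRET='prod-token-9876'
SMTP_PASSWORD=
"""
PROD_ENV = """\
DB_HOST=prod-db.internal.example
DB_USER=dbadmin
DB_PASSWORD="Sup3r-Shared-Pw!"
API_TOKEN=prod-token-9876
SMTP_PASSWORD=
"""

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip surrounding quotes."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs[key.strip()] = value.strip().strip("\"'")
    return pairs

def secrets_only(pairs):
    """Keep non-empty values whose key name looks like a credential."""
    return {k: v for k, v in pairs.items() if v and SECRET_KEY_RE.search(k)}

def shared_credentials(dev_text, prod_text):
    """Return sorted (dev_key, prod_key) pairs whose secret values are identical.
    Values are compared across all key names and never included in the result."""
    dev, prod = secrets_only(parse_env(dev_text)), secrets_only(parse_env(prod_text))
    return sorted((dk, pk) for dk, dv in dev.items()
                  for pk, pv in prod.items() if dv == pv)

if __name__ == "__main__":
    for dev_key, prod_key in shared_credentials(DEV_ENV, PROD_ENV):
        print(f"REUSED: dev {dev_key} has the same value as prod {prod_key}")
```

Comparing across all key names, not only matching ones, also catches a production secret that was copied into development under a different name.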

8/25/2019 | 8:31:55 AM
mimic production
By mimicking production we can put in controls that address a number of the issues from the outside world. One of the things the security and devops teams can do is to address the application development process on a case-by-case basis. This will ensure that the application works in a controlled environment where security and development work synergistically together. Also, in order to do that effectively it would be better to develop a DevSecOps team that has a clear understanding of the code and identifies the outside areas of what it affects. T