Development environments

Why it is important to protect development environments

In recent years, the multitude of high-profile attacks in development environments has demonstrated the clear need to have security protocols at all stages of the software development lifecycle.

According to a report by Argon, large companies such as Microsoft and Mercedes have been victims of cyberattacks in a pre-production or development environment, with the problems that this type of access entails, from reputational crises to significant economic losses.

Nevertheless, it is still quite common for companies to neglect security in development environments: the same Argon report found that 80% of companies stated that their development environments would not withstand a cyberattack.

Why is it crucial to protect development and pre-production environments, and how can this protection be ensured? Let us explain.

Why it is important to protect development environments

The development environment is the first stage within the software supply chain, followed by the pre-production environment, and finally, the production environment. 

In this first stage the new software is built: the code is written that will become the foundation of the finished tool. It is therefore common to work with datasets, some of which are generated synthetically and others of which contain sensitive data because they are copied from production environments.

Nevertheless, data protection in development environments is often neglected: the aforementioned report noted that only 30% of development projects have specific protection for this first phase.

In this context, there are several reasons why this is a significant error:

  • If the development environment is the foundation of the future software, it is essential to guarantee that no vulnerabilities are introduced during its creation.
  • Under the General Data Protection Regulation (GDPR), the exposure of sensitive data must be limited at every stage of software development. For example, the explicit consent of the data subject would be required before their personal data could be used in software development and testing processes.
  • Precisely because it is an area often neglected in terms of protecting sensitive data, and because development environments are more exposed than production environments, the most common security breaches, as the Ponemon Institute notes, stem from negligence or malicious actions by employees and subcontractors.

To address this problem, Test Data Management (TDM) protocols oriented toward test environments are the appropriate way to protect non-production environments (development and pre-production).
In short, through masking techniques companies can guarantee that sensitive data never reaches the development environment and therefore cannot be compromised there at any time.

What risks exist in development environments

Information leakage

Information leakage is the disclosure of data which, in principle, should be confidential. In development environments, undue access by persons from the organisation itself is particularly common, and such environments are a very significant point of entry to a company's information network and its overall infrastructure.

In this sense, preventing the presence of sensitive data through anonymisation or dissociation is key: it guarantees that such data never reaches the development environment and is duly protected.
Furthermore, development environments have characteristics (different providers, uncertainty over the reliability of the code, etc.) which may call for additional security measures.

GDPR compliance

Article 32 of the GDPR establishes that companies are responsible for applying technical and organisational measures that guarantee the security of the personal data they process.

This legislation is in turn complemented by the “Guidelines on the protection of personal data in IT governance and IT management of EU institutions”, which specifically mention the pre-production phases, including development environments.

In this regard, several guidelines are set out on the processing of data in these contexts: 

  • Anonymise or pseudonymise data whenever sensitive data is processed.
  • The use of non-dissociated personal data must be minimised (prioritising artificially created or synthetic data) and restricted to cases in which the software cannot be tested any other way.
  • Where it is strictly necessary to use personal data, that need must be documented, along with the technical measures protecting the data, which must be proportionate to the risk of processing it.

Thus, European legislation establishes meticulous requirements for companies to be able to use data from production environments in development environments, highlighting the need to have adequate protection and dissociation techniques.
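As an added illustration of the masking step the guidelines above call for (example code written for this page, not code from the page's author or from icaria TDM): a small Python routine that detects sensitive columns in a production extract, replaces them with keyed HMAC pseudonyms so that references between tables still line up, and verifies that no original value survives. The masking key, column names and sample rows are constructed assumptions.

```python
import hmac, hashlib, re

MASKING_KEY = b"hypothetical-secret-kept-outside-dev"  # assumption: held in production, never copied to dev
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s-]{9,}$")
# Constructed sample production rows (not real people); orders reference customers by e-mail.
CUSTOMERS = [
    {"customer_id": 1, "email": "ana.perez@corp-example.com", "plan": "gold"},
    {"customer_id": 2, "email": "li.wang@corp-example.com", "plan": "basic"},
]
ORDERS = [
    {"order_id": "A-1001", "customer_email": "ana.perez@corp-example.com", "amount": 19.99},
    {"order_id": "A-1002", "customer_email": "li.wang@corp-example.com", "amount": 5.00},
]

def classify(column, values):
    """Detect a sensitive column by its name or because every value looks like an e-mail/phone."""
    if any(hint in column.lower() for hint in ("email", "phone", "name", "iban", "ssn")):
        return "sensitive"
    if values and all(EMAIL_RE.match(v) or PHONE_RE.match(v) for v in values):
        return "sensitive"
    return "clear"

def pseudonymise(value, key=MASKING_KEY):
    """Keyed, deterministic token: equal inputs give equal tokens (joins survive), no key means no reversal."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{tag}@example.invalid" if EMAIL_RE.match(value) else f"pseudo_{tag}"

def mask_table(rows):
    """Return a masked copy of a list-of-dicts table and the set of columns that were masked."""
    columns = list(rows[0]) if rows else []
    sensitive = {c for c in columns if classify(c, [str(r[c]) for r in rows]) == "sensitive"}
    masked = [{c: pseudonymise(str(r[c])) if c in sensitive else r[c] for c in columns} for r in rows]
    return masked, sensitive

def leaks(original_rows, masked_rows, sensitive):
    """Verification gate: original sensitive values that survived anywhere in the masked output."""
    originals = {str(r[c]) for r in original_rows for c in sensitive}
    return [v for r in masked_rows for v in map(str, r.values()) if v in originals]

def mask_and_verify(tables):
    """Mask every table with the same key so cross-table references stay consistent, then verify."""
    out = {}
    for name, rows in tables.items():
        masked, sensitive = mask_table(rows)
        if leaks(rows, masked, sensitive):
            raise ValueError(f"sensitive value survived masking in table {name}")
        out[name] = masked
    return out
```

Because the same key is used for every table, `orders.customer_email` still joins to `customers.email` after masking, which is what keeps the masked copy usable for testing.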

Vulnerability in development itself

Fraudulent access to development environments allows attackers to introduce faults or vulnerabilities into the software or application under construction. These faults have a very significant impact on projects and may entail costly re-engineering.

What implications do these risks have for the company

Loss of reputation

Every incident involving the exposure of personal data has shown the significant reputational losses such incidents entail for companies. On many occasions this has led to economic losses and the loss of clients, who instead look for companies that will guarantee the security of their data.

Financial penalties

The GDPR imposes substantial fines on companies that fail to protect the personal data they use, including in development environments.

Fines may amount to 4% of global annual turnover or 20 million euros, and figures for the first years of enforcement are already available:

  • A report by the European Commission detailed the substantial fines imposed in the first years after the data protection legislation came into force: Google was fined 50 million euros and a social network operator paid a 20,000 euro fine.
  • The DLA Piper law firm put the amount collected in GDPR penalties in one year at almost 1.1 billion euros, according to its 2022 publication.

Economic costs

Security problems affect the business as a whole and therefore entail financial problems and stagnation. The need to assign resources to crisis management and to fixing software faults that stem from vulnerabilities in development environments is among the most notable reasons the economic cost of an attack multiplies.

How to protect test environments

The solution: data management software for development environments

Tools such as icaria TDM detect sensitive data and, by applying adequate masking techniques, minimise the possibility of vulnerabilities while complying with data protection law, all automatically. Do you want to know more about data protection in development environments? Request a demo of icaria TDM and discover first hand how this software helps you manage data security efficiently and legally.