In recent years, the multitude of high-profile attacks in development environments has demonstrated the clear need to have security protocols at all stages of the software development lifecycle.
According to a report prepared by Argon, large companies such as Microsoft and Mercedes have been victims of cyberattacks in a pre-production or development environment, with the resulting problems that this type of access entail, from reputation crisis to significant economic losses.
Nevertheless, it is still quite common for companies to neglect security in development environments: this report by Argon showed that 80% of companies stated that their development environments were not able to withstand a cyberattack.
Why is it crucial to protect development and pre-production environments, and how can this protection be ensured? Let us explain.
The development environment is the first stage within the software supply chain, followed by the pre-production environment, and finally, the production environment.
In this first stage the new software is built: the code that will, once completed, form the backbone of the new tool is written here. It is therefore common to work with datasets, some of them generated synthetically and others containing sensitive data because they are copied from production environments.
Nevertheless, many development projects have neglected data protection in development environments: the aforementioned report noted that only 30% of them have specific protection for this first phase.
In this context, there are several reasons why this is a significant error:
To address this problem, Test Data Management (TDM) processes oriented toward test environments are the appropriate way of protecting non-production environments (development and pre-production).
In short, through masking techniques companies can guarantee that sensitive data never reaches the development environment and therefore cannot be compromised there at any time.
Information leakage is the disclosure of data that should, in principle, remain confidential. In development environments, improper access by people from within the organisation itself is particularly common, and such environments are a very significant point of entry to a company's information network and its overall infrastructure.
In this sense, preventing the presence of sensitive data through anonymisation or dissociation of the data is key: it guarantees that such data does not reach the development environment and remains duly protected.
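A minimal masking pipeline of the kind described above, as an added example (not icaria TDM's code or any product's): each sensitive column gets a rule, keyed deterministic pseudonyms keep foreign keys consistent across tables, and a release gate refuses the copy if any original value survives. The key, column names and sample rows are assumptions constructed for the example.

```python
import hashlib
import hmac

# Masking key: in practice held in a secrets store on the production side and never
# copied to the development environment. Constructed value for this example.
MASKING_KEY = b"example-only-key-rotate-me"

def _pseudonym(value, nbytes=6):
    # Keyed, one-way, deterministic: equal inputs give equal tokens, so foreign keys
    # still join after masking, but nothing maps back without the key.
    mac = hmac.new(MASKING_KEY, value.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[: nbytes * 2]

def mask_email(email):
    # Keep the shape of an address so validation in the app under test still passes
    return f"user_{_pseudonym(email)}@example.invalid"

def mask_phone(phone):
    # Keep formatting characters and the last two digits; zero every other digit
    n, seen, out = sum(c.isdigit() for c in phone), 0, []
    for c in phone:
        seen += c.isdigit()
        out.append("0" if c.isdigit() and seen <= n - 2 else c)
    return "".join(out)

# One rule per sensitive column (assumed column names); other columns pass through
RULES = {
    "full_name": lambda v: f"Person {_pseudonym(v, 4)}",
    "email": mask_email,
    "phone": mask_phone,
}

def mask_dataset(rows):
    return [{k: (RULES[k](v) if k in RULES else v) for k, v in r.items()} for r in rows]

def verify_masked(originals, masked):
    # Release gate: refuse the copy if any original sensitive value survives anywhere
    sensitive = {str(r[k]) for r in originals for k in RULES if k in r}
    blob = "\n".join(str(v) for r in masked for v in r.values())
    return not any(s in blob for s in sensitive)

# Constructed production-like rows (not real data)
PROD_ROWS = [
    {"id": 1, "full_name": "Ana Pérez", "email": "Ana.Perez@corp.example",
     "phone": "+34 600 123 456", "plan": "gold"},
    {"id": 2, "full_name": "Ana Pérez", "email": "ana.perez@corp.example",
     "phone": "+34 600 123 457", "plan": "free"},
]
```

Run `verify_masked(PROD_ROWS, mask_dataset(PROD_ROWS))` as the last step before the copy leaves the production side; a `False` result means the export must not be shipped to the development environment.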
Furthermore, development environments have characteristics (different providers, uncertainty over the reliability of the code, etc.) which may entail the need for extraordinary security measures.
The GDPR establishes, in Article 32, that companies are responsible for applying technical and organisational measures that guarantee the security of the personal data they process.
This legislation is in turn complemented by the “Guidelines on the protection of personal data in IT governance and IT management of EU institutions”, which specifically mention the pre-production phases, including development environments.
In this regard, several guidelines are set out on the processing of data in these contexts:
Thus, European legislation sets meticulous requirements that companies must meet before they can use data from production environments in development environments, underlining the need for adequate protection and dissociation techniques.
Fraudulent access to development environments allows attackers to introduce faults or vulnerabilities into the software or application under construction. These faults have a very significant impact on projects and may entail costly re-engineering.
Every incident involving a breach of personal data has shown the significant reputational damage it entails for companies. On many occasions this has led to economic losses and to the loss of clients, who instead look for companies that will guarantee the security of their data.
The GDPR imposes substantial fines for companies that do not manage to protect the personal data that they use, including in development environments.
The fines may amount to 4% of global annual turnover or 20 million euros, and there are already figures for the first years of collection in this regard:
Security problems affect a business as a whole, and as such entail financial problems and stagnation. The need to assign resources to crisis management programmes, and the software faults that stem from vulnerabilities in development environments, are among the most notable reasons why the economic cost of an attack multiplies.
The solution: to have data management software in development environments.
Tools such as icaria TDM allow sensitive data to be detected, and, by applying adequate masking techniques, minimise the possibility of vulnerabilities, in addition to complying with the data protection law, all automatically. Do you want to know more about data protection in development environments? Request a demo of icaria TDM and discover first hand how this software helps you to manage data security efficiently and legally.