Difference between revisions of "Cloud-10 Nonproduction Environment Exposure"
(Created page with 'Nonproduction Environment Exposure') |
|||
Line 1: | Line 1: | ||
− | + | An IT organization that develops software applications internally | |
+ | employs a set of non-production environments for design, development, | ||
+ | and test activities. The non-production environments are generally not | ||
+ | secured to the same extent as the production environment. This is to | ||
+ | ease and facilitate the development and test cycles. Such | ||
+ | non-production environments are not only accessed by the employees of | ||
+ | the organization, but also by the outsourced vendors. In a non-cloud | ||
+ | environment, the non-production environments are in the data-center of | ||
+ | the organization, and are under complete ownership of the organization. | ||
+ | Therefore, the organization can control the access of these | ||
+ | environments. | ||
+ | |||
+ | If an organization chooses to use a cloud provider for a | ||
+ | non-production environment, then the organization loses control over | ||
+ | them. Since cloud is publicly accessible, there is a high risk that an | ||
+ | unauthorized user may get access to the non-production environment. A | ||
+ | malicious user may alter the environment in such a way that it becomes | ||
+ | unusable. Or even worse, a malicious user may completely delete the | ||
+ | environment. | ||
+ | |||
+ | A non-production environment may use generic authentication | ||
+ | credentials. The passwords used in non-production environment may not | ||
+ | conform to the standard password policy of the organization. In such a | ||
+ | case, unauthorized access becomes very easy. | ||
+ | |||
+ | An organization may create a non-production environment by copying | ||
+ | data from its production equivalent. In such a case, an unauthorized | ||
+ | user can steal the sensitive production data. Examples of such data | ||
+ | are credit card and social security numbers. |
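Review bot: the new text lays out three risk scenarios (loss of control over a cloud-hosted environment, generic or non-policy-compliant credentials, and production data copied into test) but stops without naming any countermeasure; consider closing the page with a short mitigation paragraph, for example that cloud-hosted non-production environments remain subject to the organization's standard password policy and access controls, and that production data is masked or anonymized before it is copied, since the "credit card and social security numbers" example is precisely the data that should never reach a test environment in clear form.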
Revision as of 02:44, 16 February 2010
An IT organization that develops software applications in-house employs a set of non-production environments for design, development, and test activities. These environments are generally not secured to the same extent as the production environment, in order to ease the development and test cycles. They are accessed not only by the organization's employees but also by outsourced vendors. In a non-cloud deployment, the non-production environments sit in the organization's own data center and are under its complete ownership, so the organization can control access to them.
If an organization instead uses a cloud provider for a non-production environment, it loses that control. Because the cloud environment is publicly accessible, there is a high risk that an unauthorized user gains access to the non-production environment. A malicious user may alter the environment so that it becomes unusable or, worse, delete it entirely.
A non-production environment may use generic authentication credentials, and the passwords used in it may not conform to the organization's standard password policy. In that case, unauthorized access becomes very easy.
An organization may create a non-production environment by copying data from its production equivalent. In that case, an unauthorized user can steal sensitive production data, such as credit card and social security numbers.
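The last paragraph names the data that most often leaks through a copied environment. The following script is an added example, not part of the original OWASP wiki page, showing one way to sanitize a production export before it is loaded into a cloud-hosted non-production environment: card numbers are masked down to their last four digits (with a Luhn check so that arbitrary digit runs such as order references are left alone), social security numbers are masked, and e-mail addresses are replaced by a salted one-way pseudonym. The sample rows, the field names (`email`, `card`, `notes`) and the salt are all constructed for the example.

```python
"""
Added example (not from the original OWASP page): mask sensitive values in a
production data export before it is copied into a non-production environment.
Sample records and field names below are constructed for illustration.
"""
import hashlib
import re

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US social security number in the common 123-45-6789 layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw  # not a card number (e.g. an order reference); leave untouched
    # Keep only the last four digits so testers can still tell records apart.
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_ssn(match: re.Match) -> str:
    return "***-**-" + match.group(0)[-4:]


def pseudonymize(value: str, salt: str) -> str:
    """Stable one-way replacement for a direct identifier such as an e-mail."""
    return hashlib.sha256((salt + value).encode()).hexdigest()[:16]


def sanitize_record(record: dict, salt: str) -> dict:
    """Return a copy of one export row with sensitive values masked."""
    out = {}
    for key, value in record.items():
        if not isinstance(value, str):
            out[key] = value
            continue
        if key == "email":  # assumed field name for a direct identifier
            out[key] = pseudonymize(value, salt) + "@example.invalid"
            continue
        value = CARD_RE.sub(mask_card, value)
        value = SSN_RE.sub(mask_ssn, value)
        out[key] = value
    return out


def sanitize_export(rows, salt):
    """Sanitize every row of an export; the result is what leaves production."""
    return [sanitize_record(r, salt) for r in rows]


# Constructed sample export. The first card value is a well-known Luhn-valid
# test number; the second is a 13-digit run that fails the Luhn check.
SAMPLE_ROWS = [
    {"id": 1, "email": "alice@corp.example", "card": "4111 1111 1111 1111",
     "notes": "SSN on file: 123-45-6789"},
    {"id": 2, "email": "bob@corp.example", "card": "1234567890123",
     "notes": "order ref 5555-1234-0000"},
]

if __name__ == "__main__":
    for row in sanitize_export(SAMPLE_ROWS, salt="example-salt"):
        print(row)
```

Run the masking in the production environment, on the export itself, so that only the sanitized copy is ever transferred to the cloud-hosted test environment; the salt should be stored with production secrets, not alongside the test data, otherwise the pseudonyms can be reversed by dictionary lookup.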