
Difference between revisions of "Cloud-10 Nonproduction Environment Exposure"

From OWASP

Revision as of 02:44, 16 February 2010

An IT organization that develops software applications internally employs a set of non-production environments for design, development, and test activities. These non-production environments are generally not secured to the same extent as the production environment, a trade-off made to speed up the development and test cycles. They are accessed not only by the organization's own employees but also by outsourced vendors. In a non-cloud deployment the non-production environments sit in the organization's own data center and are under its complete ownership, so the organization can control who reaches them and how.

If an organization chooses to use a cloud provider for a non-production environment, it gives up part of that control. Because a cloud-hosted environment is reachable over the public Internet, there is a high risk that an unauthorized user gains access to it. A malicious user may alter the environment so that it becomes unusable, or, worse, delete the environment entirely.

A non-production environment may use generic, shared authentication credentials (for example a single test account known to the whole team and its vendors), and the passwords used there may not conform to the organization's standard password policy. In such a case, unauthorized access becomes very easy, and once the environment is exposed to the Internet those weak credentials are the only barrier.

An organization may create a non-production environment by copying data from its production equivalent. Unless that data is masked or replaced with synthetic records before the copy is made, an unauthorized user who reaches the non-production environment can steal sensitive production data. Examples of such data are credit card numbers and social security numbers.
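The risk just described, production card and social security numbers surviving a copy into a non-production environment, is easiest to contain by scrubbing the export before it leaves the production boundary. The Python script below is an added example and is not part of the original OWASP page. It scans a constructed sample export, masks card numbers that pass the Luhn check and SSNs that fall in ranges the SSA actually issues, and returns counts so that a second pass over the scrubbed rows can gate the load into the non-production environment on a zero count. The row format, the masking style and the sample values are assumptions made for the example.

```python
import re

# Constructed sample rows, shaped like a production export about to be loaded into a
# non-production environment. All values are fabricated for this example.
SAMPLE_EXPORT = [
    "id=1,name=Ann Example,card=4111111111111111,ssn=123-45-6789",
    "id=2,name=Bob Example,card=4111111111111112,ssn=000-12-3456",
    "id=3,name=Cy Example,order_ref=1234567812345678,ssn=987-65-4321",
]

# Digit runs of card length, not embedded in a longer run; SSN in the dashed form.
CARD_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn check so that long digit runs such as order references are not
    mistaken for card numbers (row 3 above fails this deliberately)."""
    total = 0
    parity = len(number) % 2
    for i, ch in enumerate(number):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def scrub_line(line: str) -> tuple[str, dict[str, int]]:
    """Return the line with card numbers and SSNs masked, plus counts per type.
    The last four digits are kept so developers can still recognise test records
    while the full value is no longer present in the non-production copy."""
    counts = {"card": 0, "ssn": 0}

    def mask_card(m: re.Match) -> str:
        value = m.group(0)
        if not luhn_valid(value):
            return value
        counts["card"] += 1
        return "*" * (len(value) - 4) + value[-4:]

    def mask_ssn(m: re.Match) -> str:
        if not ssn_plausible(*m.groups()):
            return m.group(0)
        counts["ssn"] += 1
        return "***-**-" + m.group(3)

    line = SSN_RE.sub(mask_ssn, line)
    line = CARD_RE.sub(mask_card, line)
    return line, counts


def scrub_export(rows: list[str]) -> tuple[list[str], dict[str, int]]:
    """Scrub every row and total the findings per data type."""
    out = []
    totals = {"card": 0, "ssn": 0}
    for row in rows:
        clean, counts = scrub_line(row)
        out.append(clean)
        for kind, n in counts.items():
            totals[kind] += n
    return out, totals


def export_is_clean(rows: list[str]) -> bool:
    """Gate for the copy step: True only when a pass over the rows masks nothing,
    i.e. no raw card number or plausible SSN is left in the export."""
    _, totals = scrub_export(rows)
    return not any(totals.values())


if __name__ == "__main__":
    scrubbed, totals = scrub_export(SAMPLE_EXPORT)
    for row in scrubbed:
        print(row)
    print("masked:", totals, "clean after scrub:", export_is_clean(scrubbed))
```

Run against the sample, the first row is masked (one card, one SSN), the second is left alone because its card number fails Luhn and its SSN area is 000, and the third keeps its order reference; a second pass over the scrubbed rows reports clean, while the raw export does not. In practice the regexes would be extended to the column names and formats of the real schema, but the structure, detect with a validity check, mask, then re-scan as a gate, is the part worth copying.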