If only hackers could stop slurping test and dev databases. Wait, our phone is ringing ...

Exposure and loss of sensitive data is happening everywhere these days. One attack surface, as the jargon has it, is sensitive production data used in internal testing and development systems. Delphix reckons it can secure this surface, and in the process remove time-consuming layers of security-checking bureaucracy that slows …

  1. Brian Miller

    Patching bad practices with stupid fixes

    The first big problem is that people are using sensitive data for testing, instead of making up proper test data. If good practices are adhered to in the first place, then hackers won't pick up all those juicy nuggets left carelessly lying about.

    The second big problem is a stupid fix like this. Instead of replacing sensitive data with valid bogus data, they think that developers and testers should still have access to the sensitive data! Wrong! Generate good test data, and then "fixes" will not be needed.

    1. yoganmahew

      Re: Patching bad practices with stupid fixes

      Absolutely. Or lock down production copy data as if it's production - just because it is test data, doesn't mean, for example, exposing the structure of the DB is not important.

      Does this sound like VPARS to anyone? (Er, anyone who knows what VPARS is!).

      http://www-304.ibm.com/partnerworld/gsd/solutiondetails.do?solution=18259&expand=true

      Perhaps someday my production copy system will finally be able to debug production traffic with open systems content attached... I will dream on...

    2. fbsharp

      Re: Patching bad practices with stupid fixes

      Disagree - you can never make data like Production data. You might be able to execute a few happy path functional tests, what about the unhappy scenarios when you're using data that has been through multiple transformations and migrations from previous db, but what about performance tests when you want a full data set of real data.

  2. jake Silver badge

    Serious question ...

    "One attack surface, as the jargon has it, is sensitive production data used in internal testing and development systems."

    Who in the hell allows such systems to come into contact with the Internet at large, including sneaker-net? I mean, really?

    1. Pascal Monett Silver badge

      Agreed.

      Production data is quite difficult to mimic. Although I applaud anyone who can generate a proper set of test data, in practice I find that test data only works for testing what has been specified. Production data includes all the errors, quick fixes and workarounds users employ to "get work done" and that represents scenarios that, by definition, cannot be reproduced in test data.

      So, by all means, put some production data into the test system to fully validate the application.

      But if you allow Internet access to/from the dev environment, I will fire your ass in a second.

  3. Mookster
    Unhappy

    Clearly you paid for copy-pasting marketing sh1te.. but by whom? (The Reg or some snakeoil vendor)
