
08) Does your organisation segregate development environments from any testing or production environments?

August 31, 2022 | Tags: Software Development, Environment Segregation, Testing, Development

Answer yes if your organisation uses segregated environments for the development of applications, the testing of applications, and the hosting of production systems that handle live data. Please state in the notes the nature of the segregation (logical/physical).

What is the control?

Development, testing, and production environments all have different purposes. It’s important they be kept separate as the different activities could otherwise negatively impact each other.

Why should I have it?

For example, development could freeze a server through errors in programming code or an experimental approach, while testing could cause unpredictable events or load on the infrastructure that leads to production outages. Conversely, the requirements (and restrictions) of a production environment could mean that your development and testing possibilities are severely limited.

It’s therefore important to have separate environments for these activities. They allow the maximum output from testing and development activities while safeguarding your production environment from being corrupted, slowed, or even brought down. Separation also reduces the risk of data being incorrectly uploaded to, or deleted from, a production environment, of permissions being set incorrectly, and of other scenarios that could result in a data breach.

How to implement the control:

You should have multiple environments separated for purposes such as development, testing, and production. Some organisations may also have other environments such as staging. There can be as many environments as needed as long as the necessary segregation exists and each environment’s purpose is defined. Note that there may be differences between the environments due to their purposes. For example, production may have more capacity than development.

You should create a policy that clearly defines what each environment is for. These criteria should then be used by any relevant processes in your organisation that prescribe interaction with one or more of these environments.
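One way to make the two requirements above checkable, as an added example that is not Risk Ledger's code or part of this article: keep a simple inventory of environments and run a script over it that confirms each environment has a defined purpose and segregation type, and that no two environments share a data store, a credential, or an overlapping network range. The inventory format, the field names and the sample entries are all assumptions constructed for this example; the sample deliberately shares a database host and credential between development and testing and overlaps the production and development networks so the check has findings to report.

```python
"""Environment segregation audit over a constructed inventory.

Added example, not code from the article or from Risk Ledger. The inventory
layout (purpose, segregation, networks, data_stores, credentials) is an
assumption made for this example.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample inventory. Development and testing share a database
# host and a service credential, and production's network range sits
# inside development's range, so each check below reports something.
INVENTORY = {
    "development": {
        "purpose": "building and experimenting with application code",
        "segregation": "logical",
        "networks": ["10.10.0.0/16"],
        "data_stores": ["db-dev.internal"],
        "credentials": ["svc-dev"],
    },
    "testing": {
        "purpose": "functional and load testing against synthetic data",
        "segregation": "logical",
        "networks": ["10.20.0.0/16"],
        "data_stores": ["db-dev.internal"],  # shared with development
        "credentials": ["svc-dev"],          # shared with development
    },
    "production": {
        "purpose": "",                        # undefined purpose is a finding
        "segregation": "physical",
        "networks": ["10.10.128.0/17"],       # overlaps development's range
        "data_stores": ["db-prod.internal"],
        "credentials": ["svc-prod"],
    },
}

REQUIRED_KEYS = ("purpose", "segregation", "networks", "data_stores", "credentials")


def check_definitions(inventory):
    """Each environment must declare every field, a non-empty purpose,
    and whether its segregation is logical or physical."""
    findings = []
    for name, env in inventory.items():
        for key in REQUIRED_KEYS:
            if key not in env:
                findings.append(f"{name}: missing '{key}'")
        if not env.get("purpose"):
            findings.append(f"{name}: purpose is not defined")
        if env.get("segregation") not in ("logical", "physical"):
            findings.append(f"{name}: segregation must be 'logical' or 'physical'")
    return findings


def check_shared_resources(inventory):
    """No pair of environments may share a data store or credential,
    and their network ranges must not overlap."""
    findings = []
    for (a, env_a), (b, env_b) in combinations(inventory.items(), 2):
        for key in ("data_stores", "credentials"):
            shared = set(env_a.get(key, [])) & set(env_b.get(key, []))
            for item in sorted(shared):
                findings.append(f"{a}/{b}: shared {key[:-1]} '{item}'")
        for net_a in env_a.get("networks", []):
            for net_b in env_b.get("networks", []):
                if ip_network(net_a).overlaps(ip_network(net_b)):
                    findings.append(
                        f"{a}/{b}: network ranges {net_a} and {net_b} overlap"
                    )
    return findings


def audit(inventory):
    """Run both checks and return all findings; an empty list means the
    inventory satisfies the segregation policy as modelled here."""
    return check_definitions(inventory) + check_shared_resources(inventory)


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

Run against the constructed inventory the script reports four findings: production has no stated purpose, development and testing share a database host and a credential, and the development and production network ranges overlap. In practice the inventory would be generated from the real asset register or cloud account listing rather than hand-written, and the script run in a pipeline so that a change which quietly links two environments fails before it is deployed.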

There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and implementing an SDLC that includes security best practice in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
