Test Systems: How to Protect Your Highly Sensitive Data

Test systems are the heart of your overall system design. They represent much of the history of your team’s code and development practices, which can include the beginnings of tools, applications, and services you provide to your users. Test systems serve as a record of how your systems, tools, and applications have matured and refined. Every genius and not-so-genius decision your team has made along the way can often be found there.

Test Systems: A Hidden Vulnerability

That said, the contents of test systems — test frameworks, CSV files, test data, etc. — can be ultra-sensitive. They could contain years upon years of private information, including intellectual property and competitive strategy. So, of course, you want to guard these with your life, right?

Well, yes. But often, in reality, that’s not what happens. Despite the sensitive nature of the data in these systems, they are often left unsecured or barely secured. This is because test systems are often built in an ad hoc way, and may even contain elements of ShadowOps. Often we find that they do not undergo the same security scrutiny that other parts of your development environment or production systems would. So the risk associated with them probably outstrips the regular investment that has been made to secure them.

What Constitutes Your Test Systems?

From a security point of view, it is time to toughen up the soft underbelly of your test systems so they don’t undermine your test, dev, and production environments.

First, let’s look at what we mean by test systems. Test systems generally constitute resources that are used by software testers (QA, SDET, SRE, customer service, product managers, etc.) to test and hone the products they want to release. These can include:

Non-unit testing resources are the most susceptible to intrusions because real resources are likely used more frequently than in-memory, mock resources.

Properly built test systems are generally situated inside isolated systems so that a system-under-test (SUT) can be controlled by the layer around it (e.g., a CI system like Jenkins or Travis CI, or language-specific test frameworks). Controlling this layer is important. So is preventing access to SUTs, the systems, and credentials. Building sandboxes is not quite enough, however. You’re going to need a real fence.

Best Practices for Protecting Test Systems

If you already integrate tools to manage your test systems and share them with an operations team’s configuration management tools or deployment process, then you can use the test systems to improve operations practices and tools while also improving the repeatability and documentation of the development and the accountability of the test systems. For example, you can use the same authentication tools in test and production instead of providing anonymous access. Anonymous access is an all-too-common practice and can lead to major security issues. This can, however, extend beyond authentication to most security practices.

Once you improve the security of your test systems, you can also help your development and QA teams by providing a safe, well-monitored environment in which you can:

In other words, improved security improves the testability of your systems by providing another valuable perspective on the development and execution of your systems. Increasing the isolation of a system should always lead to increased security, knowledge, and testability of that system — goals that will help to unite the QA/SRE (site reliability engineering), operations, and security teams.

As you can see, protecting test systems is very important. It is critical that you follow defined policies and procedures to ensure that your test systems are as secure as possible and don’t expose existing vulnerabilities or create new ones.

Here are three main areas where you can improve the security of your test systems, along with specific recommendations for each.

1. Build a Perimeter

2. Monitor and Alert on Test Systems

3. Improve Your Tests, Improve Your Security

Know Better, Do Better

When it comes to test systems, the lack of appropriate knowledge and/or lax security practices can cause these sensitive systems to become points of weakness or vulnerability. Following the recommendations outlined above, you should be able to toughen up the security of your test systems. Make it your goal to ensure that your team does not expose existing vulnerabilities or create new ones, and in doing so you will pass on the benefits of your test systems to your dev and ops environments.

 

 

 

 

Top