Environments other than production should use mock or automatically generated data.
Applications usually handle personal and other types of sensitive information. This information should not be used to perform tests or during development processes, as it could lead to unintended exposure. Non-production environments should use mock data or data that has been automatically generated.
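As an added example (not part of the original requirement text), the Python below scrubs a constructed export before it is loaded into a test environment: it pseudonymizes names and e-mails with a keyed hash so joins still work, swaps any Luhn-valid card number for a well-known test PAN, and provides a gate check that refuses datasets still carrying live-looking PANs. The records and the `PSEUDONYM_KEY` value are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample export shaped like a production table (made-up people, test-only card numbers).
SAMPLE_RECORDS = [
    {"id": 1, "name": "Ana Ruiz", "email": "ana.ruiz@example.com", "pan": "4012-8888-8888-1881"},
    {"id": 2, "name": "Bo Chen", "email": "bo.chen@example.com", "pan": "5500 0000 0000 0004"},
]
# Hypothetical per-environment secret; in practice load it from a vault, never from source.
PSEUDONYM_KEY = b"non-prod-scrubbing-key"
TEST_PAN = "4111111111111111"  # widely used test number: Luhn-valid but not a live card

def digits_only(value: str) -> str:
    return re.sub(r"\D", "", value)

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: flags values shaped like a real PAN, whatever the separators were."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def pseudonym(value: str, length: int) -> str:
    """Keyed, deterministic token, so joins on the same real value still match after scrubbing."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:length]

def scrub_record(record: dict) -> dict:
    """Replace direct identifiers; anything PAN-shaped becomes the fixed test number."""
    out = dict(record)
    out["name"] = "user_" + pseudonym(record["name"], 8)
    out["email"] = pseudonym(record["email"], 12) + "@test.invalid"
    if luhn_valid(digits_only(record["pan"])):
        out["pan"] = TEST_PAN
    return out

def scrub_dataset(records: list) -> list:
    return [scrub_record(r) for r in records]

def contains_live_looking_pan(records: list) -> bool:
    """Gate to run before any dataset is loaded into a non-production environment."""
    return any(
        luhn_valid(digits_only(r.get("pan", ""))) and digits_only(r["pan"]) != TEST_PAN
        for r in records
    )
```

Running `contains_live_looking_pan` on the raw export returns True and on `scrub_dataset(SAMPLE_RECORDS)` returns False, which is the condition a CI step would enforce before seeding a test database.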
This requirement is verified in the following services
- CWE™-359. Exposure of private personal information to an unauthorized actor
- ePrivacy Directive-4_1a. Security of processing
- GDPR-32_4. Security of processing
- GDPR-R6. Ensuring a high level of data protection despite the increased exchange of data
- GDPR-R51. Protecting sensitive personal data
- OWASP TOP 10-A2. Cryptographic failures
- OWASP TOP 10-A3. Injection
- MITRE ATT&CK®-M1048. Application isolation and sandboxing
- PA-DSS-5_1_1. Live PANs are not used for testing or development
- HITRUST CSF-01_w. Sensitive system isolation
- HITRUST CSF-09_d. Separation of development, test and operational environments
- HITRUST CSF-10_i. Protection of system test data
- ISO/IEC 27002-8_25. Secure development lifecycle
- ISO/IEC 27002-8_31. Separation of development, test and production environments
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- PCI DSS-6_5_5. Changes to all system components are managed securely
- ISO/IEC 27001-8_25. Secure development lifecycle
- ISO/IEC 27001-8_31. Separation of development, test and production environments