Can security testing only happen in the production environment?

Can security testing only happen in the production environment?

What is the best practice for testing security vulnerabilities in Web applications? Testing of our production environment is not currently feasible using automated tools due to the generation of thousands of records into the production data base. Everything seems to indicate the production environment is the best and only place you can test web application vulnerabilities with any certainty. Is this the case?

    Requires Free Membership to View

    Login

    When you register, you'll receive targeted emails designed to keep you informed of the most relevant information on Agile development, application security, testing & QA, software requirements, and more.

    Hannah Smalltree, Editorial Director

    By submitting your registration information to SearchSoftwareQuality.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSoftwareQuality.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Your concern is a valid one. You don't necessarily want automated scanning tools generating thousands of requests that submit junk data into your database(s). They can certainly do that in a hurry and the ramifications can be widespread.

Which applications you actually test is completely up to you and, of course, any contracts, policies, or standards that may contain specific testing requirements. I typically test applications in production but have also tested applications running in staging and DR environments. You don't necessarily have to have the latest code to test as long as it's reasonably current (i.e. within a couple of weeks). Again, know your requirements.

If production is off limits, then the simplest solution is probably to test staging where you can easily blow away the database – or not care how you muck it up. You may also consider setting up an environment that mirrors production at a DR facility or on a backup set of servers on your own network. I've seen people create a virtual environment that allowed for simple code updates and configuration changes and, when the time's right, they just scrapped the environment and started over.

Getting back to testing applications in production, doing so can be beneficial because you know it's running the latest code and represents the real world environment you're presenting to everyone. What you may be able to do is, on the back end, limit or redirect the specific application requests that are made during your application security testing so they don't actually insert data into the database. As long as input is not hindered and the application can make database calls you should still be able to get a good representation of actual vulnerabilities. Of course doing so depends on your unique environment, which user you're connected as, application logic and so on but if you can figure out a way to do it this may be the best overall solution.

This was first published in October 2010

Back to top