Pentesting — Prod vs Test Environment

Ric Campo
2 min read · Feb 1, 2024


Penetration Testing — Production vs Test Environment

Hello everyone, I’ve been contemplating writing a brief post about the Production vs Test environment discussion. I must admit upfront that I’m a Test environment kind of guy. The reason is that I believe there’s significantly less risk, and you can “go crazy” with your testing to uncover more substantial vulnerabilities that ultimately benefit the client. However, let’s conduct a quick analysis to see if this is the case.

Firstly, as usual for all my posts, let’s define what the production environment is. According to techopedia.com, a production environment is a term used predominantly by developers to describe the setting where software and other products are put into operation for their intended uses by end users. In essence, it’s where we host our apps for our users. It’s where all the critical information is and the target of most attackers.

As for a Test Environment, I was unable to find a direct definition of it, but OWASP SAMM, in the Implementation, Verification, and Operations business functions, mentions the use of these environments for testing and verification, and that they should closely reflect the production environment. A test environment, as the name implies, is for testing. There should be no production data, only test data, no production secrets or any information disclosure. All data in the test environment should be public in nature, and its compromise should have no impact on the platform users or corporations.

Testing in the production environment has the advantage of producing very accurate results, with vulnerabilities found directly impacting the platform and user base. The downside would be the risk. Testing, even when done by the most professional of testers, can impact the platform and risk the platform’s data. A good example is a Denial of Service, where a tester might inadvertently discover one of these and bring the platform down.

The test environment would be the complete opposite. There is little risk (if set up properly) to the production environment, but there is a higher risk of producing false positives as it might not be an exact mirror. An advantage, though, is that a wider range of testing activities can be carried out, and if a code review is added (white box penetration test), there is a higher chance of finding a larger number of vulnerabilities affecting the platform, which overall will result in a more secure platform.

The reason why I am more inclined to perform testing in testing environments is not because of its accuracy but its potential to find higher-risk vulnerabilities that could impact the organisation. Having said this, it is essential to penetration test the Production Environment and ensure that it is set up securely and that the measures are in place to protect the platform to an appropriate level.

Disclaimer: I used ChatGPT to assist with the grammar and spelling. Acknowledgements have been provided as links to the information I researched for this blog.
