Monday, October 5, 2015

Live Data In Dev, Live Data in Test

One of the more recent examples of poor development practice was the compromise of Patreon's test environment, which apparently held live production data. Using live data in development and test is a bad practice for many reasons, the simplest being that test and dev systems rarely get the access controls, monitoring and patching that production does, so a copy of production data there is a copy protected by none of it. It is nonetheless a practice that still happens often.
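As an added example (not code from the original post or from Patreon), here is the alternative to copying live data into test: pseudonymize the export before it leaves production, and gate the fixture loader so it refuses anything that still carries production values. The rows, field names and the key are constructed for this example and are assumptions, not a description of any real system.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a production export (not real
# customer data): the field names and values are assumptions for this example.
PROD_ROWS = [
    {"id": 1, "email": "alice@example.com", "name": "Alice Example", "card_last4": "4242", "plan": "pro"},
    {"id": 2, "email": "bob@example.org",   "name": "Bob Sample",    "card_last4": "1111", "plan": "free"},
    {"id": 3, "email": "alice@example.com", "name": "Alice Example", "card_last4": "4242", "plan": "pro"},
]


def pseudonym(secret: bytes, value: str, length: int = 12) -> str:
    """Keyed, deterministic pseudonym for one field value.

    HMAC rather than a plain hash: equal inputs still map to equal outputs, so
    joins and duplicates in the fixture behave as they did in production, but
    without the key nobody can confirm a guess ("is this row Alice?") by
    hashing likely inputs.
    """
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def pseudonymize_row(row: dict, secret: bytes) -> dict:
    """Return a copy of one row that carries no production identifiers."""
    out = dict(row)
    tok = pseudonym(secret, row["email"])
    # Reserved TLD (RFC 2606): a fixture bug can never mail a real customer.
    out["email"] = f"user-{tok}@test.invalid"
    out["name"] = f"User {tok[:6]}"
    # Payment detail is not needed to exercise the app, so drop it outright
    # rather than pseudonymize it.
    out["card_last4"] = "0000"
    return out


def pseudonymize_export(rows: list, secret: bytes) -> list:
    return [pseudonymize_row(r, secret) for r in rows]


def production_values(prod_rows: list) -> set:
    """Every sensitive string value that must not appear in a fixture."""
    return {r[k] for r in prod_rows for k in ("email", "name", "card_last4")}


def leaked_values(fixture_rows: list, prod_rows: list) -> set:
    """Gate to run before loading fixtures into dev or test: the values from
    the production export that survived into the fixture (empty means clean)."""
    forbidden = production_values(prod_rows)
    return {v for r in fixture_rows for v in r.values()
            if isinstance(v, str) and v in forbidden}


if __name__ == "__main__":
    # The key belongs in a secrets store on the production side and must never
    # ship with the fixture; a hard-coded one here keeps the example runnable.
    key = b"example-only-pseudonymization-key"
    fixture = pseudonymize_export(PROD_ROWS, key)
    for row in fixture:
        print(row)
    assert not leaked_values(fixture, PROD_ROWS)
    # Loading the raw export instead would be refused:
    print("leaks in raw export:", sorted(leaked_values(PROD_ROWS, PROD_ROWS)))
```

The two halves matter together: pseudonymization keeps the shape of the data (duplicate customers stay duplicates, foreign keys still join), and the leak check is what stops someone from skipping the first step when a deadline is close. Run the check in the fixture loader itself, not as an optional script.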

Live Data In Dev, Live Data In Test

I had a cool dream to build a cool site.
I coded it hard, with all my might.
When I decided 'twas time for a test,
I wanted the data I knew that was best.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

I sent out the link to my friends in QA.
Worried a bit about what they may say.
But bringing in Infosec wasn't a thought:
Only later they found what a mess I had wrought.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

My friends in QA were happy, they said.
I migrated to live sans feelings of dread.
My dev and test servers? I'd keep them around
In case there were unforeseen bugs that were found.

One of those bugs was the QA account:
Password of "QA" and a live data mount,
Still active within my development host,
Discovered by hackers and shared on a post.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

All of that data has flown all away!
The old morning papers have so much to say.
Pastebin and reddit have made many copies
Someone has even written it to floppies.

Infosec's asking me what I was thinking.
Using live data; had I been drinking?
"No," I explained, "I was doing my job,
Though not any more," it dawned with a sob.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.
