
07 December 2007


Playing “Hide and Seek” with Obsolete Data


Gary Hinson

Hi Harry.

Working as an IT auditor reviewing software development projects, I've often been through the arguments about using (hopefully a copy of) real live data for testing. The developers typically argue that real data is the ultimate testbed. I usually argue that real data is too valuable and often too sensitive, and normally lacks all the test cases that are needed. I believe that, to obfuscate real data or create realistic test cases, the architects and developers need to truly understand the data structures, and getting to that level of knowledge is in itself a valuable part of the process; but usually the project managers veto such ideas, saying it's too expensive :-(

I've upped the ante a few times by insisting that if the developers/testers are going to use real data, then the entire development and testing environment must be secured to the same degree as the primary database system, complete with tight access control and personal accountability through individual accounts and traceability/auditability, which obviously goes against the grain for most development teams.

I'd be interested, though, to find examples of situations where development or test environments containing real data have been hacked. That would lend weight to my cause in persuading management.

Kind regards,


About the (ISC)² Blog

As the certifying body for more than 100,000 information security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other information security professionals and the public at large.

The (ISC)² blog gives members a forum to exchange ideas and inspires a safe and secure cyber world by supporting the advancement of the information security workforce via a public exchange with a broad range of information security topics.

Whether an (ISC)² member chooses to participate in the (ISC)² blog is his or her own decision. The postings on this site are the author's own and don't necessarily represent (ISC)²'s positions, strategies or opinions. (ISC)² monitors the blog in accordance with the (ISC)² Blog Guidelines, but the bloggers are responsible for their own content – common sense and intelligence should prevail.

Other than links to the (ISC)² website, (ISC)² does not control or endorse any links to products or services provided in this blog and makes no warranty regarding the content on any other linked website.

Those who post comments to (ISC)² blogs should ensure their comments are focused on relevant topics that relate to the specific blog being discussed. (ISC)² reserves the right to remove any post or comment from this site. Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org
