Secure Software Development: Setting up multiple environments

Ron McFarland PhD
3 min read · Sep 15, 2021

Focus: Security process for the software development component for a California software contractor

Several recommendations follow to support a more secure software development environment, especially for contractors who develop software for the organization. These recommendations apply even to small programming environments, as sensitive data is often part of the mix when developing, testing, and deploying software.

The first strategy is to separate the development environments from the production environment. The separation helps keep untested and unvetted code from corrupting the production systems that are already in place. Scott Ambler of the “Agile Data” organization recommends the following virtual sandboxes (Ambler, 2020), which isolate the development sandbox from the production environment and require software to be transitioned (approved) from one environment to the next through final acceptance for the production environment.

Figure 1: Virtual Sandboxes in the Software Development Environment (Ambler, 2020).

The separate environments include:

1. The Development Sandbox: This is the prime environment for the software development engineer. Once code is developed, verified, and validated, it can be transitioned into the Project Integration Sandbox.

2. The Project Integration Sandbox: In this environment, the new/modified application is placed in a mock production environment where string testing and interaction testing are performed. Once testing is done in this environment, the code is placed in the Demo and Pre-production Test/QA sandboxes.

3. The Demo Sandbox: In this environment, the users who initiated the project verify and validate whether the specifications denoted in the use cases were achieved. User acceptance testing typically occurs simultaneously with the Pre-production/QA testing.

4. The Pre-production Test/QA Sandbox: In this environment, the software is inspected to ensure that it meets a rigorous standard for production, including data security requirements. Software quality is also inspected to ensure that the software meets strict standards for software security. Once the user testing (Demo Sandbox) and QA (Pre-production Test/QA) requirements are met, the software is transitioned to the production environment.

5. The Production sandbox: In this environment, active production software is monitored, and execution is controlled.
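The promotion path in the list above can be enforced in tooling rather than by convention. The following is an added example, not code from the article or from Ambler: a small gate that refuses to move a build forward unless it has passed through each sandbox in order and holds both the Demo and Pre-production Test/QA sign-offs before production. The environment keys, class names, and the choice to bind approvals to a SHA-256 digest of the build are assumptions made for this example.

```python
import hashlib

# Promotion paths taken from the article's list. Environment keys are
# names chosen for this example.
ALLOWED = {
    "development": {"integration"},
    "integration": {"demo", "preprod_qa"},
    "demo": {"production"},
    "preprod_qa": {"production"},
}
# Production needs user acceptance (Demo) and QA sign-off together.
PRODUCTION_GATES = {"demo", "preprod_qa"}


class PromotionError(Exception):
    """Raised when a build tries to skip an environment or a sign-off."""


class ReleaseTracker:
    def __init__(self):
        self.reached = {}   # build digest -> environments it was deployed to
        self.signoffs = {}  # build digest -> environments that approved it

    def register(self, artifact: bytes) -> str:
        # Assumption: approvals are bound to the SHA-256 of the exact build,
        # so a rebuilt artifact starts over in the Development sandbox.
        digest = hashlib.sha256(artifact).hexdigest()
        self.reached.setdefault(digest, {"development"})
        self.signoffs.setdefault(digest, set())
        return digest

    def sign_off(self, digest: str, env: str) -> None:
        if env not in self.reached.get(digest, ()):
            raise PromotionError(f"build was never deployed to {env}")
        self.signoffs[digest].add(env)

    def promote(self, digest: str, target: str) -> None:
        reached = self.reached.get(digest)
        if reached is None:
            raise PromotionError("unregistered build")
        sources = {e for e in reached if target in ALLOWED.get(e, ())}
        if not sources:
            raise PromotionError(f"no approved path into {target}")
        required = PRODUCTION_GATES if target == "production" else sources
        missing = required - self.signoffs[digest]
        if missing:
            raise PromotionError(f"missing sign-off: {sorted(missing)}")
        reached.add(target)
```

Because sign-offs are keyed by digest, a build that changes after QA is a different build with no approvals, so it cannot inherit the earlier one's path to production.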

This article provides a quick overview of several environments necessary to develop, test, and deploy software in an organization.

More to come….

References

Ambler, S. (2020). Development sandboxes: An agile core practice. Agile Data. Retrieved September 15, 2021, from http://www.agiledata.org/essays/sandboxes.html.

About the Author

Ron McFarland, PhD, CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security and other Cisco courses and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications. Dr. McFarland can be reached at his CMTC email address: rmcfarland@cmtc.com
