3.4 Secure staging deployment concepts

Question 1

Sandboxing

Answer 1

No processes should be able to connect to anything outside the sandbox. Only the minimum tools and services necessary to perform code development and testing should be allowed in each sandbox.

Question 2

Development

Answer 2

The code will be hosted on a secure server. Each developer will check out a portion of code for editing on his or her local machine. The local machine will normally be configured with a sandbox for local testing.

Question 3

Test

Answer 3

In this environment, code from multiple developers is merged to a single master copy and subjected to basic unit and functional tests (either automated or by human testers). These tests aim to ensure that the code builds correctly and fulfills the functions required by the design.

Question 4

Staging

Answer 4

This is a mirror of the production environment but may use test or sample data and will have additional access controls so that it is only accessible to test users. Testing at this stage will focus more on usability and performance.

Question 5

Production

Answer 5

The application is released to end users.

Question 6

Secure Baseline

Answer 6

Each development environment should be built to the same specification, possibly using automated provisioning.

Question 7

Integrity Measurement

Answer 7

This process determines whether the development environment varies from the secure baseline. Perhaps a developer added an unauthorized tool to solve some programming issue. Integrity measurement may be performed by scanning for unsigned files or files that do not otherwise match the baseline.