hello I'm professor wool today we're
going to talk about
to integrate security with the test
environment so to give us background
we're thinking of a developed type
environment where development of an
application is ongoing and the new
version coming out every so often and
you're handling this methodology with
separate development tests and
production environments so in this
sketch we have in black over here we
have the development environment then we
have in blue the test environment and on
the right the right hand side you can
see the production environment where
everything really functions so imagine
that developers are now adding new
functionality to the application so
they're modifying the application server
in the development environment to
include the new functionality and this
functionality requires access to another
resource let's say another database so
the developers develop the new
application version in the development
environment they have some bogus data in
the database they test it quickly and it
seems to function and do what is
necessary
so once development has reached this
point you roll it over into the test
environment so you put up a new resource
a new database with maybe more realistic
data introduce the updated codes to the
application server and the QA team
starts testing it in this environment is
in automatic tests manual tests and the
functionality is fine everything is
working as designed you're ready for the
big day you roll it over into the
production environment where there is
actually a real database with real data
in it you upgrade the application server
to the new version of the code and turn
the switch on and it fails
what happens after all you tested
everything properly in the development
and the test environment everything
functioned just fine when you rolled it
over to production it failed why well
the reason is that besides the
functionality of the systems there's
also the network to consider and the
structure of the network in the
production environment is slightly
different in particular the production
environment has additional network
filters as firewalls separating the
client machines from the application
server and also separating the
application server from the databases
and this firewall was missing in the
test environment and in the vid
development environment so when you
tested everything in the test
environment everything functioned but
once it's in production this firewall
over here apparently was not updated to
allow this required traffic in the
dotted line and therefore the
application failed so how can you find
this type of failure earlier in the
process and not wait until you roll it
into production and fail there you would
much rather have it same when you're in
the test environment so how can you do
that well the tip that I'd like you to
consider is actually introducing another
firewall over here and over here
introducing a network topology in the
test environment that is analogous to
the filtering policy and network
structure that you have in the
production environment and actually in
place policies on these firewalls that
are equivalent to the policies in the
production environment which means that
they are narrow and restrictive and only
allow traffic that is supposed to be
allowed if you do that then when you
deploy the new version of the code to
the application server in the test
environment it will fail because it
won't be able to communicate to the new
database and if you will remind you that
you need to also update the policy
in the firewall rules and then when you
record that knowledge you know what to
do when you roll over to the production
environment you'll remember that you
need to update the firewalls as well
thank you for your attention see you
next time
