180 – Use mock data

Summary

Environments other than production should use mock or automatically generated data.

Description

Applications usually handle personal and other types of sensitive information. This information should not be used to perform tests or during development processes, as it could lead to unintended exposure. Non-production environments should use mock data or data that has been automatically generated.

Supported In

Advanced: True

References

• CWE-359. Exposure of private personal information to an unauthorized actor
• EPRIVACY-4_1a. Security of processing
• GDPR-32_4. Security of processing
• GDPR-R6. Ensuring a high level of data protection despite the increased exchange of data
• GDPR-R51. Protecting sensitive personal data
• OWASP10-A2. Cryptographic failures
• OWASP10-A3. Injection
• MITRE-M1048. Application isolation and sandboxing
• PADSS-5_1_1. Live PANs are not used for testing or development
• HITRUST-01_w. Sensitive system isolation
• HITRUST-09_d. Separation of development, test and operational environments
• HITRUST-10_i. Protection of system test data
• ISO27002-8_25. Secure development lifecycle
• ISO27002-8_31. Separation of development, test and production environments
• NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
• PCI-6_5_5. Changes to all system components are managed securely
• ISO27001-8_25. Secure development lifecycle
• ISO27001-8_31. Separation of development, test and production environments

Weaknesses

• 226 – Business information leak - Personal Information

Last updated

2023/09/18