A typical development workflow has three environments: development, staging, and production. Some developers don’t view staging as an environment, but we included it here to give you a full scope of the process.
A development environment is on your computer. It’s the environment where you’ll conduct all your code development without touching the actual data. In development, you can test upgrades, new features, and improvements without impacting the customer’s view. You may find bugs along the way, but that’s what this environment is meant to discover.
Typical use-cases for a development environment include:
- Building new features, extending existing features, and code refactoring.
- Running integration tests.
There are few restrictions on what developers can do in their development environment, and they are free to experiment with code until they are happy with it, at which point they will push it to the staging environment.
The staging environment is a production-like environment to see how your code will perform. This is the final testing ground before the code is pushed into production. Staging environments are often used for:
- Quality assurance and performance testing.
- Vulnerability testing and risk analysis.
- Integration testing, to ensure that the code integrates well with services and databases the app depends on.
Staging environments also give other developers, project managers, and clients an opportunity to examine software before it goes live.
Because extensive testing takes place in the staging environment, it’s important that it is as similar to production as possible, including both the software and hardware. While it’s fine to host a development environment on a laptop, the staging environment should be on a server with the same hardware it will run on in production.
In a production environment, systems go live and your developed code is released to end-users. You deploy completed code that has endured proper vulnerability testing and risk analysis. All of the testings are complete and there’s the expectation that you’ll find only minor bugs if any. Once it’s released, you’re relying on it as a profit source, so you want to make sure it’s secure
In theory, major bugs and software vulnerabilities should have been discovered before the code goes to production, but that’s rarely the case for complex software systems. It is likely that at least some bugs made it through testing, so organizations must design and implement network and data security systems that assume the existence of vulnerabilities.
Importance of Security Throughout Dev, Staging, and Production
With multiple environments comes the difficulty of securely managing them. The best practice is to separate your development, staging, and production environments. This allows each to evolve at its own pace – maybe the development environment is testing out features that won’t be available in production for at least a year – and reduces the risk of cross-contamination. Any bugs discovered in staging, for example, will be contained within that environment and not spread any further. Most importantly, keeping your development, staging, and production environment separate will help protect data.
Security Concerns in DevOps
For organizations that use the DevOps approach, security is an even greater concern. It’s face-based, there’s more overlap, there’s automation – there are many reasons to implement and verify security processes in DevOps.
To preserve high-level compliance practices within your development, staging, and production environments, you can implement configuration management techniques, monitoring, and logging processes, and even integrate infrastructure as code or policy as code. You can set yourself up for success by performing regular code review during the development process, making changes proactively to all environments, confirming that you have limited access to the proper channels, or even engage in continuous penetration testing to ensure no vulnerability is overlooked. These practices will ensure you’re doing your due diligence to securely manage your various environments.