Production database exports must have database administration credentials and sensitive data removed before releasing the export.

From Application Security and Development Security Technical Implementation Guide

Part of ASDV-PL-003310

Associated with: CCI-002478

SV-85033r1_rule Production database exports must have database administration credentials and sensitive data removed before releasing the export.

Vulnerability discussion

Production database exports are often used to populate development databases. Test and development environments do not typically have the same rigid security protections that production environments do. When production data is used in test and development, the production database exports need to be scrubbed to prevent information such as passwords and other sensitive data from becoming available to development and test staff who may not have a need to know. Sensitive data should not be included in database exports because of classification, privacy, and other data protection requirements. Not all application developers have a need to know sensitive information such as HIPAA data, Privacy Act data, production admin passwords, or classified data.

Check content

Review the application documentation and identify the existence of databases within the application architecture. Ask the application admin to identify when data exports from this database are imported to test or development databases. If no data is exported to test or development databases, this check is not applicable. If there are such data exports, ask whether the production database includes data identified by the data owner as sensitive, such as passwords, financial, personnel, personal, HIPAA, Privacy Act, or classified data. If any database exports include sensitive data and that data is not sanitized or removed prior to or immediately after import to the development database, this is a finding.

Fix text

Remove sensitive data from production database exports.
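
One way to scrub a copy of an export and then confirm nothing was missed, shown as an added example that is not part of the STIG text. The schema, the POLICY mapping, the 'dba' role value, and all sample rows are constructed assumptions; SQLite stands in for whatever database engine is actually in use.

```python
import sqlite3

# Hypothetical policy; the data owner decides which columns count as sensitive.
POLICY = {
    "users": {"password_hash": "null", "ssn": "null", "email": "pseudonym"},
    "patients": {"diagnosis": "null"},
}
ADMIN_ROWS = ("users", "role = 'dba'")  # rows holding DB administration credentials

def build_sample_export():
    """Constructed stand-in for a production export; every value is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            password_hash TEXT, role TEXT, ssn TEXT, email TEXT);
        CREATE TABLE patients (id INTEGER PRIMARY KEY, user_id INTEGER, diagnosis TEXT);
        INSERT INTO users VALUES
            (1, 'dbadmin', 'constructed-admin-hash', 'dba', '000-00-0001', 'dba@example.test'),
            (2, 'alice', 'constructed-user-hash', 'user', '000-00-0002', 'alice@example.test');
        INSERT INTO patients VALUES (1, 2, 'constructed diagnosis');
    """)
    return conn

def sanitize_export(conn):
    """Drop admin accounts, then null or pseudonymize each column named in POLICY."""
    table, where = ADMIN_ROWS  # identifiers come from trusted constants, not user input
    conn.execute(f"DELETE FROM {table} WHERE {where}")
    for table, columns in POLICY.items():
        for column, action in columns.items():
            if action == "null":
                conn.execute(f"UPDATE {table} SET {column} = NULL")
            elif action == "pseudonym":  # keeps values unique so test joins still work
                conn.execute(f"UPDATE {table} SET {column} = 'user' || id || '@example.invalid'")
            else:
                raise ValueError(f"unknown action {action!r} for {table}.{column}")
    conn.commit()

def find_leftovers(conn, known_sensitive):
    """Return (table, column) pairs that still contain any known sensitive value."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for column in [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]:
            query = f"SELECT COUNT(*) FROM {table} WHERE instr(CAST({column} AS TEXT), ?) > 0"
            if any(conn.execute(query, (v,)).fetchone()[0] for v in known_sensitive):
                hits.append((table, column))
    return hits
```

Running find_leftovers after the scrub searches every column of every table, so it also flags sensitive values sitting in columns the policy did not list.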
