A dev server is meant for raw, unreleased versions of the product. That software may contain errors and vulnerabilities. If an issue occurs in the development project, it can affect the production website whenever both are hosted on the same server. Development work also tends to leave many entry points and sensitive files exposed.
- Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. A10:2017 - Insufficient Logging & Monitoring
- Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data: accessing other users’ accounts, viewing sensitive files, SPH files, modifying other users’ data, changing access rights, etc. A2:2017 - Broken Authentication, A5:2017 - Broken Access Control
Most of the above falls under A6:2017 - Security Misconfiguration. Security misconfiguration is the most commonly seen issue. It is usually the result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must also be patched or upgraded in a timely manner.
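As an added illustration (not part of the original page and not any vendor's reference configuration), the nginx layout below puts the weak "one vhost for everything" setup beside a corrected one that keeps the development site on its own document root and PHP-FPM pool, hides version strings and PHP errors, blocks leftover dotfiles and backups, and restricts the dev host to an assumed office IP range plus HTTP basic auth. Host names, file paths, socket names, certificate paths and the 203.0.113.0/24 range are all assumptions.

```nginx
# Constructed example: isolating a development vhost from the production store.
# All names, paths and the allowed IP range below are assumptions.

# --- Weak: one server block serving dev and prod from the same tree -----------
# server {
#     listen 80;
#     server_name shop.example.com dev.shop.example.com;
#     root /var/www/shop;                      # dev and prod share files and PHP workers
#     server_tokens on;                        # nginx version leaks in headers/error pages
#     location ~ \.php$ {
#         fastcgi_pass unix:/run/php/php-fpm.sock;
#         include fastcgi_params;
#         fastcgi_param PHP_VALUE "display_errors=on";   # stack traces reach visitors
#     }
# }

# --- Corrected: production vhost with hardened defaults ------------------------
server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_certificate     /etc/nginx/tls/shop.crt;        # assumed paths
    ssl_certificate_key /etc/nginx/tls/shop.key;
    root /var/www/shop-prod/pub;
    server_tokens off;                           # no version string in the Server: header

    # Deny dotfiles (.git, .env, .htaccess) and common leftovers from development
    location ~ /\.            { deny all; }
    location ~* \.(bak|old|orig|swp|sql|log)$ { deny all; }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm-prod.sock;   # separate pool, separate user
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_VALUE "display_errors=off";   # errors go to the log, not the page
    }
}

# --- Corrected: development vhost reachable only from the office range ---------
server {
    listen 443 ssl;
    server_name dev.shop.example.com;
    ssl_certificate     /etc/nginx/tls/dev.crt;         # assumed paths
    ssl_certificate_key /etc/nginx/tls/dev.key;
    root /var/www/shop-dev/pub;                  # own document root, own database credentials
    server_tokens off;

    allow 203.0.113.0/24;                        # assumed office range (TEST-NET-3)
    deny  all;                                   # everyone else receives 403
    auth_basic           "Development";          # second gate on top of the IP allow-list
    auth_basic_user_file /etc/nginx/dev.htpasswd;
    add_header X-Robots-Tag "noindex, nofollow" always;   # keep the dev site out of search engines

    location ~ /\. { deny all; }
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm-dev.sock;    # own pool: a dev crash cannot starve prod
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

The two separate PHP-FPM sockets are the point that ties back to the resource-sharing and "dev error takes prod down" concerns: with distinct pools (each with its own `user`, `pm.max_children` and `php_admin_value` settings in the pool file), a runaway dev request cannot exhaust the workers serving customers. The deny rules and `display_errors=off` address the "sensitive files exposed" and "verbose error messages" points; the IP allow-list and basic auth shrink the audience of the dev site to the people who actually need it.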
Why we recommend having separate development and production environments.
If you store the dev and prod websites on one server, you should understand that:
- both share the same resources (CPU, RAM, disk, etc.);
- an error or issue in the dev project can affect the production (live) website;
- such errors may cost you customers and revenue;
- a development environment is an attractive target for attackers if the basic rules of information security are not followed.
We can provide development servers for your projects, where you can enhance and improve your store.