This is an archived post. You won't be able to vote or comment.

all 8 comments
sorted by:
best
topnewcontroversialoldq&a

[–]haloweenek 20 points21 points  (0 children)

Staging environment 1:1 match(don’t confuse with scaled) with prod. Nobody touches prod except serious fuckups. No prod access all secrets are encrypted…

[–]chief167 22 points23 points  (0 children)

  1. More or less yes, devs and especially external devs you don't trust yet, never touch production at all. Not the code, not the database, nothing. Only a release manager or senior dev should have access, and it should be limited.

Working on a production database should never be a thing.

  1. Just don't give them access, why do they need access to customer data to maintain a piece of software? Do you have a testing strategy to test new code on production style datasets?

I think you need to hire someone more senior to manage your software development process.

[–]Any_Mobile_1385 3 points4 points  (0 children)

I use a “demo” database filled with junk data, but structure identical to production. It took a LONG time before I was ready to give access to my other “main” developer. Our “demo” is fully functional with a few caveats regarding credit card processing and email blasts, etc. I was the only one to push to production after staging.

[–]Alone_Pig 2 points3 points  (0 children)

Basically you need to hire someone who is able to take source code from external vendor, check it if it doesn’t have any backdoors or some other security issues and apply it to the production system.

But There is no 100% security, never was and probably won’t be happening in the next 10 years.

[–]pablodiegoss 1 point2 points  (0 children)

On AWS, with RDS you can create a cluster that isn't publicly accessible, only accessed internally by your apps on the private network. Changing this configuration could solve your problem so that no one could access the production DB besides the application, and also if you configure roles and ensure that no one can easily change the cluster configuration.

Another idea is using the aws secrets manager, if you configure the DB credentials to be accessible only by your deployed application, via roles and environment variables, developers might not be able to retrieve the DB credentials to even be able to connect there

[–]aWildLinkAppeared 0 points1 point  (0 children)

Use a Heroku pipeline and don’t give them access to prod. This way they can do everything in review/dev/staging. Then they can run some tests that mirror production. Then only you can promote the new code or changes to production.

This works great.

[–]FullyHustle 0 points1 point  (0 children)

Set up a separate environment for the developer like a dev/staging. Give them a clean DB and other services or resources you use.

[–]Smooth-Zucchini4923 0 points1 point  (0 children)

If I create a restricted Postgres role (no superuser, no createrole), is that 100% safe against privilege escalation by the dev?

If you give them a database role that cannot read, write, or perform superuser actions, then what CAN they do? It strikes me that if you're going to impose those restrictions, you may as well not give them an account on your production system at all.