by thebeardedone 3577 days ago
Out of curiosity, what data do you have in your development databases that this becomes such a grave concern? I mean I'm all for security and love to see how creative people can get but we are talking about dev environments and not some part of the infrastructure (automated test machines, production, etc).
5 comments

People work in development with copies of production databases all the time.

They absolutely should not, but I've seen it at companies I've worked at, at clients, and I'll admit I've done it at least a few times myself over the years.

I once requested sample data to work against while triaging/fixing a production issue and was given an unredacted copy of the production database. Lots of customer names/addresses/phone numbers/emails in there. I nuked it from orbit when I was done.

If you had read the whole article, you would have the answer to your question. E.g. it can get you to code execution if you poison Python pickled data, etc.

I actually thought the opposite. Surely the database is more valuable than the ability to execute code. Assuming it's a copy of the production database.

I give you that; I stopped reading it just before he mentioned that point. Thanks for pointing it out, very creative vulnerability.

You generally work with copies of production databases. Hell, I have prod copies of a couple banks' databases on my machine at work which I'm pretty sure violates some data protection law somewhere, despite us being (I assume) legally bound to keep the data secret.

AFAIK we're only allowed to have them on our work machines and we encourage clients to sanitize them before handing them over but not many do.

I generally work with prod backups (it's not uncommon) because you get realistic performance and it makes debugging live bugs much easier.

I prefer to have an anonymization script but many companies are too cheap to allocate time for one.
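The kind of anonymization script the comment above refers to, as an added example that is not part of the thread or anyone's actual tooling: it pseudonymizes the customer PII columns in a database copy before it is handed to developers. It assumes a SQLite copy with a `customers` table (`id, name, email, phone, address`) and an `orders` table referencing `customers.id`; the schema and sample rows are constructed for illustration, and the HMAC-based token scheme is one design choice, not a standard.

```python
"""Pseudonymize customer PII in a database copy before it leaves production.

Added example (not from the thread). Schema, column names and sample rows are
constructed assumptions; adjust PII_COLUMNS and the UPDATE per real table.
"""
import hashlib
import hmac
import secrets
import sqlite3

PII_COLUMNS = ("name", "email", "phone", "address")

# Constructed sample data: rows 1 and 3 are the same person entered twice,
# which lets us check that equal inputs map to equal pseudonyms.
SAMPLE_CUSTOMERS = [
    (1, "Alice Example", "alice@example.com", "+1-202-555-0101", "1 Main St, Springfield"),
    (2, "Bob Example", "bob@example.com", "+1-202-555-0102", "2 Oak Ave, Shelbyville"),
    (3, "Alice Example", "alice@example.com", "+1-202-555-0101", "1 Main St, Springfield"),
]
SAMPLE_ORDERS = [(100, 1, 19.99), (101, 2, 5.00), (102, 1, 7.50)]


def _token(key: bytes, column: str, value: str, length: int = 12) -> str:
    # Keyed hash: deterministic within one run (joins and UNIQUE constraints
    # survive), not reversible without the key, and the key is thrown away.
    msg = f"{column}\0{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


def pseudonymize(key: bytes, column: str, value):
    """Replace one PII value with a shape-preserving, unroutable stand-in."""
    if value is None:
        return None
    tok = _token(key, column, str(value))
    if column == "email":
        return f"user-{tok}@example.invalid"   # .invalid is reserved, never deliverable
    if column == "phone":
        return "555-" + str(int(tok, 16) % 10_000_000).zfill(7)
    if column == "name":
        return f"Customer {tok[:8]}"
    return f"{int(tok[:4], 16) % 9999 + 1} Redacted St"


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, email TEXT,"
        " phone TEXT, address TEXT);"
        "CREATE TABLE orders(id INTEGER PRIMARY KEY,"
        " customer_id INTEGER REFERENCES customers(id), total REAL);"
    )
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?,?,?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def sanitize_customers(conn: sqlite3.Connection, key: bytes) -> int:
    """Rewrite every PII column in place; returns the number of rows touched."""
    rows = conn.execute("SELECT id, name, email, phone, address FROM customers").fetchall()
    for cid, *values in rows:
        new = [pseudonymize(key, col, v) for col, v in zip(PII_COLUMNS, values)]
        conn.execute(
            "UPDATE customers SET name=?, email=?, phone=?, address=? WHERE id=?",
            (*new, cid),
        )
    conn.commit()
    return len(rows)


def original_pii(rows) -> set:
    return {v for row in rows for v in row[1:]}


def leaked_values(conn: sqlite3.Connection, originals: set) -> list:
    """Post-run check: any original PII string still present in customers."""
    found = set()
    for row in conn.execute("SELECT name, email, phone, address FROM customers"):
        found.update(v for v in row if v in originals)
    return sorted(found)


def run_demo(key=None) -> dict:
    key = key or secrets.token_bytes(32)   # fresh per run; never stored with the copy
    conn = build_sample_db()
    rows = sanitize_customers(conn, key)
    emails = dict(conn.execute("SELECT id, email FROM customers").fetchall())
    joined = conn.execute(
        "SELECT count(*) FROM orders o JOIN customers c ON c.id = o.customer_id"
    ).fetchone()[0]
    return {
        "rows": rows,
        "leaked": leaked_values(conn, original_pii(SAMPLE_CUSTOMERS)),
        "emails": emails,
        "orders_joined": joined,
    }


if __name__ == "__main__":
    print(run_demo())
```

The `leaked_values` check is the part worth keeping in any real version: run it after the rewrite and refuse to ship the copy if it returns anything. Free-text columns (notes, support tickets) also carry PII and usually need to be nulled outright rather than tokenized.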