Environments other than production should use mock or automatically generated data.
Applications usually handle personal and other types of sensitive information. This information should not be used to perform tests or during development processes, as it could lead to unintended exposure. Non-production environments should use mock data or data that has been automatically generated.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor. The product does not properly prevent a person’s private, personal information from being accessed by actors who either are not explicitly authorized to access the information or do not have the implicit consent of the person about whom the information is collected.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.
GDPR. Art. 32: Security of processing.(4) The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller.
GDPR. Recital 6: Ensuring a High Level of Data Protection Despite the Increased Exchange of Data. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data, while ensuring a high level of the protection of personal data.
GDPR. Recital 51: Protecting sensitive personal data. Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.
ISO 27001:2013. Annex A - 14.3.1 Select, protect and control test data carefully.
ISO 27001:2013. Annex A - 18.1.3 Protect records against loss, destruction, forgery, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.
OWASP Top 10 A3:2017-Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.4) Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data.
PCI DSS v3.2.1 - Requirement 6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls.
PCI DSS v3.2.1 - Requirement 6.4.3 Production data (live PANs) are not used for testing or development.