In this episode, we talk about development environments and specifically about index pages that are left unintentionally exposed to the internet for anyone to find.
1. What are the risks?
2. How common is this exposure?
3. What can you do to prevent such exposures?
What are development index pages?
Development index pages are a one-stop shop for all the development environments a company owns. These pages often contain sensitive information that should not be exposed to the internet, such as links to QA environments and mobile development environments, as well as API documentation for development. In some cases these pages also include detailed descriptions of future products. Besides these environments, some of these pages may include links to the company's Jenkins, Jira, Confluence and other internal systems.
How common is it to find such exposed development index pages online?
On average, Reposify finds about a hundred thousand new exposed development environments every week, many of which are development index pages. We see this type of exposure across all types of companies, large and small alike, no matter how secure they are.
This exposure is typically a result of failing to secure these environments behind a VPN. This can happen to internal teams but also to third-party vendors with whom a company works.
How to avoid unnecessary exposures of development index pages?
The first and most basic thing is to make sure that all your development and QA environments are properly secured behind a VPN. This and other related company policies should be clearly communicated both internally and with any vendors with whom you work. However, relying on communications and policies isn’t enough.
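One way to back the policy with an automated check, as an added example (not Reposify's code or method): a heuristic that inspects the HTML of a page served by one of your own hosts and flags it as a likely development index page when its links span several of the categories described above. The keyword lists, the threshold, the function names and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Categories come from the page's description of a development index page;
# the keyword lists and the threshold are assumptions for illustration.
INDICATORS = {
    "ci": {"jenkins"}, "tracker": {"jira"}, "wiki": {"confluence"},
    "qa_env": {"qa", "dev", "staging"}, "api_docs": {"api", "swagger"},
}

class LinkCollector(HTMLParser):
    """Collects (href, anchor text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify(html, min_categories=3):
    """Flag a page as a likely dev index when its links span several categories."""
    parser = LinkCollector()
    parser.feed(html)
    hits = {}
    for href, text in parser.links:
        # Whole-token match so "qa" does not fire inside unrelated words.
        tokens = set(re.findall(r"[a-z0-9]+", f"{href} {text}".lower()))
        for category, words in INDICATORS.items():
            if tokens & words:
                hits.setdefault(category, []).append(href)
    return {"is_dev_index": len(hits) >= min_categories, "hits": hits}

# Constructed sample pages (example.test is a reserved placeholder domain).
SAMPLE_INDEX = """<ul><li><a href="https://qa.example.test/">QA environment</a>
<li><a href="https://mobile-dev.example.test/">Mobile development</a>
<li><a href="https://jenkins.example.test/">Jenkins</a> <a href="/jira/">Jira</a>
<li><a href="/confluence/">Confluence</a> <a href="/api/docs/">API documentation</a></ul>"""
SAMPLE_PUBLIC = """<a href="/products">Products</a> <a href="/blog/qa-tips">QA tips</a>"""

if __name__ == "__main__":
    for name, page in (("index", SAMPLE_INDEX), ("public", SAMPLE_PUBLIC)):
        print(name, classify(page))
```

Run it over responses your own hosts return to a client outside the VPN; a page that classifies as a development index there is one that should not have been reachable.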
How can Reposify help?
Reposify’s Attack Surface Management platform automatically discovers all your internet-exposed assets, including development environments, no matter where they are located.
Once an exposure is discovered, the system sends you a real-time notification so your team can remediate the issue before attackers can find and exploit it.