Developers: Stop Your Engines
If I wanted to hack a site, I'd start with the developer's servers, cloud resources and backups for that site and not the production site itself.
We developers are busy and focused on delivering features, often under unreasonable deadlines. We also take shortcuts to get a task done quickly, and sometimes we are just lazy. Whatever the reason, rigorous attention to securing every developer system, file share, cloud resource, set of test data and backup is often a lower priority.
"Developer systems are a gold mine for the hacker; they are the soft underbelly."
Developer and test systems often contain vast amounts of critical information: essential software, access keys, secrets, and often complete copies of critical company data. Developer systems also typically have access to other shares, which makes them ideal launching pads for further attacks.
However, these dev and test systems typically do not get the same level of security oversight as production systems. They are constantly changing environments, which are more difficult to secure, and they offer hackers a wealth of easy opportunities.
There are many things we can do to improve the security of developer systems, and I'll write more about that soon. But for now, there is one quick, easy way to improve the security of these systems.
Turn them off!
That's right: just turn developer systems and cloud resources off when they are not in use. The fail-safe state for these systems should be powered down whenever nobody is using them.
Hackers can't hack what they can't see.
The most secure server is one that is powered down. For cloud services, all dev, test and staging environments should be turned off whenever not in active use.
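One way to make "off when not in active use" the default rather than something a developer has to remember. This is an added example, not code from the original post: a pure policy function that, given an inventory of cloud instances with an environment tag and a last-activity timestamp, returns the non-production ones that should be stopped and flags untagged ones for review. The tag names (`Environment`, `KeepRunning`), the two-hour idle limit and the sample inventory are all constructed assumptions; applying the result through the cloud provider's stop-instance API is left to the operator.

```python
from datetime import datetime, timedelta, timezone

# Environments the post says should be off when not in active use (assumed tag values).
NON_PRODUCTION = {"dev", "test", "staging"}
# Constructed policy: power down after this much idle time.
IDLE_LIMIT = timedelta(hours=2)


def instances_to_stop(inventory, now, idle_limit=IDLE_LIMIT):
    """Return IDs of running non-production instances idle for at least idle_limit.

    Each inventory entry is a dict with keys: id, state, tags (dict) and
    last_activity (timezone-aware datetime). Production instances are never
    touched, and a KeepRunning=true tag (e.g. a long test run) exempts an instance.
    """
    to_stop = []
    for inst in inventory:
        tags = inst.get("tags", {})
        env = tags.get("Environment", "").lower()
        if env not in NON_PRODUCTION:
            continue  # production or untagged: leave alone (untagged ones are reported separately)
        if inst.get("state") != "running":
            continue  # already off
        if tags.get("KeepRunning", "").lower() == "true":
            continue  # explicit exemption
        if now - inst["last_activity"] >= idle_limit:
            to_stop.append(inst["id"])
    return sorted(to_stop)


def untagged_instances(inventory):
    """Instances with no Environment tag cannot be classified; report them for review."""
    return sorted(i["id"] for i in inventory if "Environment" not in i.get("tags", {}))


# Constructed sample inventory (not real instance IDs).
NOW = datetime(2024, 1, 15, 22, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"id": "i-dev-01", "state": "running", "tags": {"Environment": "dev"},
     "last_activity": NOW - timedelta(hours=5)},        # idle 5h -> stop
    {"id": "i-dev-02", "state": "running", "tags": {"Environment": "dev"},
     "last_activity": NOW - timedelta(minutes=30)},     # still active -> keep
    {"id": "i-test-01", "state": "running", "tags": {"Environment": "test", "KeepRunning": "true"},
     "last_activity": NOW - timedelta(hours=12)},       # exempted -> keep
    {"id": "i-stage-01", "state": "stopped", "tags": {"Environment": "staging"},
     "last_activity": NOW - timedelta(days=3)},         # already off
    {"id": "i-prod-01", "state": "running", "tags": {"Environment": "prod"},
     "last_activity": NOW - timedelta(days=30)},        # production -> never touched
    {"id": "i-mystery", "state": "running", "tags": {},
     "last_activity": NOW - timedelta(days=10)},        # untagged -> review
]

if __name__ == "__main__":
    print("stop:", instances_to_stop(SAMPLE_INVENTORY, NOW))
    print("review (untagged):", untagged_instances(SAMPLE_INVENTORY))
```

Run on a schedule, the untagged list is the part worth watching: an instance nobody can classify is exactly the forgotten box the post describes.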
See the Web Developer Security Checklist.