Even very sophisticated software companies with very smart people working in them have experienced breaches.
When attackers get as far as the software development systems, they could, in theory, build from the victim's own source code and ship malicious versions that are virtually indistinguishable from the original. They may also exploit the data that is used in test environments.
It turns out that protecting development systems is complicated but critical. The damage that an attacker could do to your business with control of those systems is considerable.
One major tool in protecting such systems is segmentation. You should separate the different functional areas of the network (Finance, Human Resources, Engineering and so on) from one another as rigidly as possible.
The same premise applies to app dev, test and production environments in the public cloud. Each should be its own segment, and apps and data should be kept separate within each segment as well. Rudimentary segmentation can be accomplished with ordinary cloud networking features such as virtual networks, subnets and security groups. More advanced segmentation, based on application workload and perhaps even user privilege level, can be achieved with next-generation firewalls, which inspect the traffic flowing through the ports left open between segments and can flag data leaving a segment that should not. Data in transit, meanwhile, must be encrypted, for example over a VPN.
Segmentation applies to public clouds just as it applies to private ones and on-premises installations. You can and should segment your virtual networks and erect security barriers around each segment, allowing only authorized traffic to and from authorized systems. Palo Alto Networks supports this with User-ID, a component of its Next-Generation Firewalls for Amazon Web Services and Microsoft Azure, which lets policy be written in terms of user identity rather than IP address alone.
This practice follows the principle of least privilege: communications into each segment should be limited to the source IPs, ports and applications that actually need them. Start by blocking all traffic, then open connections only to the systems that need them. This guideline applies at least as strongly to app dev and test segments as to any other. Protect each segment from every other segment, not just from the outside.
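The default-deny rule above is easy to state and easy to drift away from once dozens of security groups exist. The script below is an added example, not code from the original page or from Palo Alto Networks: it audits a set of cloud security-group ingress rules against an explicit allow-list of segment-to-segment flows and reports anything that opens more than the policy permits. The segment CIDRs, the allow-list, the rule format (loosely shaped like AWS security-group entries) and the rule data are all constructed for the example.

```python
"""Audit security-group ingress rules against a default-deny segmentation policy.

Constructed example: the segments, allow-list and rules below are illustrative
and do not describe any real environment.
"""
from ipaddress import ip_network

# Network segments, one per functional area (constructed addressing).
SEGMENTS = {
    "dev": ip_network("10.10.0.0/16"),
    "test": ip_network("10.20.0.0/16"),
    "prod": ip_network("10.30.0.0/16"),
    "finance": ip_network("10.40.0.0/16"),
}

# The only flows the policy allows: (source segment, destination segment, proto, port).
# Everything not listed here is denied, including traffic between segments
# and traffic within a segment.
ALLOWED_FLOWS = {
    ("dev", "test", "tcp", 443),    # dev pushes builds to the test segment
    ("test", "prod", "tcp", 443),   # promotion pipeline into production
    ("prod", "prod", "tcp", 5432),  # prod app tier to prod database
}

# A rule that opens more than this many ports is treated as "all ports" in spirit.
MAX_PORTS_PER_RULE = 16

# Constructed ingress rules. "segment" is the segment the group protects.
RULES = [
    {"group": "sg-prod-web", "segment": "prod", "proto": "tcp",
     "from_port": 443, "to_port": 443, "cidr": "10.20.0.0/16"},      # test -> prod 443: allowed
    {"group": "sg-prod-db", "segment": "prod", "proto": "tcp",
     "from_port": 5432, "to_port": 5432, "cidr": "10.10.0.0/16"},    # dev -> prod DB: violation
    {"group": "sg-test-ci", "segment": "test", "proto": "-1",
     "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},         # open to the world: violation
    {"group": "sg-dev-app", "segment": "dev", "proto": "tcp",
     "from_port": 22, "to_port": 22, "cidr": "10.40.0.0/16"},        # finance -> dev SSH: violation
]


def source_segment(cidr):
    """Return the name of the segment a source CIDR lies inside, or None if it
    is wider than any single segment (e.g. 0.0.0.0/0 or an unknown range)."""
    net = ip_network(cidr)
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name
    return None


def audit_rule(rule, allowed=ALLOWED_FLOWS):
    """Return a list of policy problems with one ingress rule (empty if compliant)."""
    findings = []
    src = source_segment(rule["cidr"])
    if src is None:
        findings.append("source %s is not confined to a known segment" % rule["cidr"])
        return findings
    if rule["proto"] == "-1":
        findings.append("rule permits all protocols")
        return findings
    lo, hi = rule["from_port"], rule["to_port"]
    if hi - lo + 1 > MAX_PORTS_PER_RULE:
        findings.append("port range %d-%d is too wide" % (lo, hi))
        return findings
    # Check every port the rule opens against the allow-list individually.
    for port in range(lo, hi + 1):
        flow = (src, rule["segment"], rule["proto"], port)
        if flow not in allowed:
            findings.append("flow %s -> %s %s/%d is not on the allow-list" % flow)
    return findings


def audit(rules, allowed=ALLOWED_FLOWS):
    """Return {group name: [problems]} for every group with a non-compliant rule."""
    report = {}
    for rule in rules:
        problems = audit_rule(rule, allowed)
        if problems:
            report.setdefault(rule["group"], []).extend(problems)
    return report


if __name__ == "__main__":
    for group, problems in audit(RULES).items():
        for problem in problems:
            print("%s: %s" % (group, problem))
```

The allow-list is deliberately the only source of truth: a rule is compliant only if every port it opens corresponds to an entry in it, so adding a new dev-to-prod path means adding a reviewed line to the policy rather than quietly widening a group. The same check can be run against real rule exports once they are translated into the simple dictionary shape used here.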
It is typical for attackers to gain entry through some lower-profile, less-guarded element and then move laterally into other areas of the network, until they gain access to the assets they really want.
Applying this concept to developers in a modern environment is both difficult and necessary. Developers commonly rely on Internet-based tools and libraries and object to any restriction on their freedom, but security has to be the higher priority. They certainly need access to those tools, but it should be through a separate, carefully monitored system that is isolated from the developer segment by policy.
Cloud architectures facilitate segmentation because, from the customer's standpoint, all networking is virtual: you don't buy physical boxes and move cables around; you define the network in software. Security policies that reinforce the network segmentation help ensure your app dev and test environments are protected.
Palo Alto Networks' GlobalProtect products, for example, lock down connections and inspect all packets in the context of the application in which they run. Virtual security appliances like these are helpful tools that make it easier for you to protect your organization. When in doubt, isolate. And if your in-house security team isn't fully knowledgeable when it comes to software-defined environments, don't hesitate to seek expert help from a trusted partner.