S 4.240 Setting up a testing environment for servers

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

For servers with high security requirements, a testing environment should be set up in which configuration changes, updates and patches can be tested before they are installed on the production system. This applies to security patches and updates as well as to normal updates published by the manufacturer.

The testing environment must be structured in such a way that it allows a "functionally equivalent" installation of hardware and software. This does not necessarily mean that a second, identically configured system must be purchased in addition to the expensive server computer. A system that is equipped with considerably cheaper technology usually suffices to test configuration changes, updates and patches of application programs and server software.

However, it should also be possible to test new device drivers before installing them. It can therefore be advantageous to use different test systems for different types of tests, e.g. one system for testing system-related programs and operating system patches, and another for tests related to the actual server software. In this case, however, one must be aware that certain forms of interaction between the operating system environment and the server software cannot be covered. If special demands are made on the server with regard to security and reliability, it can therefore indeed be necessary to have an identically configured system available as a testing environment.

Checklists should be drawn up for typical and frequently recurring test cases. Beyond documenting the test, they can also contribute to increasing efficiency and avoiding mistakes.

All tests should be documented in such a way that they can be reconstructed at a later point in time.

Review questions: