What action must be taken before applications become active or released to customers?

• A. Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
• B. Create additional test accounts for post-release testing.
• C. Keep development accounts active for debugging after release.
• D. Encrypt all credentials after release.

Answer: (A)

Removing development, test, and custom application accounts, user IDs, and passwords before the production release reduces the live system’s attack surface. Development and test credentials are often highly privileged or used for debugging, and leaving them active in production creates an easy backdoor for attackers or accidental misuse. By eliminating these accounts before activation, only approved production access remains, making it easier to enforce strict access controls, auditing, and credential management. Creating extra test accounts after release or keeping development accounts active would reintroduce risk and complicate security governance, and encrypting credentials after release doesn’t remove the presence of those unused accounts. So, the safest path is to remove these accounts before going live.