secured

Hi everyone,

What we've been doing around here is trying to put together an implementation framework that would deliver the most secure Drupal possible. Our idea so far is this:

First layer is a Varnish cache - it is the only publically exposed port of the entire infrastructure.

Second layer is a Drupal install with a read-only mysql user (other than the session, watchdog and cache tables of course), so that even if someone elevates permissions in Drupal, they are unable to write anything to the database.

we have a LIVE website, with active (recurring) paid subscribers...
every month - they get charged on their credit card through paypal.

(so far - all good)

now - while creating the next version, updates, etc -
on DEV - we migrated all live user info and started working with it
(ouch)
and then - all our paid subscribers - got a false message - that their credit card cannot be charged!

my question is -
moving forward, as we are going to have automatic notification on content added, newsletters, recurring payment, etc.

is there any safe method / workflow -