Original Post: Fixing leaky logs: how to find a bug and ensure it never returns
The article discusses the benefits of transferring security enforcement duties to developers to quickly resolve issues without depending entirely on the security team, a concept termed "self-service DevSec". The author recounts a specific incident at r2c where they identified, addressed, and implemented measures to prevent future data leakage in their logs within hours, without security team involvement. The process involved:
- Discovery and Immediate Mitigation: Reverting a logging change that was causing the issue and auditing the logs for leaks.
- Permanent Solution: Avoiding the logging of sensitive information by creating an `ObfuscatedString` type in SQLAlchemy, which obfuscates sensitive data in logs while keeping correct database operations intact.
- Enforcement: Using Semgrep, a static analysis tool, to create and enforce a rule across the organization to detect any insecurely logged SQLAlchemy columns, thus ensuring continuous compliance.
The post emphasizes the efficiency and effectiveness of developers managing security with lightweight tools like Semgrep to automatically enforce security policies and prevent recurrent mistakes.
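The pattern the post describes (a column type whose values mask themselves when logged but bind their real value for database operations), as an added illustration that is not code from the original post or from r2c. It assumes SQLAlchemy's `TypeDecorator` API; if SQLAlchemy is not installed, minimal stand-in base classes let the logging side of the demo still run. The token value and log line are constructed.

```python
import logging
from io import StringIO

try:
    from sqlalchemy.types import TypeDecorator, String
except ImportError:  # assumption: stand-ins so the demo runs without SQLAlchemy
    class String:
        pass

    class TypeDecorator:
        pass


class Obfuscated:
    """Wrapper for a sensitive string: str(), repr() and f-strings all show a mask."""
    __slots__ = ("_value",)

    def __init__(self, value: str):
        self._value = value

    def reveal(self) -> str:
        # The only way to get the real value is an explicit, greppable call.
        return self._value

    def __str__(self) -> str:
        return "<obfuscated>"

    __repr__ = __str__

    def __format__(self, spec: str) -> str:
        return format("<obfuscated>", spec)


class ObfuscatedString(TypeDecorator):
    impl = String
    cache_ok = True

    def process_bind_param(self, value, dialect):
        # Towards the database: unwrap so queries and inserts see the real value.
        if value is None:
            return None
        return value.reveal() if isinstance(value, Obfuscated) else value

    def process_result_value(self, value, dialect):
        # From the database: wrap so a careless log line cannot leak it.
        return None if value is None else Obfuscated(value)


def log_and_capture(api_token) -> str:
    """Emit the kind of log line that caused the leak and return what was written."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    log = logging.getLogger("obfuscation_demo")
    log.propagate = False
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("loaded user token=%r", api_token)  # constructed "leaky" log statement
    log.removeHandler(handler)
    return buf.getvalue()
```

The Semgrep rule the post mentions would then flag any column of a different type reaching a logging call, while `ObfuscatedString` columns are safe by construction.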
Go here to read the Original Post