Keeping secrets out of logs (2024)
3 days ago
- #secrets-management
- #logging
- #security
- The article discusses the challenge of keeping secrets out of logs, emphasizing that there is no single solution or silver bullet.
- Secrets in logs can range from minimal impact (e.g., internal API keys) to severe (e.g., customer passwords or PII).
- Common causes of secrets in logs include direct logging, kitchen sinks (logging entire objects with secrets), configuration changes, embedded secrets in URLs, telemetry, and user input.
- The article proposes 10 'lead bullets' (imperfect but effective strategies) to mitigate the issue, including data architecture, data transformations, domain primitives, read-once objects, log formatters, unit tests, sensitive data scanners, log pre-processors, taint checking, and people.
- Domain primitives are highlighted as a powerful tool to differentiate secrets from regular strings, providing compile-time and run-time safety.
- Read-once objects ensure secrets are used only once, preventing unintentional logging or misuse.
- Taint checking is recommended for static analysis to detect secret flows into logs.
- Log formatters and pre-processors can redact or drop sensitive data before logs are stored.
- A strategic approach is outlined: lay the foundation, understand data flow, protect chokepoints, apply defense-in-depth, and plan for response and recovery.
- The article concludes by stressing the ongoing nature of the challenge and the need for continuous improvement and adaptation.
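As an added illustration (not code from the article), the following Python sketch combines three of the "lead bullets" summarized above: a domain primitive that redacts itself whenever it is stringified or formatted, a read-once variant that fails loudly on a second use, and a log formatter acting as a chokepoint that masks a constructed `sk_`-prefixed key pattern before the line is written. The `Secret`/`reveal()` names and the key pattern are assumptions for illustration only.

```python
import logging
import re

REDACTED = "[REDACTED]"


class Secret:
    """Domain primitive: a secret that never exposes itself via str()/repr()/format().
    Only an explicit reveal() returns the raw value, so a 'kitchen sink' log of a
    whole object prints [REDACTED] instead of the secret."""
    __slots__ = ("_value",)

    def __init__(self, value: str):
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __str__(self) -> str:
        return REDACTED

    __repr__ = __str__

    def __format__(self, spec: str) -> str:
        return REDACTED


class ReadOnceSecret(Secret):
    """Read-once variant: the value can be consumed exactly once; a second reveal()
    raises, so accidental reuse (including a stray log call) is caught at run time."""

    def reveal(self) -> str:
        if self._value is None:
            raise RuntimeError("secret already consumed")
        value, self._value = self._value, None
        return value


class RedactingFormatter(logging.Formatter):
    """Log formatter chokepoint: masks known secret shapes in the rendered message.
    The 'sk_' key pattern is a constructed example, not a real vendor format."""
    PATTERN = re.compile(r"sk_[A-Za-z0-9]{8,}")

    def format(self, record: logging.LogRecord) -> str:
        return self.PATTERN.sub(REDACTED, super().format(record))


def render_config(config: dict) -> str:
    """Simulates logging an entire config object (the 'kitchen sink' case)."""
    return f"loaded config: {config}"


def format_with_redaction(message: str) -> str:
    """Runs one message through the redacting formatter, as a logging handler would."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, message, None, None)
    return RedactingFormatter("%(message)s").format(record)
```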