
Are there good ways to put guardrails on not logging sensitive information? For example, passwords.

If there isn't a guardrails approach, is there a way to help make the easy thing the right thing, like creating a logging library wrapper that filters out passwords and whatever other data you deem should be omitted from logs?

It seems like Datadog has some functionality to help with this, but Datadog may not be the only place you're logging (AWS, etc.), so something in the application code feels like the right place?

stk1234
  • I think you are looking for data classification and tagging at the code level. Lots of tools to provide for this. – schroeder Jul 05 '22 at 08:58

1 Answer


Some languages are better than others in that regard. Those that support runtime annotations permit you to flag sensitive items (e.g. @DoNotLog in Java), and then you must ensure your logging mechanism does not log those (or logs them in a non-reversible form; it can still be useful to have e.g. a PBKDF representation in case of need for forensics). There is still the need to flag all sensitive data.

But any good answer will be pretty language and framework specific.

Bruno Rohée