Tags: Security, Best Practices, Observability

Default-Deny Logging: The Shift That Actually Prevents Data Leaks

Thomas Nelson · May 19, 2026 · 8 min read

Stop Masking Logs Downstream. It’s Too Late.

Sensitive debug logs can quickly spread across various systems:

  • Container outputs
  • Local files
  • Cloud services
  • Backups and archives

By the time you try to redact them, unredacted copies have almost certainly already spread. A single role with read access to any one of those copies is enough to expose them.

Why This Happens

  • Default Verbosity: Systems log too much irrelevant information.
  • Unstructured Logs: Free-form text makes leaks common and hard to detect.
  • Early Fan-Out: Data spreads before you can control it.
  • Schema Drift: Field and format changes make regex-based redaction unreliable.
  • “Temporary” Debug: Quick fixes tend to stick around.

Why Downstream Fixes Fail

  • Incomplete Cleanup: Some copies are left behind.
  • Pattern Brittleness: Regex misses variations.
  • Pipeline Stress: Complex rules can slow everything down.

Proactive Prevention

Start by controlling logging at the source:

  • Default Deny: Never log sensitive data.
  • Allowlist: Only log approved fields.
  • Structured Events: Clearly define and classify data.
  • Safe APIs: Enforce policies before writing.
  • Framework Guards: Disable automatic logging of sensitive data.
  • Pre-Disk Measures: Block data before it reaches storage.
  • Detection: Use lightweight detectors to catch sensitive markers that slip through.

Next Steps (90 Days)

  1. Stop Initial Leaks
     • Turn off “log full request/response” features.
     • Map all log paths.
  2. Establish Safe Logging
     • Create a logging policy and library.
     • Use structured logging in reviews.
  3. Edge Enforcement
     • Use middleware and gateways to handle sensitive information.
  4. First-Hop Guardrails
     • Apply local filters for sensitive markers.
  5. Test and Monitor
     • Continuously test to prevent leaks and watch for patterns.
  6. Remediation Plans
     • Rotate credentials, shorten token lifetimes, and manage retention.
  7. Iterate and Improve
     • Track incidents and update policies accordingly.

Efficient Practices

  • Use IDs, hashes, and summaries instead of raw values.
  • Transition gradually with pre-disk filters.
  • Leverage context and structured schemas.
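The source-side controls under Proactive Prevention and the ID/hash substitution above, as an added Python example (not code from the article): a default-deny logger that allowlists fields, replaces identifiers with keyed hashes, drops secret-looking values before any handler sees them, and has an observation mode for staged rollout. The field names, detector regex and key are assumptions for illustration.

```python
import hashlib
import hmac
import json
import logging
import re

# Policy tables (constructed for this example; a real policy would be loaded centrally).
ALLOWED_FIELDS = {"event", "request_id", "route", "status", "duration_ms"}
HASHED_FIELDS = {"user_id", "email"}            # emitted as a keyed hash, never raw
SUSPECT_VALUE = re.compile(r"(?i)bearer\s+\S+|\b\d{13,19}\b")  # cheap first-hop detector
HASH_KEY = b"example-key-rotate-me"             # assumption: fetched from secret storage in practice

class PolicyViolation(Exception):
    """Raised in strict mode when a caller tries to log a field the policy does not allow."""

def sanitize_event(fields: dict, strict: bool = True) -> dict:
    """Default-deny filter: keep allowlisted fields, hash identifiers, refuse everything else.

    strict=True raises on unknown fields (use in tests and CI); strict=False drops them and
    counts what was dropped, which is the observation mode for a staged rollout.
    """
    out, dropped = {}, 0
    for key, value in fields.items():
        if key in HASHED_FIELDS:
            digest = hmac.new(HASH_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:16]
            out[key + "_hash"] = digest          # stable for joins, not reversible without the key
        elif key in ALLOWED_FIELDS:
            if SUSPECT_VALUE.search(str(value)):
                out[key] = "<dropped:suspect-value>"   # secret-looking value in an allowed field
            else:
                out[key] = value
        elif strict:
            raise PolicyViolation(f"field {key!r} is not allowlisted for logging")
        else:
            dropped += 1
    if dropped:
        out["_dropped_fields"] = dropped
    return out

class SafeLogger:
    """Thin wrapper: the policy runs before any handler, file or stdout sees the record."""
    def __init__(self, name: str = "app", strict: bool = True):
        self._log = logging.getLogger(name)
        self._strict = strict
    def event(self, name: str, **fields) -> dict:
        record = sanitize_event({"event": name, **fields}, strict=self._strict)
        self._log.info(json.dumps(record, sort_keys=True))
        return record

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    SafeLogger(strict=False).event("login", user_id="42", route="/login", password="hunter2")
```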

Tooling Assistance

  • Central Policy, Local Action: Minimize drift.
  • Staged Implementation: Start in observation mode.
  • Developer-Friendly Defaults: Provide clear guidance.

Bottom Line

Block data leaks at their source. Downstream masking isn’t reliable. Adopt strong logging practices, enforce them proactively, and use downstream redaction only as a last resort.