DevOps Security Means Moving Fast, Securely

In this world of lightning-fast development cycles, MVPs, and DevOps, it may intuitively feel like security gets left behind. You might be thinking, “Aren’t the security guys the ones who want to stop everything and look at our code to tell us how broken it is right before we try to deliver it?” Many feel that DevOps security is a pipe dream.

Is it possible to be fast and secure? Lately, I’ve been drooling over a sports car, namely the Alfa Romeo Giulia Quadrifoglio. Long name, fast car. It holds some impressive racing records and sports 505 horsepower, but it is also a Motor Trend Car of the Year and an IIHS Top Safety Pick. The safety rating comes from automatic braking, forward-collision warning, lane-keeping assistance, blind-spot monitoring, and rear cross-traffic alert. It is possible to be fast and safe.

The key to DevOps security is for security to move at the pace of development instead of gating it. Security teams need to understand why DevOps practices are so effective and learn to adopt those same practices themselves.


Verbose Logging: Your Magnifying Glass for Bad Application Behavior

You probably don’t think of verbose logging as the stuff that hackathons and startups are made of.  Nor would most programmers consider it an especially advanced technique.  But it is important, and enough people ask about it that it’s worth covering.

Part of the reason that so many people inquire about the subject of verbose logging is that it’s kind of general in the same way that searching for “logging” is general.  So let’s start by at least getting more specific with a definition.


Java Exceptions and How to Log Them Securely

As a security consultant, I perform assessments across a wide variety of applications. Across the applications I’ve tested, it’s common for them to suffer from some form of inadequate exception handling and logging. Logging and monitoring are often-overlooked areas, and with the increase in threats against web applications they were added to the 2017 OWASP Top 10 as the new tenth item, under the name “Insufficient Logging and Monitoring.”

So what’s the problem here? Well, let’s take a look.


Getting Started Quickly with Ruby Logging

Time for us to continue with our ongoing series, in which we teach you how to get started logging quickly in a variety of programming languages. We started out the series with C#, we proceeded to cover Java, and then we wrote about Python.

So, what about tipping the scale to the side of dynamically-typed interpreted languages? That’s exactly what we’re doing today by teaching you how to get up and running with logging, using the Ruby programming language.

Today’s post will follow the basic structure that’s been used in the previous articles. It will cover

  • How to implement a very rudimentary logger.
  • A discussion on the fundamentals of logging: why bother logging, which data to log, and where to log.
  • Finally, a very simple yet realistic example of proper logging, with help from the Ruby “Logger” class.

Like the previous installments of the series, we’ll create a very simple toy app in order to demonstrate how to log. As we’ve just said, we’re going to start with a very primitive—though functional—approach, and we’ll then evolve it toward a more sophisticated and realistic solution.


HTTP Monitor: What It Is and Why You Need It

One day, one of our main web APIs went down, and the first person who knew about it was my boss. We were so busy bringing the API back up that we never stopped to ask how he managed to stay one step ahead of us. At times we even suspected he had nothing better to do than refresh the page constantly. The truth is that he wasn’t doing that at all: he was using an HTTP monitor that emailed him every time the API was down, slow, or unresponsive.

It was actually lucky for us that he had that monitor: it helped everyone fix things before our clients could notice. But what is an HTTP monitor, anyway? And why else would you need it?


Get Started Quickly With Python Logging

Picking up from the previous logging articles on how to get started logging with C# and Java, today we’ll be looking at how to get up and running quickly with logging in Python.

Even if you’ve already read the previous articles, this post is worth a read. It covers new ground, starting with the basics of application logging in Python, and a few other things, such as

  • Configuring the logging module.
  • What to log and why.
  • The security implications of logging.

So what are you waiting for? Keep reading, and let’s get a simple project set up to begin working with.
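The last bullet, the security implications of logging, is easiest to see in configuration. The block below is an added example written for this page, not code from the original post: it configures Python’s standard logging module with a handler-level filter that scrubs credential-looking values before a record is written. The logger name, the secret patterns and the sample messages are assumptions made for the demonstration.

```python
import logging
import re
from io import StringIO

# Patterns for values that must never reach a log file. These are assumed
# examples for the demonstration, not a complete list. Each entry is
# (compiled pattern, replacement): group 1 keeps the key, the value is dropped.
SECRET_PATTERNS = [
    (re.compile(r"(?i)((?:password|passwd|pwd)=)([^&\s]+)"), r"\1[REDACTED]"),
    (re.compile(r"(?i)(authorization:\s*bearer\s+)([A-Za-z0-9._-]+)"), r"\1[REDACTED]"),
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "[REDACTED]"),  # card-number-like digit runs
]


class RedactSecretsFilter(logging.Filter):
    """Rewrite the message so secrets are replaced before the handler writes it.

    Handler filters run before the formatter, so the scrubbed text is what
    ends up in the file or stream.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()  # apply %-args first, then scrub the result
        for pattern, replacement in SECRET_PATTERNS:
            message = pattern.sub(replacement, message)
        record.msg = message
        record.args = ()  # already fully formatted; nothing left to interpolate
        return True  # keep the record, just altered


def build_logger(stream) -> logging.Logger:
    """Configure a logger with a structured format and the redaction filter on its handler."""
    logger = logging.getLogger("demo.app")  # assumed logger name
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setLevel(logging.INFO)  # DEBUG noise (often raw payloads) stays out of the shared log
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(name)s %(message)s"))
    handler.addFilter(RedactSecretsFilter())
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def demo_log_lines() -> list:
    """Emit a few constructed messages (not real data) and return what the handler wrote."""
    buf = StringIO()
    log = build_logger(buf)
    log.debug("raw request body: password=hunter2")  # below handler level, dropped entirely
    log.info("login attempt user=%s from=%s", "alice", "203.0.113.7")
    log.warning("upstream call failed, headers=Authorization: Bearer eyJhbGciOi.payload.sig")
    log.info("form posted with password=hunter2&remember=1")
    log.error("checkout failed for card 4111 1111 1111 1111")
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo_log_lines():
        print(line)
```

Two caveats worth knowing: a filter attached to a handler mutates the record object, so any other handler on the same logger sees the scrubbed text as well (put the scrubbing in a Formatter subclass if you need it scoped to one destination), and pattern-based redaction is a safety net, not a substitute for keeping secrets out of log calls in the first place.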


A Detailed Introduction to the Apache Access Log

What is the Apache access log?  Well, at the broadest level, it’s a source of information about who is accessing your website and how.

But as you might expect, a lot more goes into it than just that.  After all, people visiting your website aren’t like guests at your wedding, politely signing a registry to record their presence.  They’ll visit for a whole host of reasons, stay for seconds or hours, and do all sorts of interesting and improbable things.  And some of them will passively (or even actively) thwart information capture.

So, the Apache access log has a bit of nuance to it.  And it’s also a little…complicated at first glance.

But don’t worry — demystifying it is the purpose of this post.

Apache Access Log: the Why

I remember starting my first blog years and years ago.  I paid for hosting and then installed a (much younger) version of WordPress on it.

For a while, I blogged into the void with nobody really paying attention.  Then I started to get some comments: a trickle at first, and then a flood.  I was excited until I realized that they were all suspiciously vague and often non-sequiturs.  “Super pro info site you have here, oPPS, I HITTED THE CAPSLOCK KEY.”  And these comments tended to link back to what I’ll gently say weren’t the finest sites the internet had to offer.

Yep.  Comment spam.

Somewhere between manually deleting these comments and eventually installing a WordPress plugin to help, I started to wonder where these comments were all coming from.  They all seemed to magically appear in the middle of the night and they were spammy, but I was interested in patterns beyond that.

This is a perfect use case for the Apache access log.  You can use it to examine a detailed log of who has been to your website.  The information about visitors can include their IP address, their browser, the actual HTTP request itself, the response, and plenty more.
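To make that concrete, here is an added example, written for this page rather than taken from the original post: a parser for Apache’s “combined” log format run over a handful of constructed sample lines (the IPs, paths and user agents are invented for the demonstration), plus a small query that answers the comment-spam question above by counting POSTs to the comment endpoint per client and the hours they arrived.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log, not a real server's data. One line is deliberately
# malformed to show that unparseable input is counted rather than crashing.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2019:14:02:11 +0000] "GET /2019/03/hello-world/ HTTP/1.1" 200 5123 "https://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/65.0"
198.51.100.23 - - [12/Mar/2019:03:14:07 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [12/Mar/2019:03:14:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [12/Mar/2019:03:14:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [12/Mar/2019:09:45:30 +0000] "GET /feed/ HTTP/1.1" 304 - "-" "Feedly/1.0 (+http://www.feedly.com/fetcher.html)"
192.0.2.77 - - [12/Mar/2019:03:20:44 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 412 "-" "-"
192.0.2.77 - - [12/Mar/2019:03:21:01 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
garbage line that is not in the combined format
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    # %r is "METHOD PATH PROTOCOL"; malformed requests (TLS probes, empty lines)
    # may have fewer parts, so default the pieces rather than index blindly.
    parts = d["request"].split(" ")
    d["method"] = parts[0] if parts else ""
    d["path"] = parts[1] if len(parts) > 1 else ""
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])  # "-" means no body (e.g. 304)
    return d


def load(text):
    """Parse every non-empty line; return (records, number_of_unparseable_lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1
        else:
            records.append(rec)
    return records, bad


def comment_posters(records, path="/wp-comments-post.php"):
    """Count POSTs to the comment endpoint per client IP and record the hours they arrived."""
    counts = Counter()
    hours = {}
    for r in records:
        if r["method"] == "POST" and r["path"] == path:
            counts[r["ip"]] += 1
            hours.setdefault(r["ip"], set()).add(r["time"].hour)
    return counts, hours


if __name__ == "__main__":
    recs, unparsed = load(SAMPLE_LOG)
    print(f"parsed {len(recs)} lines, {unparsed} unparseable")
    for ip, n in comment_posters(recs)[0].most_common():
        print(f"{ip}: {n} comment POSTs")
```

The regex is anchored at both ends so a line that does not match the format is rejected outright rather than partially parsed; in practice that is where custom LogFormat directives and log injection attempts (user agents containing quotes or newlines) show up, and the unparsed count tells you how much of your log you are actually seeing.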


Get Started Quickly With Java Logging

You’ve already seen how to get started with C# logging as quickly as possible.  But what if you’re more of a Java guy or gal? Well, then we’ve got your back, too: today’s post will get you up to speed with logging in Java, C#’s older cousin.

As in the previous post in this series, we’ll not only provide a quick guide but also go into more detail about logging, diving particularly into the what and why of logging.

The Simplest Possible Java Logging

For this simple demo, I’m going to use the free community version of IntelliJ IDEA. I’m also assuming that you have the Java JDK installed on your machine.


A Tale of Siri and My Home’s Energy Usage

Full disclosure: I’m a Scalyr DevOps engineer, but I’d be geeking out over the sheer number of possible uses for Scalyr even if I wasn’t. It’s more than a log analysis tool—it’s a platform. Scalyr now monitors the temperature inside my house, as well as the history of my thermostat and HVAC system usage. I’m one of very few homeowners in the world with real-time access to information about my HVAC system’s energy usage.

What compelled me to do this? Siri.

And a desire to harness home automation to improve my house’s energy efficiency. Here’s the story.
