This is a fine article about DevSecOps maturity https://r2c.dev/blog/2021/four-levels-of-maturity-that-bridge-the-app-sec-engineering-divide/ but the example does bother me: how should you stop sensitive data leaking into logs, systematically? 1/5
The article suggests writing tests on columns in log data with sensitive names, e.g. containing “token”, “secret”, “key”, which is a common practice, and finds many cases 2/5
But you should think of this as a strong typing issue: all sensitive data needs to have a type that doesn't have a way of printing it at all, or only as "redacted". Look at the type signatures for a crypto library: there are operations on keys, but you cannot extract them 3/5
A password should only have operations to check a hash, for example. There are very few exceptions, e.g. capabilities (e.g. one-time URLs) can be passed, but this should not be a generic print method but something more structured. Type systems are your friend. 4/5
Obviously this still needs tests, but the tests are much more generic, the behaviour can't be accidentally violated at the call site, and you can't depend on being able to read secrets. Get your security people to help design your types and operations. 5/5
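What that looks like in practice, as an added example in Rust (not code from the thread or the linked article): a `Secret` wrapper with no `Display` and a redacted `Debug`, a `Password` whose only operations are hashing and checking, and a one-time URL capability that can be handed out only by consuming it. The FNV-1a digest is a stand-in so the example runs without crates; a real system would use a password KDF such as Argon2.

```rust
use std::fmt;

/// Secret bytes. There is deliberately no Display impl, so `println!("{}", s)`
/// does not compile; Debug is redacted so `{:?}` inside a log macro cannot
/// leak the value either.
pub struct Secret(Vec<u8>);

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[REDACTED]")
    }
}

/// A password: its only public operations hash it and check a hash.
/// Derived Debug prints `Password([REDACTED])`.
#[derive(Debug)]
pub struct Password(Secret);

impl Password {
    pub fn new(raw: &str) -> Self {
        Password(Secret(raw.as_bytes().to_vec()))
    }
    /// Stand-in digest (FNV-1a, not a password KDF) so the example has no deps.
    pub fn hash(&self) -> u64 {
        (self.0).0.iter().fold(0xcbf29ce484222325u64, |h, b| {
            (h ^ u64::from(*b)).wrapping_mul(0x100000001b3)
        })
    }
    /// Check against a stored hash with a constant-time byte comparison.
    /// Note there is no method that returns the raw password.
    pub fn verify(&self, stored: u64) -> bool {
        let ours = self.hash().to_le_bytes();
        let theirs = stored.to_le_bytes();
        ours.iter().zip(theirs.iter()).fold(0u8, |acc, (a, b)| acc | (a ^ b)) == 0
    }
}

/// The structured exception: a one-time capability URL is released only by
/// consuming the value (`self`), never by a generic print.
pub struct OneTimeUrl(Secret);

impl OneTimeUrl {
    pub fn new(token: &str) -> Self { OneTimeUrl(Secret(token.as_bytes().to_vec())) }
    pub fn into_url(self, base: &str) -> String {
        format!("{}/reset?t={}", base, String::from_utf8_lossy(&(self.0).0))
    }
}

/// A log line that would leak with a plain String, but cannot here.
pub fn log_line(user: &str, pw: &Password) -> String {
    format!("login attempt user={} password={:?}", user, pw)
}
```

Because `Secret` has no `Display`, the leak the article's log tests hunt for is a compile error rather than something to find after the fact.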