The fundamental operation of Ozcode Production Debugger is based on a light-weight agent that records the runtime code execution flow when an exception is thrown. This provides the radical observability that enables you to dig into the deepest levels of your code and determine the root cause of the bug. However, it also presents challenges when the runtime code that your developer needs to debug contains Personally Identifiable Information (PII) because protecting PII is mandated by law.
Compliance with PII protection laws
In recent years, there has been a clamp-down on privacy, and a variety of laws and standards have been put in place to keep PII from getting into the wrong hands. While there are general international laws, such as the GDPR, protecting PII is especially critical in sensitive industries such as finance, health, and defense, where additional, industry-specific laws such as HIPAA and PCI DSS also apply. All these regulations put the burden of protecting PII on you, the vendor of any service that receives information like email addresses, ID numbers, credit card numbers, and a host of other PII from the consumer. Ozcode Production Debugger implements PII redaction as a first-class feature to ensure you can comply with PII protection laws, so your debugging developer is not exposed to any information they’re not allowed to see.
How does Ozcode PII redaction work?
The Ozcode architecture is comprised of an agent that is installed alongside your application, the Production Debugger server, and the front-end web application through which the users access the server for debugging.
After the Ozcode agent autonomously captures the code execution flow leading up to an exception, it sends that recording to the Production Debugger server. When a developer, QA engineer, or DevOps engineer accesses the server to view the recorded code execution, PII is redacted before being delivered to the front end. Debugging is enabled, but PII data protection is fully maintained.
Configuring PII redaction
Ozcode Production Debugger is very flexible and provides granular control through the Admin console over which data is redacted by specifying regex patterns, identifiers, namespaces, and classes. While the required PII redaction may make debugging more difficult, the granularity provided by Ozcode strikes the best balance between giving the debugging engineer as much information as possible and not exposing data that must remain hidden.
Using Regex is a convenient way to redact information that follows a well-known pattern, such as credit card numbers, addresses, and phone numbers. Ozcode allows you to create pattern types and specific patterns within each type. For example, the Production Debugger can be configured to redact the credit card numbers for four major credit card providers as well as home and business addresses.
It’s also very easy to add a new type or name at any time.
Once a type or name is added, new exception captures containing that type will be redacted accordingly.
It’s also very easy to enable or disable specific patterns within a type. For example, you might disable redaction for Business Address. We don’t usually mind people knowing where we work but aren’t always keen to expose our home address.
Ozcode Production Debugger lets you specify the name of any data field, property, or variable that should be redacted regardless of its scope. A list of standard field names such as “password” comes built into the system, which, of course, can be customized. Just be aware that Ozcode ignores case when matching identifiers for redaction.
Namespaces and Classes
To enable redaction of larger sets of data, Ozcode also lets you specify namespace or class names. In this case, all member variables of the specific class or all classes in a specified namespace will be redacted.
Note that within Classes, you can specify either the fully qualified name of a class, to have only that specific class redacted, or just the class name, in which case the class will be redacted regardless of the namespace under which it is created.
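The matching rules described above (enabled regex patterns, case-insensitive identifiers, whole namespaces, and classes listed by fully qualified or bare name) can be modelled in a few lines. This is an added example, not Ozcode's code or configuration format; the rule set, class names, regexes, mask string, and captured variables are all constructed for illustration.

```python
import re

MASK = "***"
# Constructed rule set: names and regexes are assumptions, not Ozcode's own.
RULES = {
    "patterns": {  # pattern type -> pattern name -> (regex, enabled)
        "Credit Card": {"Visa": (re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b"), True)},
        "Phone": {"US Phone": (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), False)},
    },
    "identifiers": {"password", "ssn"},           # compared case-insensitively
    "namespaces": {"Shop.Billing"},               # every class in the namespace
    "classes": {"Shop.Crm.Customer", "Patient"},  # fully qualified or bare name
}

def class_is_redacted(fqn, rules=RULES):
    """True if the class is listed by full name, by bare name, or by namespace."""
    namespace, _, simple = fqn.rpartition(".")
    bare_names = {c for c in rules["classes"] if "." not in c}
    return (fqn in rules["classes"] or simple in bare_names
            or namespace in rules["namespaces"])

def redact(captured, rules=RULES):
    """Masked copy of captured variables; assumes a regex hit masks only the match."""
    out = []
    for var in captured:
        value = var["value"]
        if (class_is_redacted(var["class"], rules)
                or var["name"].lower() in rules["identifiers"]):
            value = MASK
        elif isinstance(value, str):
            for patterns in rules["patterns"].values():
                for regex, enabled in patterns.values():
                    if enabled:
                        value = regex.sub(MASK, value)
        out.append({**var, "value": value})
    return out

# Constructed capture for illustration, not real debugger output.
SAMPLE = [
    {"class": "Shop.Web.Cart", "name": "Password", "value": "hunter2"},
    {"class": "Shop.Web.Cart", "name": "note", "value": "4111111111111111, 555-010-1234"},
    {"class": "Shop.Billing.Invoice", "name": "total", "value": 42},
    {"class": "Shop.Crm.Customer", "name": "email", "value": "a@example.com"},
    {"class": "Shop.Legacy.Customer", "name": "email", "value": "b@example.com"},
    {"class": "Clinic.Records.Patient", "name": "ward", "value": "7B"},
]

if __name__ == "__main__":
    print(*redact(SAMPLE), sep="\n")
```

In this model, `Shop.Legacy.Customer` stays visible because only the fully qualified `Shop.Crm.Customer` is listed, while the bare name `Patient` is masked in any namespace; the disabled phone pattern leaves the phone number in the note untouched.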
How is redacted data presented?
Any data redaction configured in the Admin console appears with PII data masking in the Debugging Screen.
Beyond PII data protection
Beyond PII redaction, Ozcode Production Debugger enables additional levels of security to protect not only the PII you hold but your application’s debug data in general.
One option for hosting the Ozcode server is to use Microsoft Azure. As one of the leading cloud service providers, Azure offers a secure cloud foundation with multiple layers of control to keep your debug data safe from threats. Azure also offers the largest global spread of regions and availability zones to enable you to comply with data sovereignty requirements, but Ozcode has your back even if you are operating in a region that is not covered by Azure. Ozcode can also be installed as an on-premises deployment so you can host Ozcode Production Debugger in your enterprise data center wherever Azure does not have an availability zone.
In addition, Ozcode Production Debugger supports IP whitelisting so you can ensure access only from approved IP addresses. Ozcode also keeps an audit trail of every variable exposed, and every user that viewed data, accessible via the admin console.
You can have the best of both worlds.
The legal requirement to maintain privacy and the urgent need to debug exceptions in production are two very conflicting, yet equally critical forces. Thankfully, you don’t have to choose between them; rather, you can have the best of both worlds. The capability for PII redaction in Ozcode Production Debugger lets you use the four pillars of production debugging, even under the strictest security controls, to get to the root cause of production bugs as quickly as possible.