Managing data security¶

When running Lightrun agents in your application you can control retrieval of sensitive data in the instrumented code by using:

• Blocklists - to prevent developers from inserting snapshots inside sensitive classes

• PII redaction - to prevent sensitive data from appearing in snapshots and logs

Blocklists¶

Use blocklists to prevent snapshots being inserted in classes that might expose sensitive data. Files and packages that include the patterns you've specified in the Blocklist table are protected and your team won't be able to add snapshots.

You can configure blocklists to include package and class names, file names, and directory paths. You can also add blocklist exceptions for any relevant subclasses in which you want to allow snapshot insertion.

Each time your application is started, the agent's blocklist configuration is downloaded and applied to all future actions. If you modify the blocklist configuration, you must restart the application to activate the modified blocklist.

com.sales

com.sales.Admin

To configure a blocklist and blocklist exceptions¶

1. Log in to your Lightrun account.
2. Click Settings on the top right-hand side of your screen to navigate to the Settings dashboard.

3. Select Blocklist under Security in the Settings dashboard sidebar.

   The Blocklist window opens, showing a table of existing blocklist and blocklist exception patterns.

4. To add a text pattern for a new blocklist or blocklist exception, click the button next to Blocklist or Blocklist Exceptions.

   The Add Pattern dialog box opens.

   

5. Respectively for Blocklist and Blocklist Exceptions, in the Pattern text field, enter a pattern to be blocked or allowed as an exception (for example, a class name, file name, or directory path).

6. In the corresponding Name text field, for each pattern, enter a unique name.
7. Click OK. The dialog box closes and the Blocklist (or Blocklist Exceptions) table updates to include the newly added patterns.

Lightrun agents will fetch updated blocklists when they start up. To apply new filters to your existing agents you'll need to restart those agents.

PII redaction¶

Use PII redaction to prevent Lightrun from capturing sensitive data in snapshots and dynamic logs.

There are two options for redacting sensitive data:

• Variable name - Data is redacted based on variable name. Any variables which match the supplied pattern will be excluded from the data Lightrun captures. For example, adding a pattern apiToken will prevent Lightrun from logging data from any variable which includes apiToken in the variable name. So variables my_apiToken, theOtherapiToken, and someapiTokenVariable will all be redacted.

• Variable value - Data is redacted based on a specified regex pattern. The regex pattern is matched to a value, not a variable name. For example, the following regex pattern \b5[1-5]\d\d([\-\ ]?)(?:\d{4}\1){2}\d{4}\b will redact all Mastercard debit or credit card data from Lightrun.

To configure PII redaction¶

1. Log in to your Lightrun account.
2. Click Settings on the top right hand side of your screen to navigate to the Settings dashboard.

3. Select PII Redaction under Security in the Settings dashboard sidebar.

   The Data Redaction window opens with a table of existing patterns.

4. To add a new pattern for redaction, click the button.

   The Add Pattern dialog box opens.

   
   

   

5. Select your preferred data redaction mode.

6. In the Name text field, enter a unique name for the added pattern.
7. Add a Variable name or Variable value pattern depending on the mode you selected.
8. To verify the pattern, in the Test Input text field, enter a test string corresponding to the pattern specified in the previous step.
   Pattern verification is confirmed when the entered test string is highlighted in yellow.
9. Click Save.
   The dialog box closes and the list of redacted character string patterns updates to include the newly added pattern.

Lightrun agents will fetch updated PII filters when they start up. To apply new filters to your existing agents you'll need to restart those agents.

Best Practices for PII Redaction¶

To protect user privacy and improve data security, it is important that Personally Identifiable Information (PII) is not included in snapshots or logged in IDE plugins. This includes information such as email addresses, credit card data, passwords, personal mobile numbers, social security numbers, etc.

When implementing PII redaction with Lightrun, we recommend using the following best practices to reduce the risk of exposing sensitive data through Lightrun.

• Access Minimization - Ensure that only trusted users in your organization have access to specific roles and permissions in Lightrun. Only users with role_manager or System administrator permissions can specify or remove PII redaction patterns from Lightrun. For more information on how to manage users and user permissions, see Manager Users and Roles.

• Combine Variable values and Variable names for very sensitive information - If you have data related to any of the following in your system:

  • Credit cards
  • Social security numbers
  • Phone numbers
  • API tokens
  • ID numbers
  • Addresses

  Specifying both the variable names and values helps to reduce the risk of sensitive data being exposed to Lightrun.

The following table shows a list of regex patterns for protecting PII data:

Credit Cards¶

Financials¶

General PII¶