Traceability Loss

Need

Traceability and monitoring of system events

Context

• Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications

• Usage of Logger library for logging

Description

1. Non compliant code

defmodule MyApp.Service do
  def critical_action(param1, param2) do
    case MyApp.Repo.transaction(fun -> do_critical_action(param1, param2) end) do
      {:ok, _result} -> :ok
      {:error, _reason} -> :error
    end
  end
  defp do_critical_action(param1, param2) do...

The code is vulnerable because it doesn't log any information about the outcome of the critical action. If a critical action fails or an error occurs, there is no record of this event, making it difficult to identify and analyze the issue.

2. Steps

• Use the Logger module to log information about system events.

• Add logging statements at critical points in your code, such as before and after a critical action, and when an error occurs.

3. Secure code example

defmodule MyApp.Service do
  require Logger

  def critical_action(param1, param2) do
    Logger.info("Starting critical action with #{param1}, #{param2}")

    case MyApp.Repo.transaction(fun -> do_critical_action(param1, param2) end) do
        Logger.info("Critical action succeeded with result: #{result}")...

This code is safe because it uses the Logger module to log the beginning and outcome of a critical action. If a critical action fails or an error occurs, there is a record of this event, making it easier to identify and analyze the issue.

References

• 200. Traceability Loss

On this page