# Securing the Troubleshooting Process
When production problems arise, SRE engineers capture various dumps (like Application Log, GC log, Thread dump, Heap dump, TCP dump) from the production servers and share them with Developers/Testers to identify the root cause. Several enterprises classify these artifacts as confidential information, since they tend to contain sensitive information such as PII data, SSNs, Credit Card Numbers, VAT, etc.
Unfortunately, the sensitivity of these artifacts is often overlooked. They pass through multiple hands (opens new window) without adequate restrictions, and in many cases, remain undeleted after analysis. If compromised, these artifacts can lead to reputational damage, regulatory fines, and lawsuits, leaving enterprises grappling with significant financial and operational challenges.
With yCrash, you can secure these artifacts and ensure they remain protected throughout the troubleshooting process. Let’s explore how yCrash’s security features address these critical concerns.
# 1. Sanitize Heap Dump
When working with heap dump files, it's crucial to be aware that they often contain sensitive information such as credit card details, passwords, and other personally identifiable information (PII). Traditional heap analysis tools can inadvertently expose this data. To mitigate this concern, yCrash offers the Heap Dump Sanitization feature as part of our Security Pack.
For more details on how this feature works and how to use it, visit our Heap Dump Sanitization (opens new window) documentation.
# 2. Stops Scattering of Sensitive Data
Production dumps are often shared (opens new window) among SRE, development, and QA teams, creating a significant vulnerability, especially when the dumps remain undeleted after analysis. yCrash eliminates this risk by securely transmitting raw dumps from your production servers to a yCrash server hosted on your premises. During the transmission process, all dumps are encrypted and archived, ensuring they remain protected at every step. Access to raw dumps is restricted, and engineers can only view the generated reports, reducing the potential for data exposure.
# 3. SSO Authentication
yCrash supports Single Sign-On (SSO) through SAML integration, enabling secure and seamless authentication for users across various platforms like Okta, OneLogin, ActiveDirectory, ForgeRock. By configuring the SSO settings, enterprises can centralize authentication, reduce the need for multiple login credentials, and enhance security through a streamlined access process.without exposing critical information.
# 4. Token-Based Authentication for REST APIs
REST APIs can be secured with token-based authentication instead of static API keys. Users authenticate against LDAP or Active Directory and obtain short-lived JWT tokens for GC log, heap dump, thread dump, and bundle upload APIs. Tokens are passed in the Authorization: Bearer header, reducing exposure of long-lived credentials. For configuration details, visit our LDAP-Based JWT Authentication for REST APIs
# 5. Granular Authorization Controls
yCrash includes robust authorization controls, ensuring that only authorized personnel can access specific data and features within the platform. These controls help safeguard sensitive information and maintain compliance with organizational security policies, allowing for fine-grained access management tailored to the needs of your team. By integrating yCrash into your troubleshooting workflow, you not only streamline the process but also fortify your organization's defenses against potential data breaches, ensuring that sensitive information remains protected at every stage. For more information, visit Restricting Resources Access page.
# 6. Data Masking
The Data Masking feature in yCrash ensures that sensitive information within heap dumps, such as passwords, API keys, and other confidential data, is protected. By masking a specified percentage of the data, this feature prevents unauthorized access to sensitive content, allowing developers and engineers to analyze memory usage and performance issues without exposing critical information.
# 7. Encrypt Configuration Files
In today's security-conscious world, protecting sensitive data is a top priority for organizations. Recognizing this need, yCrash offers an encryption solution that allows enterprise customers to securely manage their configuration files. This feature is designed to protect sensitive data such as configuration files and system properties, which often contain critical details like passwords. For detailed instructions, visit How to encrypt configuration file .
# 8. Encrypted SSL Keystore Password
To enhance security in enterprise environments, where sensitive information like SSL keystore passwords must be protected, we have implemented a feature to support encrypted passwords. Instead of configuring passwords in plain text, you can use the yc-codec.jar tool to encrypt them securely. For more information, visit Encrypt SSL Keystore Password page.
# 9. Automated Incident Retention
yCrash's Incident Retention feature helps manage storage space and keep your dashboard organized by automatically deleting old incident reports after a specified retention period. You can configure the retention settings to retain data for a certain number of days, months, or years, ensuring that only relevant data is kept, while obsolete data is automatically removed to optimize storage and maintain a clutter-free environment.
In today’s security-conscious world, protecting sensitive data is more important than ever. yCrash equips your organization with the tools needed to handle production dumps securely, safeguarding sensitive information from exposure while optimizing the troubleshooting process.
# 10. Audit Trail
When engineers access production diagnostic data - GC logs, heap dumps, thread dumps. It's important to know who accessed what and when. yCrash automatically writes a dedicated audit log that captures every meaningful user action within the platform: page visits, file uploads, analysis runs, and report views. When SSO is configured, each log entry is tied to the authenticated username, giving your security and compliance teams a complete, timestamped record of activity. The audit logs are written directly to your own servers and can be fed into any log management or SIEM tooling you already use, such as Splunk, ELK, or Datadog.
For more information, visit the Audit Trail page.