Security: naviNBRuas/_ObservabilityEngine

SECURITY.md

Security Policy

Overview

The security of ObservabilityEngine and the data it processes is a top priority. This document describes our security policy, how we handle vulnerabilities, and best practices for secure deployment.


Reporting a Security Vulnerability

If you discover a security vulnerability in ObservabilityEngine, do not open a public GitHub issue; report it privately through one of the channels below:

Reporting Methods

  1. Security Advisory (Recommended):

    • Open a private vulnerability report through the repository's GitHub Security Advisories page
  2. Email:

    • founder@nbr.company
    • Include detailed information about the vulnerability
    • PGP key available upon request
  3. Responsible Disclosure:

    • Allow 90 days for the security team to address the issue
    • Do not publicly disclose until a patch is released
    • Coordinate with the security team on disclosure timing

What to Include

Please provide:

  • Clear description of the vulnerability
  • Steps to reproduce (if applicable)
  • Affected components and versions
  • Severity assessment (CVSS score if possible)
  • Proof of concept (if safe to share)
  • Your contact information

Response Timeline

  • 24 Hours: Initial acknowledgment of report
  • 48-72 Hours: Initial assessment and triage
  • 7-14 Days: Patch development and testing
  • 30 Days: Patch release and disclosure
  • Up to 90 Days: Coordinated disclosure for critical issues

Security Best Practices

Deployment Security

TLS/mTLS Configuration

Always enable TLS for all communications:

observability:
  tls:
    enabled: true
    cert_file: "/etc/observability/certs/tls.crt"
    key_file: "/etc/observability/certs/tls.key"
    
  mtls:
    enabled: true
    ca_cert: "/etc/observability/certs/ca.crt"
    require_client_cert: true
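
How the mtls.require_client_cert switch behaves on the wire, as an added example rather than code from ObservabilityEngine: it mints a throwaway CA with one server leaf and one client leaf in memory (a real deployment loads cert_file, key_file and ca_cert instead), maps the YAML flags onto Go's crypto/tls, and runs real handshakes over an in-memory pipe. The server name, the leaf names and the Setup/Dial helpers are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "observability.example.internal" // hypothetical name, not from the page

// newCert mints a leaf for name signed by ca/caKey, or a self-signed CA when ca is nil.
func newCert(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{ // demo-only serial; a real CA uses random serials
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	parent, signer := ca, caKey
	if ca == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, err
}

// ServerConfig maps tls.enabled plus mtls.require_client_cert onto crypto/tls.
func ServerConfig(cert tls.Certificate, ca *x509.Certificate, requireClientCert bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca) // exactly one private CA vouches for clients, never the system roots
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert},
		ClientCAs: pool, SessionTicketsDisabled: true} // no post-handshake writes in this pipe demo
	if requireClientCert {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert // RequestClientCert alone would admit certless clients
	}
	return cfg
}

func ClientConfig(ca *x509.Certificate, cert *tls.Certificate) *tls.Config { // cert nil = no client cert
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool, ServerName: serverName}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	return cfg
}

// Dial handshakes over an in-memory pipe; nil means the server accepted the client AND sent an
// application record. Under TLS 1.3 the client certificate is verified only after the client's own
// Handshake() has returned nil, so a client-side handshake check alone would miss the rejection.
func Dial(srv, cli *tls.Config) error {
	c1, c2 := net.Pipe()
	c1.SetDeadline(time.Now().Add(5 * time.Second)) // any pipe stall becomes an error, not a hang
	c2.SetDeadline(time.Now().Add(5 * time.Second))
	defer func() { c1.Close(); c2.Close() }()
	srvErr := make(chan error, 1)
	go func() {
		s := tls.Server(c1, srv)
		if err := s.Handshake(); err != nil {
			srvErr <- err
			return
		}
		_, err := s.Write([]byte("ok"))
		srvErr <- err
	}()
	if _, err := tls.Client(c2, cli).Read(make([]byte, 2)); err != nil { // Read drives the handshake
		return fmt.Errorf("client: %w; server: %v", err, <-srvErr)
	}
	return <-srvErr
}

// Setup mints a CA, a server leaf and a client leaf; combine them with the config functions.
func Setup() (srvCert, cliCert tls.Certificate, ca *x509.Certificate, err error) {
	caTLS, ca, err := newCert("ObservabilityEngine Example CA", nil, nil)
	if err == nil {
		srvCert, _, err = newCert(serverName, ca, caTLS.PrivateKey.(*ecdsa.PrivateKey))
	}
	if err == nil {
		cliCert, _, err = newCert("collector-01", ca, caTLS.PrivateKey.(*ecdsa.PrivateKey))
	}
	return
}
```

Dial returns an error for a certless client only when ServerConfig was built with requireClientCert true; with false the same client is admitted, which is exactly the difference the require_client_cert flag controls. Pointing ClientCAs at a single private CA, never at the system roots, is what makes a client certificate meaningful as an identity.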

Authentication & Authorization

observability:
  auth:
    type: "oidc"
    issuer_url: "https://auth.example.com"
    client_id: "${OIDC_CLIENT_ID}"
    client_secret: "${OIDC_CLIENT_SECRET}"
    
  rbac:
    enabled: true
    default_role: "viewer"
    roles:
      viewer:
        - "metrics:read"
        - "traces:read"
      editor:
        - "metrics:read"
        - "metrics:write"
        - "traces:read"
      admin:
        - "*"
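
An authorization check over that role table, as an added example that is not the project's RBAC implementation. The role and permission strings are the ones above; the "resource:*" prefix wildcard, the refusal of wildcard requests and the fail-closed handling of undefined role names are design choices made here, not documented behaviour.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy mirrors the rbac block above: roles carry permission lists and a
// subject with no role at all falls back to default_role.
type Policy struct {
	DefaultRole string
	Roles       map[string][]string
}

// PagePolicy is the configuration shown above, transcribed into Go.
var PagePolicy = Policy{
	DefaultRole: "viewer",
	Roles: map[string][]string{
		"viewer": {"metrics:read", "traces:read"},
		"editor": {"metrics:read", "metrics:write", "traces:read"},
		"admin":  {"*"},
	},
}

// covers reports whether a granted permission satisfies a requested one. "*" matches
// everything; "metrics:*" (an assumed extension, not on the page) matches any action on
// that resource; anything else must match exactly.
func covers(granted, requested string) bool {
	if granted == "*" {
		return true
	}
	if res, act, ok := strings.Cut(granted, ":"); ok && act == "*" {
		reqRes, _, _ := strings.Cut(requested, ":")
		return reqRes == res
	}
	return granted == requested
}

// Allowed decides whether a subject holding role may exercise permission.
// An empty role means "nothing assigned" and maps to DefaultRole; a role name that is
// not defined is a configuration error and fails closed. Requests containing a wildcard
// are refused so a caller can never ask "may I do *" and get a yes from an explicit grant.
func (p Policy) Allowed(role, permission string) bool {
	if permission == "" || strings.Contains(permission, "*") {
		return false
	}
	if role == "" {
		role = p.DefaultRole
	}
	perms, ok := p.Roles[role]
	if !ok {
		return false
	}
	for _, g := range perms {
		if covers(g, permission) {
			return true
		}
	}
	return false
}

func main() {
	for _, c := range [][2]string{
		{"viewer", "metrics:read"}, {"viewer", "metrics:write"}, {"editor", "metrics:write"},
		{"admin", "alerts:delete"}, {"", "traces:read"}, {"superuser", "metrics:read"},
	} {
		fmt.Printf("%-10s %-15s %v\n", c[0], c[1], PagePolicy.Allowed(c[0], c[1]))
	}
}
```

The two deny-by-default rules matter more than the matcher: a typo in an identity-to-role mapping must not silently promote anyone, and "viewer" as default_role only makes sense if viewer is genuinely the least-privileged role in the table.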

API Security

  • Always use HTTPS for API endpoints
  • Implement rate limiting on all endpoints
  • Validate and sanitize all inputs
  • Use API keys or OAuth 2.0 for authentication
  • Restrict CORS to an explicit origin allowlist; never pair a wildcard origin with credentials
  • Log all security-relevant events
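
A per-client token-bucket limiter for the "rate limiting on all endpoints" item, as an added example that is not the project's limiter. It uses the requests_per_second and burst_size values from the network section of this page; the Limiter type, the key-per-client design and the replayed traffic in Scenario are assumptions and constructed data.

```go
package main

import (
	"sync"
	"time"
)

// Limiter keeps one token bucket per client key: a key may burst up to burst requests
// and then continue at rate requests per second. Assumed design, not the project's
// limiter; now is injectable so the behaviour can be replayed against a fake clock.
type Limiter struct {
	mu          sync.Mutex
	rate, burst float64
	now         func() time.Time
	buckets     map[string]*bucket
}

type bucket struct {
	tokens float64
	last   time.Time
}

func NewLimiter(rate, burst float64, now func() time.Time) *Limiter {
	return &Limiter{rate: rate, burst: burst, now: now, buckets: map[string]*bucket{}}
}

// Allow spends one token for key and reports whether the request may proceed.
// Keying by authenticated subject (or, failing that, source address) keeps one
// abusive client from burning the quota of everyone else.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: t} // a new client starts with a full bucket
		l.buckets[key] = b
	}
	b.tokens += t.Sub(b.last).Seconds() * l.rate // refill for the time elapsed since last seen
	if b.tokens > l.burst {
		b.tokens = l.burst // idle time never banks more than one burst
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Scenario replays constructed traffic against the page's values (1000 req/s, burst 5000)
// on a frozen clock and returns the outcome of each interesting request.
func Scenario() map[string]bool {
	clock := time.Date(2026, 1, 5, 0, 0, 0, 0, time.UTC)
	lim := NewLimiter(1000, 5000, func() time.Time { return clock })
	out := map[string]bool{}
	for i := 0; i < 5000; i++ { // a scraper empties its own bucket in one instant
		lim.Allow("scraper")
	}
	out["scraper_5001st_allowed"] = lim.Allow("scraper")
	out["dashboard_unaffected"] = lim.Allow("dashboard") // a different key still has a full bucket
	clock = clock.Add(10 * time.Millisecond)              // 10 ms at 1000 req/s = 10 fresh tokens
	out["scraper_allowed_after_10ms"] = lim.Allow("scraper")
	clock = clock.Add(time.Hour) // a long idle period tops the bucket up to burst, not 3.6 million
	served := 0
	for lim.Allow("scraper") {
		served++
	}
	out["idle_refill_capped_at_burst"] = served == 5000
	return out
}
```

A single global bucket, which is what a bare requests_per_second setting usually produces, lets one noisy client push everyone else into 429 responses; keying the bucket is what turns the limit into a fairness control as well as a capacity guard.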

Data Security

Data in Transit

  • ✅ TLS 1.2 or higher for all connections
  • ✅ Certificate pinning for critical paths
  • ✅ Mutual TLS (mTLS) for service-to-service communication
  • ✅ Encrypted backups in transit

Data at Rest

  • ✅ Encryption of sensitive data in databases
  • ✅ Encrypted backups with separate key management
  • ✅ File-level encryption for data directories
  • ✅ Secure key storage (HashiCorp Vault recommended)

PII Protection

ObservabilityEngine includes built-in PII masking:

observability:
  security:
    pii_masking:
      enabled: true
      patterns:
        email: "(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])"
        ssn: "\\d{3}-\\d{2}-\\d{4}"
        credit_card: "\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}"
      action: "redact"  # or "hash"
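
Applying those patterns to a log line, as an added example that is not the project's masker: the ssn and credit_card expressions are the ones above; the email pattern is a simplified stand-in for the page's RFC 5322 expression; the HMAC key and the sample line are constructed. The refusal to hash without a key is a design choice made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// PagePatterns holds the ssn and credit_card expressions from the config above plus a
// deliberately simplified email pattern standing in for the page's RFC 5322 one.
// Patterns apply in this order.
var PagePatterns = [][2]string{
	{"email", `[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`},
	{"ssn", `\d{3}-\d{2}-\d{4}`},
	{"credit_card", `\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}`},
}

type pattern struct {
	name string
	re   *regexp.Regexp
}

// Masker applies the pii_masking patterns with action "redact" or "hash".
type Masker struct {
	action   string
	key      []byte // HMAC key for "hash"; keep it in a secret store, never in the log config
	patterns []pattern
}

// NewMasker compiles the patterns. For "hash" it insists on a key: an unkeyed SHA-256 of a
// 9-digit SSN or 16-digit card number is reversed by brute force in seconds, so the
// "pseudonym" would protect nothing.
func NewMasker(action string, key []byte, patterns [][2]string) (*Masker, error) {
	switch action {
	case "redact":
	case "hash":
		if len(key) < 16 {
			return nil, errors.New("pii_masking: action hash needs a secret key of at least 16 bytes")
		}
	default:
		return nil, fmt.Errorf("pii_masking: unknown action %q", action)
	}
	m := &Masker{action: action, key: key}
	for _, p := range patterns {
		re, err := regexp.Compile(p[1])
		if err != nil {
			return nil, fmt.Errorf("pii_masking: pattern %s: %w", p[0], err)
		}
		m.patterns = append(m.patterns, pattern{p[0], re})
	}
	return m, nil
}

// token builds the replacement for one match. The hash is keyed and truncated: the same
// value always maps to the same token, so records stay joinable during an investigation
// without the original value ever reaching the log store.
func (m *Masker) token(name, match string) string {
	if m.action == "hash" {
		mac := hmac.New(sha256.New, m.key)
		mac.Write([]byte(match))
		return "[" + name + ":" + hex.EncodeToString(mac.Sum(nil))[:12] + "]"
	}
	return "[" + name + ":REDACTED]"
}

// Mask rewrites every match of every pattern in line.
func (m *Masker) Mask(line string) string {
	for _, p := range m.patterns {
		name := p.name
		line = p.re.ReplaceAllStringFunc(line, func(s string) string { return m.token(name, s) })
	}
	return line
}

// SampleLine is a constructed log line, not real data.
const SampleLine = `user=jane.doe@example.com ssn=123-45-6789 card=4111-1111-1111-1111 msg="login ok"`

func main() {
	redact, _ := NewMasker("redact", nil, PagePatterns)
	hash, _ := NewMasker("hash", []byte("0123456789abcdef0123456789abcdef"), PagePatterns) // placeholder key
	fmt.Println(redact.Mask(SampleLine))
	fmt.Println(hash.Mask(SampleLine))
}
```

Two things to verify before relying on regex masking in production: that the patterns run before the line is written anywhere (including crash dumps and debug output), and that the 16-digit card pattern does not also swallow legitimate identifiers such as trace IDs in your own telemetry.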

Compliance Standards

ObservabilityEngine is designed to support:

  • SOC 2 Type II: Verified through annual audits
  • HIPAA: When properly configured with encryption and access controls
  • GDPR: Data retention policies and PII handling
  • ISO 27001: Information security management
  • OWASP: Top 10 vulnerabilities addressed

Vulnerability Scanning

The project uses:

  • Dependabot: Automated dependency updates
  • CodeQL: Static code analysis for security issues
  • Trivy: Container image vulnerability scanning
  • OWASP ZAP: Dynamic security testing

Security Features

Built-In Security

  • ✅ Input validation and sanitization
  • ✅ SQL injection prevention (prepared statements)
  • ✅ XSS protection (output encoding)
  • ✅ CSRF protection (token validation)
  • ✅ Rate limiting and throttling
  • ✅ Audit logging
  • ✅ Access control enforcement

Secure Defaults

  • TLS enabled by default
  • Strong password requirements
  • Secrets not logged
  • Debug mode disabled in production
  • Least privilege by default

Known Security Considerations

Resource Limits

Set appropriate resource limits:

observability:
  limits:
    max_connections: 10000
    max_request_size: 10MB
    read_timeout: 30s
    write_timeout: 30s
    idle_timeout: 90s
    max_memory_mb: 4096
    max_cpu_percent: 80

Network Security

observability:
  network:
    bind_address: "127.0.0.1"  # Bind to localhost, use reverse proxy
    allowed_hosts:
      - "metrics.example.com"
      - "traces.example.com"
    cors:
      allowed_origins:
        - "https://app.example.com"
      allowed_methods:
        - "GET"
        - "POST"
    rate_limit:
      requests_per_second: 1000
      burst_size: 5000
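
An HTTP middleware enforcing the allowed_hosts and cors settings behind the reverse proxy that bind_address implies, as an added example that is not the project's own handler (rate_limit is left to a separate limiter). The 421 response for unknown hosts, the preflight handling and the requests in Probe are assumptions and constructed data.

```go
package main

import (
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NetworkPolicy mirrors allowed_hosts and cors from the block above
// (bind_address belongs to the listener and rate_limit to a separate limiter).
type NetworkPolicy struct {
	AllowedHosts, AllowedOrigins, AllowedMethods []string
}

func set(xs []string) map[string]bool {
	m := make(map[string]bool, len(xs))
	for _, x := range xs {
		m[x] = true
	}
	return m
}

// Protect wraps next with the host allowlist and the CORS policy.
func Protect(p NetworkPolicy, next http.Handler) http.Handler {
	hosts, origins := set(p.AllowedHosts), set(p.AllowedOrigins)
	methods := strings.Join(p.AllowedMethods, ", ")
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// allowed_hosts: the Host header is attacker-controlled; letting an unexpected Host
		// through enables cache poisoning and DNS-rebinding access to a localhost-bound service.
		host := r.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h
		}
		if !hosts[strings.ToLower(host)] {
			http.Error(w, "unrecognised host", http.StatusMisdirectedRequest) // 421
			return
		}
		if origin := r.Header.Get("Origin"); origin != "" {
			w.Header().Add("Vary", "Origin") // caches must not serve one origin's answer to another
			if origins[origin] { // reflect exactly the allowlisted origin; never "*" with credentials
				w.Header().Set("Access-Control-Allow-Origin", origin)
				w.Header().Set("Access-Control-Allow-Methods", methods)
			}
			if r.Method == http.MethodOptions { // preflight: answered here, the handler never runs
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends constructed requests through Protect with the page's values and
// returns status codes and the Access-Control-Allow-Origin header per scenario.
func Probe() (map[string]int, map[string]string) {
	p := NetworkPolicy{AllowedHosts: []string{"metrics.example.com", "traces.example.com"},
		AllowedOrigins: []string{"https://app.example.com"}, AllowedMethods: []string{"GET", "POST"}}
	h := Protect(p, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) }))
	status, acao := map[string]int{}, map[string]string{}
	probe := func(name, method, host, origin string) {
		req := httptest.NewRequest(method, "https://"+host+"/api/v1/metrics", nil)
		if origin != "" {
			req.Header.Set("Origin", origin)
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		status[name], acao[name] = rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
	}
	probe("plain", "GET", "metrics.example.com", "")
	probe("with_port", "GET", "traces.example.com:443", "")
	probe("unknown_host", "GET", "evil.example.net", "")
	probe("preflight_known_origin", "OPTIONS", "metrics.example.com", "https://app.example.com")
	probe("preflight_unknown_origin", "OPTIONS", "metrics.example.com", "https://attacker.example")
	probe("get_known_origin", "GET", "metrics.example.com", "https://app.example.com")
	return status, acao
}
```

The host check is only meaningful if the reverse proxy forwards the original Host header unchanged; if the proxy rewrites it, enforce the allowlist at the proxy instead and keep this check as defence in depth.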

Incident Response

In case of a security incident:

  1. Isolate: Disconnect affected systems if necessary
  2. Assess: Determine scope and impact
  3. Preserve Evidence: Collect logs and data
  4. Notify: Inform founder@nbr.company
  5. Remediate: Apply patches and fixes
  6. Review: Conduct post-incident review
  7. Document: Update security procedures

Dependency Management

  • Regular updates: Dependencies updated monthly
  • Security patches: Applied within 7 days of release
  • Vulnerability tracking: List the module graph with go list -m all and check it against the Go vulnerability database with govulncheck ./... (golang.org/x/vuln/cmd/govulncheck)
  • Pinned versions: Production deployments should pin versions
  • Audit: Run govulncheck ./... and go mod verify before deployment

Security Audit

ObservabilityEngine undergoes:

  • Regular security audits (quarterly)
  • Penetration testing (semi-annual)
  • Code review for security issues (per commit)
  • Dependency vulnerability scanning (continuous)

Latest audit results available to enterprise customers upon request.


Supported Versions

Version   Release Date      End of Support   Security Fixes
1.0.x     Jan 2026          Jan 2027         Yes
0.9.x     Dec 2025          Jun 2026         ⚠️ Limited
Earlier   Before Dec 2025   n/a              Unsupported

Security Checklist for Deployment

  • TLS/HTTPS enabled for all endpoints
  • mTLS enabled for service-to-service communication
  • Authentication (OIDC/OAuth2) configured
  • RBAC rules defined and enforced
  • Audit logging enabled
  • Rate limiting configured
  • Input validation rules in place
  • PII masking policies configured
  • Backup encryption enabled
  • Network segmentation applied
  • Log aggregation and monitoring setup
  • Incident response plan documented
  • Security updates applied
  • Regular security scans configured

Contact

Security contact: founder@nbr.company (PGP key available upon request)

Version: 1.0
Last Updated: January 5, 2026
Next Review: July 5, 2026
