Operations content input auditing - sql command example
We have a large discussion here with the InfoSec office because of the following: in the automation process several things are going to change, like the DB script execution (today it is entirely manual; they check whether a given script contains security issues or simply needs elevated credentials to be executed, and then they run it instead of the DBA or operations), but with the scripts inside the flows and using flow variables in them, it doesn't seem very straightforward to them to audit and be aware of what we will be executing during flow development.
Any ideas? With PowerShell and other kinds of scripts we solved it because we have them versioned outside the flow and we just invoke them with parameters, but we can't do that here because we would lose so much flexibility using tools like sqlcmd, for example: reading the output file, parsing the response (besides the engine error that could happen).
We tried to do an xml parsing using xpath for extract the input's value before the deploy but it's very inaccurate and when you reference other cp flows it's a big issue.
Thanks in advance 😄
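As an added illustration (not code from this thread or from Operations Orchestration), here is the kind of pre-deploy check the question describes: it walks a constructed, hypothetical flow export, pulls out every SQL Command input, flags commands that depend on flow variables (which cannot be fully reviewed from the export alone) and risky keywords, and lists referenced subflows as unresolved so the reviewer knows they must be audited separately. The XML layout, element and attribute names, and the `${var}` syntax are assumptions; adapt the lookups to the real export format.

```python
"""Pre-deploy audit of SQL Command inputs in a flow export (added example).
The XML layout below is a constructed, hypothetical schema, not OO's own."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a literal script, a script built from flow variables,
# and a step that calls another flow whose contents are not in this export.
SAMPLE_FLOW = """<flow name="deploy-db">
  <step name="create table" op="SQL Command">
    <input name="command">CREATE TABLE audit_log (id INT, msg VARCHAR(200))</input>
    <input name="dbServerName">db01</input>
  </step>
  <step name="grant" op="SQL Command">
    <input name="command">GRANT ${role} TO ${target_user}</input>
  </step>
  <step name="cleanup" flowRef="Library/Ops/purge-temp"/>
</flow>"""

VAR_REF = re.compile(r"\$\{([^}]+)\}")          # assumed flow-variable syntax
RISKY_KEYWORDS = ("GRANT", "DROP", "ALTER", "EXEC", "XP_")

def audit_flow(xml_text):
    """Return one finding per SQL Command step or subflow reference."""
    root = ET.fromstring(xml_text)
    findings = []
    for step in root.iter("step"):
        if step.get("flowRef"):
            # Referenced flow is outside this export: cannot be reviewed here.
            findings.append({"step": step.get("name"), "kind": "subflow",
                             "ref": step.get("flowRef"), "reviewable": False})
            continue
        if step.get("op") != "SQL Command":
            continue
        cmd = step.findtext("input[@name='command']") or ""
        vars_used = VAR_REF.findall(cmd)
        keywords = [k for k in RISKY_KEYWORDS if k in cmd.upper()]
        findings.append({"step": step.get("name"), "kind": "sql",
                         "command": cmd, "variables": vars_used,
                         "keywords": keywords,
                         # runtime-substituted text cannot be audited statically
                         "reviewable": not vars_used})
    return findings

if __name__ == "__main__":
    for f in audit_flow(SAMPLE_FLOW):
        print(f)
```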
Just an idea:
If I have understood well 💡: because all operation variables are available in the flow context (script, server, port, commands, users...), why not construct a predefined log format that OO uses to insert each piece of info in its predefined place, and give that to the audit team?
Hi, thanks for answering! The problem is that we need to audit the script before the deploy. The OO logging once executed is perfect, I think, but think of a staging environment, for example, where we don't have any permissions to deploy or modify anything: how could the security team view the scripts that we are sending inside a SQL Command operation before deploying, before executing?
Maybe the real problem is that they don't perform SAST over the OO flow code, but today that's our scenario =(