OverOps Security Protocols

Introduction

When it comes to your production environment, security is of the utmost concern. OverOps takes security extremely seriously. Your data is fully encrypted any time it heads outside of your environment. You also have the ability to take security further, with personally identifiable information filtering and hybrid on-premises deployment models.

How does OverOps Analyze your Code?

When viewing an error within OverOps, you can see the source code and variable values that caused it at the moment of occurrence. OverOps uses a combination of VM-level signal detection and continuous code analysis in the cloud to determine and collect the right source code and variable state for each error.

OverOps encrypts all source code and variable data collected at run-time using a strong 256-bit AES key privately generated for you during installation. Code and variable data collected on your machines is only uploaded to and stored by OverOps in the cloud in its encrypted private form. This ensures that it can only be viewed by you and your team using your private encryption key, and that it cannot be accessed by anyone else (including OverOps administrators).

Bytecode/MSIL Analysis

To offload work from the local VM in order to analyze errors efficiently, OverOps converts bytecode loaded by the application (e.g., .jar, .war, .class files) or MSIL (Microsoft Intermediate Language) files loaded by the application (e.g., .dll, .exe files) into an abstract graph structure that it analyzes in the cloud. The graph structure does not contain symbols, values, or operators, and cannot be executed or reverse engineered. This conversion process, which runs on your machine, includes removing all jars and packages (for Java), namespaces (for .NET), classes, fields, methods, and variable names (both from your code and any Java, .NET, or 3rd party frameworks), as well as removing all logical and numeric operators, number and string constants, and code attributes.

The bytecode/MSIL graph is sent to the cloud for analysis to help determine which code fragments and variable values are required to analyze each error, and the fastest way to collect them while maintaining a low production performance overhead.

Source Code Encryption

To display the source code for target methods that are related to an error using the OverOps user interface, the relevant pieces from the converted bytecode/MSIL graph are decompiled in the cloud into a source code template which does not contain any symbols, operator values, or literals. The code template is in turn sent back to the OverOps Micro-Agent on your server, where it is mapped and reconstructed into source code (using the original bytecode/MSIL that resides on your machine).

The reconstructed source code is encrypted on your machine using your private 256-bit AES encryption key (known only to you). The encrypted source code is then stored on OverOps' servers for later viewing by authorized users. Storing the source related to each specific error at the moment of occurrence ensures that even if you deploy new code to your servers, you'll still have access to the exact source code and variable state in the future (pursuant to OverOps' data retention policy).

Viewing Source Code in OverOps

Because the source code viewed within OverOps is a result of a decompilation process, it may look slightly different from your original source code. Learn how to connect and view your actual source code in OverOps.

Source Code Decryption

When you open an error for viewing within the OverOps web interface, it retrieves the relevant encrypted code from the cloud to your device. It is only at this point that the source code can be decrypted using your AES encryption key (which is not stored by OverOps), enabling you to privately view and debug your code without compromising its security.

Variable Data Encryption

OverOps takes the protection of your variable data very seriously. OverOps uses a private 256-bit AES encryption scheme to protect and ensure the privacy of any data (both source code and variable state) collected on your machine. Any variable data collected on your machines is encrypted by OverOps' agent with the help of a strongly randomized encryption key that is private to you, before it is sent to the cloud. This means that no one other than you (not even OverOps administrators) can access your data.

Decryption of variable data can only be performed in your device's web browser, where your AES key is stored. This also means that at no point is your AES key transmitted outside your domain. Any other team members within your company must explicitly be provided with access to the key by you in order to access collected data.
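
The encrypt-locally, store-ciphertext, decrypt-on-device flow described in the source code and variable data sections above can be sketched as follows. This is an added example, not OverOps code: the page names only 256-bit AES, so the GCM mode, the record layout, and every function and field name here are assumptions, and the sample snapshot is constructed.

```javascript
// Added example (not OverOps code). Assumes AES-256-GCM; the page names only AES-256.
const crypto = require('crypto');

// Install time: a 256-bit key is generated and kept inside the customer environment.
function generateKey() {
  return crypto.randomBytes(32);
}

// Agent side: encrypt a snapshot (source + variable state) before it leaves the host.
function sealSnapshot(key, snapshot, errorId) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(errorId)); // bind the ciphertext to its error record
  const body = Buffer.from(JSON.stringify(snapshot), 'utf8');
  const ct = Buffer.concat([cipher.update(body), cipher.final()]);
  return {
    errorId,
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Viewer side: decrypt on the user's device; throws on a wrong key or altered record.
function openSnapshot(key, record) {
  const iv = Buffer.from(record.iv, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(record.errorId));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  const ct = Buffer.from(record.ct, 'base64');
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// True when decryption fails, i.e. the holder of `key` cannot read `record`.
function isRejected(key, record) {
  try {
    openSnapshot(key, record);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample data: what the cloud store would hold is `storedRecord` only.
const sampleKey = generateKey();
const sampleSnapshot = { method: 'OrderService.charge', vars: { orderId: 1042, cardLast4: '4242' } };
const storedRecord = sealSnapshot(sampleKey, sampleSnapshot, 'err-0001');
```

With an authenticated mode, a party holding the stored record but not the key can neither read it nor alter it or move it to another error record without the viewer detecting the change.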
