It’s really easy for secrets (passwords, personally identifiable information, etc.) to leak into logs and other telemetry emitted by your application.
Random idea to mitigate this: build a library that tags those secrets with an “isotope tracer”, a random string (say, a UUID generated just for this purpose) that gets prepended to the secret value.
Everything in your application that uses secret values knows it has to strip the isotope just before using them.
Then you can set up monitoring over your logs and whatever else gets spit out of your application, looking for the UUID string. If you ever find it, you know you’re emitting something you shouldn’t and you can clean it up.
I poked around a bit looking for something existing like this and didn’t see anything, but if you know of someone who has tried it, let me know. I’d love to hear whether it works well or has downsides that aren’t obvious at first blush.
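As an added example (not code from the post), here is a minimal Python sketch of the idea: a `Secret` wrapper that prepends a per-process tracer UUID, a `reveal()` that strips it right before use, and a log scanner that flags any emitted line still carrying the tracer. The names, the `isotope:` prefix format and the log lines are all constructed for illustration.

```python
import re
import uuid

# One tracer per process, generated at start-up so it is never a fixed string
# that could end up hard-coded. The "isotope:<uuid>:" shape is an illustrative
# choice; any unguessable, easily grepped token works.
TRACER = f"isotope:{uuid.uuid4()}:"
# The scanner matches the tracer *shape*, so logs from other processes
# (which carry different UUIDs) are caught too.
TRACER_RE = re.compile(
    r"isotope:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}:"
)


class Secret:
    """A secret value stored with the tracer prepended."""

    def __init__(self, value: str) -> None:
        self._tagged = TRACER + value

    def __str__(self) -> str:
        # Deliberately returns the *tagged* value: an accidental f-string or
        # logger call then emits something the scanner can find.
        return self._tagged

    __repr__ = __str__

    def reveal(self) -> str:
        """Strip the tracer immediately before real use (DB driver, HTTP client)."""
        if not self._tagged.startswith(TRACER):
            raise ValueError("secret lost its tracer; refusing to use it")
        return self._tagged[len(TRACER):]


def scan_logs(lines):
    """Return (line_number, line) for every emitted line that carries a tracer."""
    return [(n, ln) for n, ln in enumerate(lines, start=1) if TRACER_RE.search(ln)]


def demo():
    """Constructed scenario: one code path reveals correctly, another leaks the
    tagged Secret via str(); return what the scanner flags."""
    db_password = Secret("hunter2")
    bare = db_password.reveal()  # what the DB driver should receive
    log_lines = [  # constructed log output
        "connection attempt user=app",
        f"DEBUG connecting with password={db_password}",  # bug: str() on a Secret
        f"DEBUG connecting with password={bare}",  # leak after reveal(): invisible
    ]
    return scan_logs(log_lines)
```

The third constructed log line shows the obvious limit: once `reveal()` has stripped the tracer, a leak of the bare value is invisible to the scanner, so `reveal()` should be called as late and as narrowly as possible.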