Comprehensive software reviews to make better IT decisions
Conquering the Secrets Dilemma: A Real-World Case Study With GitGuardian
We should start by defining what a secret is. It’s really any piece of confidential information used to authenticate access to sensitive resources. This includes passwords, API keys, encryption keys, SSH keys, and other digital credentials. Many of the organizations I talk to have an application security program with some OWASP checks in the pipeline, some SAST, but rarely SCA or DAST testing. GitGuardian believes secrets detection and remediation is crucial for maintaining security and preventing unauthorized individuals from accessing sensitive information or disrupting critical systems. I agree and believe the value it can bring to an application security program is significant.
I am often asked about the differences in secrets solutions. Normally there are two types of solutions: secrets management and secrets detection. Both are important, but they serve different purposes. Secrets management focuses on the proactive protection of sensitive information by enabling the following:
- Storing secrets securely in a centralized vault, encrypted at rest and in transit.
- Controlling access to secrets with granular permissions and audit logs.
- Rotating secrets regularly to minimize the risk of compromise.
- Automating secrets management tasks to reduce human error.
Secrets detection on the other hand focuses on identifying and remediating leaks of sensitive information. Things that occur accidentally or because of malicious activity. This is where GitGuardian feels it’s the market leader. Based on its client portfolio, it’s a compelling argument. Its solution can deliver on some of the most asked about secrets detection features such as:
- Scanning code repositories for hardcoded secrets.
- Monitoring logs and network traffic for signs of suspicious activity.
- Analyzing data leaks to identify exposed secrets.
- Investigating and responding to security incidents related to secrets.
A little bit of background on GitGuardian if the name is new to you. It is a leader in its space and was founded in Paris, France, in November 2017, by Jeremy Thomas and Eric Fourrier. Both founders were experienced data scientists and software engineers. They quickly grew their platform for detecting secrets in code into a powerful cybersecurity value-add. GitGuardian officially launched in 2018 and gained traction by its commitment to open-source security. Today, with a team of over 130 associates, it continues to forge ahead with initiatives like GitGuardian Labs, ensuring developers remain at the forefront of security in the ever-evolving digital landscape and offering free tiers of service such as secrets detection and a fixed amount of Honeytokens to engage the developer community.
Honeytokens was an interesting topic that came up during my analyst demo with GitGuardian. This is clever; they are digital decoys designed to lure attackers into a trap and detect unauthorized access to your software supply chain. These so called Honeytokens are secret tokens that appear like legitimate credentials but grant no access to real resources. When they are exposed and triggered, like tripwire they issue immediate alerts that allow you to track attacker behavior that can reveal their IP address, user agent, and location, likely preventing a potential breach. You have the flexibility of embedding these secret tokens in:
- API keys: Embedded directly into your code or deployed as part of your CI/CD pipeline.
- Database credentials: Used to test the security of your database connections.
- SSH keys: Used to test the security of your SSH servers.
- Custom honeytokens: Create your own custom honeytokens to meet your specific needs.
I learned that GitGuardian's key differentiators are due to its focus on developer-centric security. That probably sounds like a no-brainer, but unlike traditional security solutions that are often complex and face adoption barriers, GitGuardian offers a seamless approach to integrating secrets management and leak detection directly into the developer workflow. This empowers developers to take ownership of security and shift security left and reduce the risk of leaks without sacrificing productivity, something that’s of significant value. Its unique and exceptional features, like honeytokens, code reviews, and CI/CD pipeline scanning, coupled with its intuitive UI and capable API, provide developers with the tools and visibility they need to securely manage secrets throughout the entire SDLC. When I asked how quick it was to see ROI, I was told that on average a company with 400 developers and four application security engineers will discover about 1,050 unique secrets leaked on first use.
Sources:
- Analyst demo December 8, 2023, with GitGuardian
- OWASP Cheat Sheet Series: Secrets Management
- SANS Institute Reading Room: Secrets Management
- About Us | GitGuardian
- Pricing | GitGuardian
- GitGuardian API (1.1.0) | GitGuardian
- The Honeytoken collection | GitGuardian
Our Take
Secrets detection and remediation is often overlooked or deprioritized by security practitioners, but with 10MM (+67%) new secrets detected in public Github commits in 2020, the secrets conversation isn’t going away. It’s clear GitGuardian will continue to perfect its core secrets detection and remediation platform and plans to grow its application security footprint with more scope, soon to take on supply chain risks with SCA as part of its solution set mid next year. Its secrets detection capabilities are exceptional, with natural language processing (NLP) and access to a massive data set of GitHub commits and a powerful AI making its accuracy a true differentiator. In a five-bullet summary, here is what I feel GitGuardian brings to the table in a very competitive landscape:
- Early detection: Real-time scanning across code repositories, CI/CD pipelines, and communication channels to proactively identify secrets leaks before they become critical issues.
- Developer-friendly experience: Intuitive interface that provides actionable insights. This empowers developers, allowing them to fix vulnerabilities directly within their workflows. This can help foster a culture of security and allocate proper ownership.
- Holistic protection: Comprehensive coverage across all stages of the SDLC, from code review to production, eliminating gaps and ensuring comprehensive security.
- Open-source commitment: Notorious for active contribution to open-source projects and transparency in security research that has built trust and encouraged community collaboration.
- Advanced features: Disrupting the market with clever solutions such as Honeytokens, severity rule management, and historical scan access that offers granular control and deeper insights into potential threats.
Want to Know More?
Threat Intelligence & Incident Response