For developers, GitHub has become an integral tool in their arsenal. The developer-focused hosting service has made it easier than ever before to store, track, and collaborate on software development projects, regardless of the development language. GitHub is a workflow tool that has become essential in expediting and enhancing development tasks.
Despite the benefits, GitHub has its downsides. Many developers store secrets, such as API keys and programmatic passwords, in public repositories — GitHub being the most widely used example. And these repositories are irresistible to nefarious actors.
“Normally, the best practice is to put secrets into specific files or vaults,” says GitGuardian CMO Carole Winqwist in an interview with Acceleration Economy. “But that’s not what’s happening because developers want to go fast, and sometimes they want to test the key and hard code the secret, so it’s present, it’s visible in the code.”
“A lot of people are now developing on public GitHub so the code is public by nature and anyone who has the capacity to scan GitHub can automate secret detection,” Winqwist adds. “Usually, they [hackers] get access to the application or the database, customer data, whatever data the key gives access to.”
Once they’ve gained access, they’ll get to more keys and make lateral movements to acquire more rights and potentially take over an entire system. In fact, this worst-case scenario played out for Uber when, in late 2022, a hacker found a secret that was hard-coded into a script and enabled them to access all of the company’s critical systems, even its Slack channel.
Who They Are
GitGuardian was founded in Paris by Jeremy Thomas and Eric Fourrier in November 2017. However, the service wasn’t officially launched until 2018 when the platform’s secret detection engine was successfully tested on GitHub.
In 2020, GitGuardian launched its internal monitoring enterprise facility as SaaS and on-prem, completing the two-tier product offering. The company has raised $56 million in venture capital funding; investors include GitHub and Docker co-founders Scott Chacon and Solomon Hykes.
Despite being a Paris-based organization, GitGuardian has opened a subsidiary in the U.S. in view of the fact that 80% of its customers are U.S. companies. Heading up the GitGuardian team is Co-founder and CEO Fourrier, who holds two Masters’s degrees, one in Machine Learning (ML) and another in Applied Mathematics.
Alongside Fourrier, Yohann Le Jeune, former finance manager at the popular dating app happn, is GitGuardian’s Head of Finance.
What They Do
GitGuardian is in the business of secrets, more specifically in protecting secrets for DevSecOps. It helps organizations to build software and support collaboration between developers, cloud ops, and security teams safely by making users aware of any secrets that may have been leaked on public GitHub repositories or internally. GitGuardian champions the “Shift Left” approach, which involves implementing security measures at every stage of the software development lifecycle, not just securing complete applications.
The contextual meaning of secrets in a development context is critical to understanding GitGuardian’s approach. Winqwist defined secrets as follows: “It’s API keys, it’s tokens, it’s what we call programmatic passwords — not a user putting a password in the system, but the exchange of tokens between machines to ensure they’re hooked correctly and they’re allowed to talk one to another.”
They’re keys that no one should see because they can be used to enter an application, and that’s especially relevant in today’s practices. Developers aren’t releasing code from end-to-end within one system, but instead are usually building pieces of a system.
“Imagine, for example, you’re a bank and you want an in-app payment system,” Winqwist explains. “You’ll use something outside and you need secrets to connect the services that you’re taking from other vendors or other pieces of the organization to connect all these.”
GitGuardian takes a two-pronged approach to find and neutralize the threat of leaked secrets. The first is public. The second is internal.
GitGuardian’s public monitoring service is free for small teams below 25 developers and individual developers. Yet, every developer who leaks a secret on GitHub gets a notification from GitGuardian, even if they haven’t signed up for the service. This viral approach brings in around 3,000 new users every month.
“When you have your code in your repositories in your company, you think, okay, it’s protected, so people are even less cautious. Yet the day someone hacks your company and gets access to your code, there are keys all over the place, usually thousands of them.”Carole Winqwist, CMO, GitGuardian
Organizations that do sign up can access GitGuardian’s dashboard to map the entirety of their attack surface on public GitHub and monitor their developers. They can also research leaks dating back up to three years and collaborate on remediation efforts.
In regards to private monitoring, GitGuardian focuses on hard-coded secrets that often go undetected internally. “The problem is even worse when your code is in private,” says Winqwist. “When you have your code in your repositories in your company, you think, okay, it’s protected, so people are even less cautious. Yet the day someone hacks your company and gets access to your code, there are keys all over the place, usually thousands of them.”
To access these private repositories, GitGuardian needs read permissions. With this, the technology can detect any secrets exposed in the software development lifecycle.
How GitGuardian Works
GitGuardianʼs cybersecurity solution is centered on its detection engine. This powerful tool can uncover over 350 types of secrets.
The technology scans public, and when given permissions, private GitHub repositories and alerts a user as soon as a secret is leaked. When a company signs up to GitGuardian, it can receive notifications when a developer’s personal repository contains a violated secret, ensuring they have full coverage.
In regards to internal monitoring, GitGuardian can plug in at any level of the development cycle as specified by the organization. Using a system of ‘hooks’, GitGuardian can connect at any time. Although there is the option to hook in at the point of coding, some organizations may choose to commit to the detection process later so as not to disrupt the development cycle.
GitGuardian’s remediation techniques are key differentiators. The company provides organizations with information on severity through analytics, enables developer feedback through its Developer in the Loop feature, makes patches available, and offers the option to initiate security policies with remediation workflows. All of this functionality is accessible through a single dashboard.
Moving forward, GitGuardian has compelling future enhancements in the works. As well as public GitHub, customers can now integrate GitGuardian with all the most popular development platforms, including GitHub Enterprise, GitLab, Bitbucket, and the Azure DevOps suite.
Furthermore, GitGuardian is moving beyond secret detection to catch misconfigurations too. GitGuardian’s ggshield Infrastructure-as-Code (IaC) security scanning enables developers using the company’s command line interface, or CLI, to identify over 70 misconfigurations that can then be fixed pre-deployment.
Who They’ve Impacted
Cloud computing company Mirantis used GitGuardian to secure the repositories of many developers working for the company. “The combination of people working on Git repos and the handling of credentials leads to issues,” Yury Koldobanov, director of IT and acting CISO at Mirantis, said in a GitGuardian case study.
Initially, the Mirantis team considered onboarding a data loss prevention and analysis tool to detect secrets leaked through keywords. Yet, while this would cover many data sources, such as Google Drive, it wouldn’t address GitHub and the various types of secrets it supports.
Which companies are the most important vendors in cybersecurity? Click here to see the Acceleration Economy Top 10 Cybersecurity Shortlist, as selected by our expert team of practitioner-analysts.
It chose to use GitGuardian. Almost immediately, the company utilized the developer feedback features of GitGuardian that, on top of the instant automated alert structure, helped significantly in detection and remediation workflows.
Mirantis developed a questionnaire that enabled the team to create a triaging process and receive feedback automatically, covering all systems and slashing the time it would take to develop a remediation plan manually.
“GitGuardian is tackling one of the most prevalent challenges in the era of Cloud and DevSecOps. Secret sprawl continues to be a major problem and credential exposure and compromise remain among the most likely attack vectors that malicious actors use. GitGuardian helps organizations ensure sensitive credentials aren’t getting into the hands of attackers.”Chris Hughes, Acceleration Economy analyst and CISO
Why GitGuardian Makes Our Cybersecurity Top 10 Shortlist
GitGuardian builds code security for the DevSecOps era, and its powerful solution enables it to create a high level of source code security. The company was chosen for our Top 10 list of Cybersecurity as a Business enablers list because it:
- Performs comprehensive monitoring of hundreds of secrets both in public and private repositories.
- Empowers customers to take a focused remediation approach, tackling issues based on accurate prioritization with key signifiers.
- Utilizes a Shift Left approach to help keep costs down and increase the efficiency of software development and testing from the earliest point.
- Operates with a customer-centric product and development roadmap that helps customers utilize its technology on a flexible basis across key platforms.
Acceleration Economy cybersecurity analyst and CISO Chris Hughes says that protecting secrets is a critical element of cybersecurity strategy, so GitGuardian has the potential to serve a vital function as part of the CISO toolkit.
“GitGuardian is tackling one of the most prevalent challenges in the era of Cloud and DevSecOps,” says Acceleration Economy cybersecurity analyst Chris Hughes. “Secret sprawl continues to be a major problem and credential exposure and compromise remain among the most likely attack vectors that malicious actors use. GitGuardian helps organizations ensure sensitive credentials aren’t getting into the hands of attackers.”
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: