
Secure Cloud Applications: Stop Leaky Secrets with GitGuardian


The News: GitGuardian expands into infrastructure-as-code security and honeytoken-based threat detection, complementing its core secrets detection capabilities for a more comprehensive approach to software supply chain security. Read more on the GitGuardian blog page.


Analyst Take: In modern, cloud-native applications, secrets such as API keys and database credentials are what gate access to sensitive data and services. Consequently, secrets, and the developers who need them as part of the application development process, are prime targets for attackers as organizations increasingly adopt cloud-hosted and container-based applications.

The problem is that secrets leak as a side effect of agile development practices. For example, developers might not be aware of the risks of committing to GitHub, a code hosting platform commonly used for version control and collaboration. As a result, they might reuse code across several GitHub accounts, reuse the same secrets across the projects they work on, or send secrets to other developers over Slack. Each of these habits widens the exposure: there are more copies of a secret to find and revoke, and more paths through which it can be reached.

Developers also might not perform all of the security checks that they should, in the interest of pushing code into production more quickly, or because they are not aware of best practices or of company-mandated or regulatory requirements. Additionally, while modern applications are typically developed in the cloud, if the application is developed in a private repository, developers might be lax because they assume nobody else has access to it. That assumption fails the moment an account is compromised, and because Git history retains every secret ever committed even after it is removed from the current version, the clean-up is especially painful in complex enterprise environments with large numbers of files and repositories. Secrets managers and vault tools exist, but their use cannot be enforced by the tools themselves, and they do not guarantee that secrets will not leak elsewhere.

GitGuardian provides a platform that scans developers’ code and related artifacts to make sure that API keys, credentials, and other sensitive information are not exposed, in source code or otherwise. By flagging a leaked secret close to the moment it is committed, it gives teams the chance to revoke and rotate it before an attacker can use it. The objective is to keep agile code development secure without slowing it down. The tool is designed to integrate with existing workflows (for example, as a pre-commit or CI check), though developers unfamiliar with the command line interface may need some initial training.

Specifically, GitGuardian scans the organization’s public GitHub repositories and internal Git servers for API keys, database credentials, certificates, and other secrets, as well as for more than 100 infrastructure-as-code misconfigurations (the latter a new addition to the platform). In total, the platform can detect over 350 types of secrets, according to GitGuardian.

Incidents can be prioritized in a number of ways, including by secret type, location, recency, validity checks (whether the credential is still live), and contextual tags such as “public leakage.” A secret that is still valid and publicly exposed is the one to rotate first, but any secret that has been committed should be treated as compromised and rotated, because it remains in the Git history. Alerts can be routed to developers, who can investigate and leave comments, so that they remediate incidents without intervention from the security team. This helps security operations scale and work more efficiently. Detection and remediation are accelerated by the recent addition of GitGuardian Honeytoken (decoy credentials that have no legitimate use and raise an alert when someone tries to use them), as well as by the platform’s automated playbooks for alerting, severity scoring, and incident closing. The result is a more collaborative remediation model between security and development teams. Exposure trends can be monitored over time, which helps gauge the effectiveness of remediation efforts.
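To make the detection and triage flow above concrete, here is an added example that is not GitGuardian’s code and does not reproduce its detectors: a small secrets scanner in Python with constructed detector rules, an entropy filter for the generic rule, and a triage step that collapses repeated copies of one secret into a single incident, scores it, and tags public exposure. The sample repository contents are constructed for the example (the AWS key is AWS’s documented example key, not a real credential), and the rule names, severities and tag strings are assumptions.

```python
import hashlib
import math
import re
from dataclasses import dataclass, field

# Detector rules, constructed for this example (not GitGuardian's detectors). The AWS
# and GitHub prefixes follow those providers' documented token formats; the generic
# rule catches assignments to credential-like names and is filtered by entropy below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"),
    "private_key": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "generic_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
ENTROPY_THRESHOLD = 3.0  # bits/char; "changeme" scores 2.75, random hex about 3.9
BASE_SEVERITY = {"private_key": 4, "aws_access_key_id": 4,
                 "github_token": 3, "generic_credential": 2}   # assumed scale
SEVERITY_NAMES = {5: "critical", 4: "high", 3: "medium", 2: "low", 1: "info"}


@dataclass
class Finding:
    path: str
    line_no: int
    secret_type: str
    value: str


@dataclass
class Incident:
    secret_type: str
    fingerprint: str          # sha256 prefix of the secret; the raw value is never reported
    redacted: str
    locations: list = field(default_factory=list)
    score: int = 0
    severity: str = "info"
    tags: list = field(default_factory=list)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, dictionary words low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the first and last four characters so an alert is still recognisable."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_lines(path: str, lines) -> list:
    """Run every detector over each line; keep generic hits only if they look random."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for secret_type, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                if secret_type == "generic_credential" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # e.g. DB_PASSWORD = 'changeme': a placeholder, not a leaked secret
                findings.append(Finding(path, line_no, secret_type, value))
    return findings


def group_incidents(findings, repo_public: bool = False) -> list:
    """Collapse repeated copies of one secret into one incident, then score and tag it."""
    incidents = {}
    for f in findings:
        fp = hashlib.sha256(f.value.encode()).hexdigest()[:16]
        inc = incidents.setdefault((f.secret_type, fp),
                                   Incident(f.secret_type, fp, redact(f.value)))
        inc.locations.append(f"{f.path}:{f.line_no}")
    for inc in incidents.values():
        inc.score = BASE_SEVERITY[inc.secret_type]
        if repo_public:
            inc.score += 1                    # anyone may already have it: rotate first
            inc.tags.append("public leakage")
        if len(inc.locations) > 1:
            inc.tags.append("reused")         # every copy must be removed when rotating
        inc.severity = SEVERITY_NAMES[min(inc.score, 5)]
    # Highest severity first, then the secret that is spread across the most places.
    return sorted(incidents.values(), key=lambda i: (-i.score, -len(i.locations)))


def scan_repo(repo: dict, repo_public: bool = False) -> list:
    findings = []
    for path, lines in repo.items():
        findings.extend(scan_lines(path, lines))
    return group_incidents(findings, repo_public)


# Constructed sample repository contents (not real credentials).
SAMPLE_REPO = {
    "src/config.py": [
        "DB_PASSWORD = 'changeme'",
        "API_KEY = 'a3f9c2e7b1d4e6f8a0c1b2d3e4f5a6b7'",
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
    ],
    "scripts/backup.sh": ["export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"],
    "deploy/id_rsa": ["-----BEGIN RSA PRIVATE KEY-----"],
}

if __name__ == "__main__":
    for inc in scan_repo(SAMPLE_REPO, repo_public=True):
        print(inc.severity, inc.secret_type, inc.redacted, inc.locations, inc.tags)
```

Running it on the sample repository yields three incidents, not four findings: the AWS key committed in two files becomes one critical incident tagged both “public leakage” and “reused”, the private key header is critical, the high-entropy API key is medium, and the low-entropy placeholder password is dropped by the entropy filter. Grouping by fingerprint rather than by file is what turns a pile of matches into a rotation list, and reporting only a hash plus a redacted form keeps the scanner from becoming a second place the secret leaks from.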

Since its founding in 2017, GitGuardian has built a well-rounded set of software supply chain security capabilities, spanning the ability to detect hardcoded secrets (secrets security), vulnerable open source dependencies (software composition analysis, SCA), and misconfigurations and other risks in cloud infrastructure (infrastructure-as-code). The honeytoken capability also adds an intrusion detection signal that the others do not provide: a decoy credential has no legitimate use, so any attempt to use it indicates that someone has reached the place where it was planted.

Also important is the ability to bridge security and development teams for remediation. This includes translating findings into actionable guidance for developers, which eases communication between the two teams and gives developers more independence, as well as automating the manual work of sifting through code for exposed secrets and vulnerabilities on the security side. The result is fewer breaches and faster remediation of those that do occur. Looking ahead, The Futurum Group anticipates a focus on capitalizing on the expanded scope of GitGuardian’s protection capabilities, and on finding opportunities to use AI to add contextual detail that can support remediation.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.

Other Insights from The Futurum Group:

Secure Your Devices: HP Wolf Security Suite

Talking AI GPUs and Ransomware Detection – Infrastructure Matters, Episode 23

2024 Trends and CIO Strategic Focus Areas – Infrastructure Matters, Episode 24

Author Information

Krista Case

Krista Case brings over 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.
