From Plastic to Cyber Resilience: Unveiling Security Gaps and Solutions
Introduction
Last year, I had an opportunity to work with a mid-size company producing plastic products in Estonia. To protect the client, I can’t disclose names, but the company is proud of its production and has worked in this line of business for many years.
Environmental impact has been a challenge for them and one of the reasons the company set out to address these concerns in a smart and sustainable way. They have invested heavily in software systems to solve many of the industry’s problems.
That’s where I came into the picture and started helping them to address security concerns regarding their software development. I was tasked with observing their code and giving security recommendations.
Discovery
I very quickly noticed a troubling pattern. Developers weren’t controlling their secrets: multiple repositories were full of keys, tokens, and whatnot, and lots of legacy repositories held passwords in plain text. That is a terrifying scenario for any company.
Imagine if, by mistake, someone there makes a repository public. It can be the start of a significant cyber-attack, and from then on the business is at the attacker’s mercy. They can cripple the entire company and shut it down.
GitGuardian
As a solutions-oriented person, I investigated the market to find the optimal tool for such a scenario. I found a company called GitGuardian. They help organizations stay secure at every step of the development cycle. Founded in Paris, GitGuardian has changed how secret sprawl is detected. They offer a code security platform that scans for and helps fix hardcoded secrets in source code, CI/CD pipelines, and developer productivity tools.
Walkthrough
For this article, I will not talk about the actual implementation of GitGuardian; instead, I will lightly touch on the most essential pieces of the platform.
We start with the perimeter. GitGuardian can look into GitHub, GitLab, and Azure repositories. However, that’s just the tip of the iceberg. It can also look into Slack instances, and very soon it will be possible to monitor Jira tickets for accidental secret exposure.
For each detected secret, the system raises an incident on the GitGuardian platform. You can choose how to be alerted. Some prefer email, and some like messaging channels such as Discord or Slack.
Once you have analyzed the incident, what do you do next? The answer comes back to your internal processes. You cannot simply remove secrets willy-nilly, especially in legacy platforms where components depend on each other. Only with data and prioritization can things be changed safely.
The GitGuardian platform will not remove a secret for you, but it lets you know about it and lets you start the remediation process.
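To make the discovery above (plain-text passwords and keys sitting in legacy repositories) and the detect-then-raise-an-incident flow concrete, here is an added, self-contained example of the kind of scanner a platform like this runs. It is my illustration, not GitGuardian’s detector or any of its code; the key formats it matches (the AWS access key id prefix and the PEM private key header) are public formats, the password-assignment and entropy rules are generic heuristics I chose, and the repository name, file path, and config lines are constructed placeholders, not real credentials. Each hit becomes a redacted incident record so that the raw secret never travels into an email or chat alert.

```python
"""Minimal hardcoded-secret detector (illustrative; not GitGuardian's engine).

Scans text lines, as a pre-commit hook or CI step would, for two classes of
findings: known key formats (regex) and generic high-entropy tokens
(Shannon entropy). Each hit becomes a redacted Incident so the raw secret
never leaves the scanner in an alert.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Known-format detectors. AWS access key ids start with "AKIA" followed by 16
# upper-case alphanumerics; PEM private keys carry a fixed header line.
# The password rule is a generic "password = '...'" assignment check.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
}
# Generic detector: a quoted run of 20+ token-like characters with high entropy.
GENERIC_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/_\-=]{20,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; prose and identifiers sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for empty input."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep the first 4 characters so the incident is identifiable but safe to share."""
    return secret[:4] + "*" * (len(secret) - 4)


@dataclass(frozen=True)
class Incident:
    repo: str
    path: str
    line_no: int
    kind: str
    redacted: str


def scan_lines(repo: str, path: str, lines) -> list[Incident]:
    """Return one Incident per secret-looking value found in the given lines."""
    found: list[Incident] = []
    for no, line in enumerate(lines, start=1):
        hit = False
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                secret = m.group(1) if m.groups() else m.group(0)
                found.append(Incident(repo, path, no, kind, redact(secret)))
                hit = True
        if hit:
            continue  # do not re-report a known-format key as a generic token
        for m in GENERIC_TOKEN.finditer(line):
            token = m.group(1)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                found.append(Incident(repo, path, no, "high_entropy_token", redact(token)))
    return found


def summarize(incidents: list[Incident]) -> dict[str, int]:
    """Count incidents by kind: the prioritisation input a trend dashboard would chart."""
    out: dict[str, int] = {}
    for inc in incidents:
        out[inc.kind] = out.get(inc.kind, 0) + 1
    return out


# Constructed sample input: a legacy config file of the kind described in the post.
# Every value below is a made-up placeholder, not a real credential.
SAMPLE_REPO = "legacy-erp"
SAMPLE_PATH = "config/settings.py"
SAMPLE_LINES = [
    "DEBUG = True",
    "DB_PASSWORD = 'Summer2019!'",
    "AWS_KEY = 'AKIAABCDEFGHIJKLMNOP'",
    "GREETING = 'hello world, this is plain text'",
    "API_TOKEN = 'q7Zp2xL9vR4tW1nY8kB3mC6sH0dF5gJa'",
]

if __name__ == "__main__":
    incidents = scan_lines(SAMPLE_REPO, SAMPLE_PATH, SAMPLE_LINES)
    for inc in incidents:
        print(f"{inc.repo}:{inc.path}:{inc.line_no} {inc.kind} {inc.redacted}")
    print(summarize(incidents))
```

Two design points carry over to any real deployment: the incident stores a redacted value, never the secret itself, because the alert channel (email, Slack, Discord) is usually less protected than the repository; and the known-format rules run before the entropy heuristic so a single key does not produce two incidents, which keeps the counts that feed prioritization honest.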
To wrap up the walkthrough section, I want to mention that GitGuardian can show you trends in your environment over time. This capability matters to CISOs who want to take the current temperature of the company from a dev security perspective.
Conclusion
I have informed the Estonian company about the importance of dev security. However, it takes time to adopt new technologies and ways of working. I am still waiting to hear of a successful implementation there. Still, I am sharing information about great products that can bring value and improve the security posture of organizations. Next time, I will dive into the CI/CD aspect of GitGuardian.