Software is no longer written from scratch. To create applications, developers rely on thousands of building blocks and components. As a consequence, developers have access to more and more of the sensitive information needed to programmatically connect these services together: API keys, private keys, certificates, database credentials, various usernames and passwords, and so on. Secrets are unlike passwords: they are made to be shared and distributed so that they can be used by developers, applications and systems. These credentials are so sensitive that a single leak could jeopardize the entire organization. We are at a point where secrets are literally spreading throughout the organization and into the public space; this problem is so large that it has been given a name: “secret sprawl”.
The secret sprawl threat has two dimensions:
Secrets in public code on GitHub. GitHub is used by over 50 million developers. What is counterintuitive is that corporate secrets are found in developers’ public personal repositories. These secrets are exploitable by anyone, with no special skills, and malicious activity takes place in real time. These public code repositories are a blind spot for companies, which have no authority to implement preventive measures there. If you have more than 100 developers, you are exposed to leaking secrets in public code.
Secrets in internal code. Even if the code is internal, it represents a vulnerability because of the very nature of source code, which is meant to be distributed and cloned an unlimited number of times onto different machines, and which transits over networks. A malicious actor who penetrates your system can then very easily use the secrets to move laterally. A recent example is the Codecov case, where secrets left in a Docker container were exploited by attackers to penetrate the application.
How Big Is This Secret Sprawl Problem?
Earlier this year GitGuardian released the most comprehensive report on the topic: the 2021 State of Secrets Sprawl on GitHub report.
The report, which is based on GitGuardian’s constant scanning of every single commit pushed to public GitHub, shows that over 2 million secrets were detected in a year, an alarming growth of 20% year-over-year in the number of secrets found. 15% of leaks on GitHub occur within public repositories owned by organizations and 85% of the leaks occur on developers’ personal repositories. Secrets present in all these repositories can be either personal or corporate, and this is where the risk lies for organizations: some of their corporate secrets are exposed publicly through their current or former developers’ personal repositories.
Talend, one of GitGuardian’s customers, confirms this finding: “We launched an audit using GitGuardian, and several leaked secrets were brought to our attention. What was very interesting and what we didn’t anticipate was that most of the alerts came from the personal code repositories of our developers.” – Anne Hardy, CISO, Talend
Unfortunately, it is even worse in internal repositories as they tend to host more secrets. Internal repositories give the illusion of protection and a false sense of secrecy.
How Are You Solving That Problem?
GitGuardian is solving the issue of secrets sprawling through source code by automating secrets detection for Application Security and Data Loss Prevention purposes.
GitGuardian Internal Monitoring focuses on secrets in internal code. It integrates with the Version Control System to further secure the software development life cycle, scanning existing code as well as incremental changes to ensure total coverage. GitGuardian has native integrations with GitHub, GitLab and Bitbucket, and both SaaS and on-premises versions are available. It also integrates with the most common SIEM, ITSM, ticketing and chat systems to fit into companies’ alerting flows.
GitGuardian Public Monitoring focuses on public GitHub. It allows real-time GitHub scanning and alerting to uncover sensitive company information hiding in online repositories. Apart from its detection engine, one of the most critical differentiators is its capacity to build a dynamic surveillance perimeter including both organization repositories and developers’ personal repositories (current developers, former developers or subcontractors). The solution gives visibility on a very critical blind spot: the organization’s developers’ personal repositories on GitHub.
Both products are powered by the same secret detection engine, which covers 250+ API providers, database connection strings, private keys, certificates, usernames and passwords, and also allows custom detectors to be built. GitGuardian uses sophisticated pattern matching techniques to detect credentials that cannot be strictly defined by a distinctive pattern (such as unprefixed credentials). The focus is also put on the precision of the detection engine so that it returns the highest possible rate of “true positives”: it is critical not to overwhelm AppSec teams with alerts and false positives.
The developer and the application security team get the alert and can start the remediation process immediately.
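As an added illustration of the two detection approaches described above (this is example code, not GitGuardian’s engine), a minimal Python scanner over the added lines of a constructed commit diff: distinctive-pattern detectors for private keys and database connection strings, plus an entropy heuristic with a placeholder filter for unprefixed credentials. The sample diff, the keyword list and the length/entropy thresholds are assumptions.

```python
import math
import re

# Constructed sample: added lines of a hypothetical commit diff (no real credentials).
SAMPLE_DIFF = """\
+DATABASE_URL = "postgres://app:S3cr3tPassw0rd@db.internal:5432/prod"
+API_TOKEN = "tok_9f8e7d6c5b4a39281706f5e4d3c2b1a0"
+PASSWORD = "changeme"
+-----BEGIN RSA PRIVATE KEY-----
+LOG_LEVEL = "debug"
+secret = os.environ["APP_SECRET"]
"""

# Secrets with a distinctive pattern can be matched directly.
PATTERN_DETECTORS = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "db_connection_string": re.compile(r"\b\w+://[^:\s/]+:([^@\s]+)@[^\s\"']+"),
}
# Unprefixed credentials: a sensitive-looking variable assigned a quoted literal.
ASSIGNMENT = re.compile(r"(?i)\b\w*(password|passwd|secret|token|api_?key)\w*\s*[:=]\s*[\"']([^\"']+)[\"']")
# Obvious placeholders are skipped so that the alert stream stays high-precision.
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "todo", "<redacted>"}

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking credentials score high."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_diff(diff: str, min_len: int = 16, min_entropy: float = 3.0) -> list[dict]:
    """Return findings for the added (+) lines of a unified diff."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # incremental scanning: only newly added lines are inspected
        content = line[1:]
        for name, pattern in PATTERN_DETECTORS.items():
            if pattern.search(content):
                findings.append({"line": lineno, "detector": name})
        m = ASSIGNMENT.search(content)
        if m:
            value = m.group(2)
            # Heuristic for unprefixed credentials: long, high-entropy, not a placeholder.
            if (value.lower() not in PLACEHOLDERS and len(value) >= min_len
                    and shannon_entropy(value) >= min_entropy):
                findings.append({"line": lineno, "detector": "generic_high_entropy"})
    return findings

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

The `changeme` placeholder and the value read from the environment produce no alert, which is the precision trade-off the text refers to; a production engine would add many more detectors and validity checks on top of this.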
What Are Your Latest Innovations?
With an ARR growth of 350% YoY, GitGuardian is a major player in the code security market segment and continuously innovates to help companies detect and remediate.
The latest product innovations serve both the shift-left strategy of companies willing to put the developer at the center of their security and the DevSecOps approach, by fully integrating the GitGuardian dashboard with the development teams’ tools and workflows. GitGuardian is also extending its detection capabilities to intellectual property leaked on public GitHub, as well as personally identifiable information and medical data.
GitGuardian Public Monitoring has also been enriched with Explore, a pentesting feature allowing red teams to proactively look for a company’s sensitive information by performing complex queries on 12 billion documents and metadata from 3 years of GitHub history.
What Is The Next Big Challenge In Application Security?
The organizational, technical and cultural shifts that DevOps has introduced create a trove of new types of vulnerabilities but also new places to look for them and new ways to remediate them. The issue is that the DevSecOps tooling is not up to the challenge. Vendors like GitGuardian are investing to bring efficient and collaborative solutions.
How Do People Get Involved/Buy into Your Vision?
GitGuardian has been raising awareness around secrets sprawl since early 2017: we have been scanning every public GitHub commit and sent nearly 1 million emails last year to developers through our pro-bono alerting program.
Our Internal Monitoring solution is free to use for individual developers and for small teams of fewer than 25 developers; you can sign up today. For larger organizations, a free trial is available: sign up and activate the free trial in the dashboard. Your code will be protected within a couple of minutes, and a history scan will give you an idea of your current exposure.