GitGuardian lets application developers quickly scan for and fix hardcoded secrets (such as API keys and other private information) across source code, CI/CD pipelines, and productivity tools. Eric Fourrier, CEO of GitGuardian, demonstrates key features of the platform. Learn more here: https://www.gitguardian.com/monitor-internal-repositories-for-secrets.
Hi, everyone, welcome to DEMO, the show where companies come in and show us their latest products and features. Joining me today is Eric Fourrier. He is the CEO of GitGuardian. So welcome to the show. Thank you, Keith. So it's up there. Yeah.
So what are we going to see today? You have an automated secrets detection and remediation platform. That's about the best I could figure out. Right?
Yeah, I definitely like to call it a code security platform, really focusing on detecting secrets everywhere and helping our companies not get breached, because obviously of leakage. Okay, so generally, within a company, who is this designed for?
What role would they have in the company that would make them want to use it? Yeah, great question. Usually it's the application security engineers or the director of platform engineering buying the product. But the specificity and the beauty of GitGuardian is like it.
So we are used by more than 300,000 developers around the world; we are actually the most installed security application on the GitHub Marketplace. And it's really both developers and the security persona, security engineers, working together to produce more secure code and avoid leaking secrets in code.
Yeah, so obviously the problem the platform is solving is, when someone's writing a lot of code, they might not realize that they have secrets that they might be revealing through this code. Correct. How big of a problem is that?
Yeah. I think the bigger picture is what we call secrets sprawl: over the past 10 or 15 years, you have more and more applications, more developers, more SaaS, more and more microservices, and for all these applications to talk together, they need what we call secrets, or you could also call them machine identities.
And what happened is that developers, and even IT engineers, spread the secrets a bit everywhere.
And it can be inside code, but it can also be in ticketing systems such as Jira, or shared through messaging systems such as Slack or Teams. And really, GitGuardian likes to help you not only detect these secrets, but also prioritize them.
Help your developers with tools to prevent them from leaking secrets, and also, especially, help the team on the remediation, making sure there are no secrets. Right, right.
And so when you use the word secrets, it's a little different from what I hear about secrets. It's not like the formula for Coca-Cola or anything like that. It's more application-related secrets. What do you mean by that, exactly? It's a great question.
So what is a secret? Secrets or machine identities allow applications to talk together. It can be an API key to access an external service, a cloud credential to access your infrastructure, such as an AWS key or a Google Cloud credential, or even a database credential to talk to your database and get data.
So it's basically any sort of credential or identification that allows you to get access to a service. Okay, and what would companies do if they didn't use this platform?
Would it be mostly a manual process of going through line by line to see if... Different companies are at different maturity levels.
So some companies say we don't care, and they have a huge liability and a huge risk, because a secret in code, especially one leaked publicly on a public space, like in open source code that is publicly available on GitHub, is one of the most dangerous and impactful vulnerabilities, because anybody in the world can see it.
And it's super easy for an attacker to exploit: you just take the secret, do a few API calls, and you can get the data from the customers, and after that do a walk somewhere and do anything. So really, it's super easy to do.
Some companies are doing nothing. The other ones do manual review by developers. But engineers are really expensive, so you don't want to do that, and you want to use automated tools.
So some companies use open source tools that usually have a high false positive rate, and especially they don't really help you on the remediation. So they'll show you the problem, right? But then not fix it for you.
Not up on them, like... Yeah, and what GitGuardian is really trying to do is, we see visibility as just noise, and you should really focus on fixing the issues and not only showing more issues to the customer, because everybody knows they have tons of problems.
They just want a remediation path. Alright, so let's get into the demo. Show us some of the cool features, some of the key features of the platform. Awesome, let's jump right into it. So usually in GitGuardian you have what we call integrations.
So the idea is that you can scan for secrets everywhere. It could be in a code repository, so we can integrate with Bitbucket, GitHub, GitHub Enterprise, messaging systems such as Teams and Slack, and ticketing systems. And what happens after is that we define what's called the perimeter.
So it will be a succession of all the repositories you have in your VCS, and we will scan them.
So we will analyze, actually, as you can see, we will go through all the code, all the different branches, all the different commits, and scan it, and the scan is extremely fast. So as you can see, it can take five seconds, 20 seconds, a couple of minutes.
So it's extremely fast. And after, we look at what we are finding. So some repos are safe, we don't find any secrets, and some of them contain secrets.
And let me just give you some examples of our secret detection logic and a couple of secrets. So we have more than, actually, looking at our detector table over there, we support over like three model almost foundry detectors.
So it could be any type of key. For example, AWS secrets, Google secrets. And the idea is that for each of these secrets, we can find the number of incidents.
So for example, if I'm looking at AWS secrets, you can look at all the AWS keys we found in your perimeter.
And what's great about it is that it's not only giving you just your incident, but giving you a lot of context: who introduced the vulnerability, with the severity.
We also introduced what we call the validity check, which is a huge innovation in our domain, where for any kind of secret we can do a minimal HTTP call to see if the secret is valid or not.
So it's filtering between true positives and false positives. Okay. And so yeah, that's really... as a customer, you start to have a lot of secrets.
And the first thing, if you want to see, the first way we can help is on what we call prioritization. And we have tons of filters. So I will just show a bit of AI, because now it's natural language. Yeah.
So you can filter by natural language. So our customers usually look at, I want cloud provider secrets that are valid, like valid cloud provider secrets, triggered last month, for example.
So just looking at all the secrets that come from cloud providers, which are extremely critical secrets, so AWS, GCP, that are actually still valid, so that actually give access to some information.
So as you can see, there are filters, so it automatically understands the filter on the date, the type of detector, the status is triggered, and the validity is valid. And you can see here we catch our secret.
So AWS secrets, as you said. So then it shows you right in the code where the... Yeah, exactly. Okay, if you jump in the code, you have even more context: when we detected the incident, is the key valid or not?
Where did we find the secret, in which repo, and inside each repo we actually look at whether it's in the history of the code or in the current version of the code. So we give really precise information to the customer, and the developer can remediate.
But then you add the remediation capability as well, so people can fix it, right? Yeah, exactly. So how do we do that? So we do it like this: the remediation needs to start early, because it's the developers who are introducing the vulnerability.
So we need to give tools to developers so they can fix the issue. And the best remediation possible is what we call prevention. And then we'll do a quick demo of it.
So I'm just going in like a developer, so you know, the IDE, just developing some code. And so I will just go, this will be the classic for developers, like actually building a new feature. So we will create a new branch called, like, new feature.
On this new feature, I'm making a mistake. So it's a bit big; in reality they are a bit more subtle than that. But I'm introducing here a new secret. So it's a MongoDB credential. Okay.
And usually what the developer will do here is actually a commit. So it's actually versioning his code for his teammates to show, okay, I'm pushing this new piece of code. So I'm saying "adding new DB feature" as a commit.
And what's happening here is that we are actually scanning; we have introduced a tool on the developer laptop to scan the issue and to show him, okay, you have an error, like, there was a secret in your code, you can actually not do that.
Okay. But sometimes... so that's the preventative feature. Yeah, yeah, exactly. Okay. So yeah, they just meet. Because to give you all a bit … quick mistake here in features, and let me do it again.
So you can see clearly the message. So yeah, as you can see here, we can find the secret. Yeah, show the developer exactly where it leaked, why it's a leak, find the username, the password.
And what happens usually here is that some developers, what they would want to do is bypass the process. So there is always a way to bypass the security tools.
So here, GitGuardian is installed on the developer laptop as a pre-commit hook, but they can actually bypass this pre-commit with this command in Git. So I have to bypass it, I have to put my passkey.
And so I just bypass, and as you can see, I did the commit and succeeded in bypassing the check, and then after, I will actually publish my code on GitHub. Let me publish it.
So if you go on GitHub, you can actually find my new code. And I will create a pull request directly on GitHub. And here we have a second layer of defense, and you can see it with the different GitGuardian checks.
That will actually also scan the code you've done on GitHub to make sure we catch it even when a developer is trying to bypass the process.
Or if he has not installed our tool on his dev machine, we can catch him at the pull request level. All right. And actually, everything is interconnected.
So if I go back to the dashboard here and reset my filters, and I'm looking at, actually, sources, my repo, I'm looking for my own repo. So Eric sample secrets, on my demo repo.
You can see here, we just leaked the new secret, the MongoDB credential, and you can also find the leak, which is on a new branch, just here with the file I just changed in the code. Wow, everything is interconnected.
So really, it's what we call the shared responsibility model. So the security team can know what the developers are doing, GitGuardian providing their own tools, so they are able to do their checks themselves, but sometimes, to go fast, they will bypass the process and make mistakes.
And we are present at every stage of the software development lifecycle, so we can catch a mistake. Is this software that's hosted on a site and you download it onto a laptop? Or is it an app? It's yeah, it's a SaaS.
So you can actually sign up; actually, it's free for developers, it's free for companies under 25 developers, which is why we have so many developers using us. Yeah, and we have.
So it's a product that's used by companies from 20 or 25 devs, but we have customers with over 10,000 to 20,000 developers, so we can really scale. And yeah, GitGuardian is available as SaaS.
But you can also install it in your own cloud if you are not confident sharing your code. So especially large customers that are highly regulated need self-hosted, and we provide that. So lots of options for companies.
And I know you've only showed me a few features. I'm sure there's a lot more, so where can people go for more information on the product? So yeah, we do have really strong documentation.
So you just type GitGuardian documentation on the internet, and we have strong documentation on the platform, secret detection, the different modules, really. And after, you can just sign up, it's free. You can always sign up and connect to the platform and enjoy it yourself.
Alright, cool, Eric. Thanks for the demo. Awesome. That's all the time we have for today's episode. Don't forget to like the video, subscribe to the channel, and leave any thoughts you have below. Join us every month for new episodes of DEMO. I'm Keith Shaw. Thanks for watching.