Security Chats – Jon-Erik Schneiderhan, Senior SRE at a tech company
Jon-Erik has been using GitGuardian Internal Monitoring for 15 months with his team of three security engineers (and 80 developers). As Senior SRE, he was aware that many secrets could be hidden in the repositories he supervises, and new ones leaked every day.
He told Peerspot how and why he chose GitGuardian and the improvements his team received.
Rationale
Jon-Erik needed first and foremost a real-time secrets detection solution able to reduce the meantime to detection:
"Without GitGuardian, we wouldn't be doing real-time detection of secrets. It would be something that we did periodically. Maybe quarterly or semi-annually, we would review our code for secrets. This means that the meantime to detection would be much longer."
Before using GitGuardian, his team performed periodic code reviews than were not efficient:
“Previously, we only detected secrets when someone saw them, which was rare. Especially since a large portion of our secrets is in the Git history, not in the current state of the repository, we were only made aware of 10% of the secrets before.”
Return On Investment
Now, he estimates that the coverage has vastly improved thanks to the secrets detection capabilities of the solution:
“Now, we are probably in the 90 percentile.”
Not only that, but Jon-Erik also estimates that real-time monitoring saves his team an entire week per quarter in periodic code reviews:
"We don't have to do a periodic review to see if there are any secrets in our codebases. I would estimate, if we were to do that on a quarterly basis, we would be spending an entire week per quarter on it that we don't have to spend now. Therefore, it saves us a week every quarter in pure effort."
According to him, that represents a non-negligible amount of ROI:
“We have seen a return on investment. The amount of time that we would have spent manually doing this definitely outpaces the cost of GitGuardian. It is saving us about $35,000 a year, so I would say the ROI is about $20,000 a year.”
As he highlighted in his review, his initial objective of reducing MTTD and facilitating leaks remediation were achieved:
"GitGuardian reduces our mean time to detect substantially. In addition, we would be finding out about secrets much further away from the time that they were introduced into the codebase. We would be chasing people down to give us information about things that they did weeks or months ago. This would drastically reduce the effectiveness of us being able to triage and remediate the leaked secrets."
"The secrets detection and alerting is the most important feature. We get alerted almost immediately after someone commits a secret. It has been very accurate, allowing us to jump on it right away, then figure out if we have something substantial that has been leaked or whether it is something that we don't have to worry about. This general main feature of the app is great."
He summarizes the benefits :
"The solution efficiently supports our shift-left strategy."
Features
Here are the core features that help Jon-Erik in his day-to-day security work:
Dismiss invalid secrets :
“Recently, they added a feature that checks the validity of leaked secrets. It will actually reach out and see if the secret that leaked was valid or not. I have found, over the past couple months, this to be a super useful feature. We can go through a lot of the secrets in our codebase, which have been detected, and dismiss them if we know that they are invalid secrets that can't be used anyway. This saves us a bunch of time, which is why this has been a really neat feature that has been useful.”
Don't waste time on false positives:
“I have found that I have been very satisfied with the breadth of the solution's detection capabilities. I don't think it has missed anything. The false positive rate has been very low. Every single time something is detected, it is something that we should look at. It does a very good job of detecting things that we should look at and make a decision on. We don't waste a lot of time chasing down false positives.“
Sort & prioritize incidents:
“The solution helps to quickly prioritize remediation because it allows us to tell which keys are valid versus which ones are invalid. We prioritize the valid ones first. It also lets us sort by detection type, e.g., what kind of secret is it detecting. There are ones that we would obviously prioritize over others, like SSH keys or AWS credentials, versus less sensitive credentials that aren't as concerning. I think it does a great job of helping us prioritize.”
Get feedback from the developers:
“GitGuardian provides a feedback form feature that we utilize heavily. When a secret is detected, our process is to generate a feedback form link in GitGuardian, then provide that to the developer. The developer will give us contextual information about the secret, then we can take action. They have also recently released a feature, which we haven't started using yet, called automated playbooks where you can set it up to automatically create that feedback form. Then, it will be emailed to the developer so they get automatically notified that they introduce a secret with a feedback form to fill out. I suspect this will improve our developer's ability to resolve the secrets faster.”
Jon-Erik also suggested a missing feature:
“They could give a developer access to a dashboard for their team's repositories that just shows their repository secrets. I think more could be exposed to developers.”
Good news: this much-awaited feature is coming very soon! See our RBAC team management roadmap.
Lastly, we cannot say that we were not touched by the rating that Jon-Eric gave to our customer support ❤️
“I would rate them as nine out of 10. They respond to me almost immediately every time that I have a question, which has been great. I haven't experienced any delays or not had an issue solved.”
Summary: don't overlook code safety!
“We feel safe because we don't have valid credentials sitting in our code repositories. If any of our code was breached or any of our developer workstations were compromised or stolen, no one would be able to get valid API credentials out of the Git repositories on those workstations.”
"If you were to run a proof of concept with GitGuardian and see all of the things that it detects, then you would probably be very surprised. You can tell very quickly what the return on investment will be and how much risk a tool like this can mitigate."
"If you are not detecting secrets in code, then every developer's machine is a security breach waiting to happen."
*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Automated Secrets Detection authored by Thomas Segura. Read the original post at: https://blog.gitguardian.com/customer-story-jon-erik/