When Talend CISO Anne Hardy joined the company in 2020, she quickly identified an issue with infrastructure credentials and other secrets leaking through GitHub.
When I arrived, I heard about quite a few issues with GitHub, including leaks of private information, keys and passwords that could be unintentionally stored and publicly exposed on GitHub by our developers or some of our professional services. We absolutely had to deal with the problem quickly.
Talend had already tried to remedy this problem by developing an in-house tool. This complex project quickly exposed the limitations of building effective in-house detection solutions. The solution not only had some flaws but also proved to be both challenging and expensive to maintain. Additionally (and crucially), it couldn’t identify and monitor developers’ public personal repositories.
It was at this point that Talend decided to look for a ready-made solution available on the market. The desired solution needed to allow for active monitoring of all their GitHub code repositories as well as the public personal code repositories of their developers.
“We started by looking at open source solutions such as Gitleaks and truffleHog, but they did not meet our expectations. In particular, it was necessary to declare all the directories to be monitored, which represented a substantial workload.” Indeed, it is tricky to identify personal repositories belonging to developers, especially when dealing with large teams. Automating this process was the only feasible way forward. “Then we discovered the GitGuardian solution, and analysts confirmed that it was a solid solution and suited our needs.”
What is most valuable?
Once we decided to deploy GitGuardian’s GitHub public monitoring solution, the ramp-up was rapid. As soon as we had access to the platform, we were able to start remediating past incidents.
In parallel with the deployment of the solution, a procedure was put in place to handle this type of leak, and all 400 developers were trained on secrets management.
“What I have found to be very effective with GitGuardian is that we can analyze the history of Talend related alerts on the entire GitHub perimeter, whether they are our official public directories or any public directory outside the control of Talend. We launched this audit, and several leaked secrets were brought to our attention. What was very interesting and what we didn’t anticipate was that most of the alerts came from the personal code repositories of our developers.” GitGuardian can confirm that almost 80% of corporate leaks on GitHub occur on personal repositories.
Talend’s first priority after taking ownership of the solution was to go through the list of historical incidents and enact the new procedure. This allowed them to start on a sound basis and rely on GitGuardian’s real-time alerting going forward. “It took us 3 months to clean everything up and solve problems, especially with employees who had left the company.”
Today, GitGuardian continuously monitors all commits within Talend’s perimeter, whether on Talend-owned repositories or developers’ personal repos. Credentials are detected a couple of seconds after they become publicly visible and then listed on the dashboard along with information that will facilitate remediation.
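To make the commit-monitoring approach described above concrete, here is a minimal secret scanner written for this page. It is an added example and not GitGuardian's, Gitleaks' or truffleHog's implementation. It scans only the added lines of a diff, applies one fixed-format rule (the AWS access key ID and GitHub token prefixes are publicly documented formats) and one entropy heuristic for sensitive-looking assignments, and records the file, diff line and rule so that an alert carries what a remediator needs. The sample diff, its values, the rule names and the entropy threshold are all constructed assumptions.

```python
"""Minimal secret scanner over commit diff text (added example, not a vendor's code)."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Constructed sample diff; none of the values below is a real credential.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
+DB_PASSWORD = "changeme-changeme-changeme"
+API_TOKEN = "x7Q2mVd9LpR4sT8wYzB1nC6kH3jF5gA0"
+LOG_LEVEL = "debug"
-OLD_API_TOKEN = "r3T9vQ1zK8mW5cY2bN6hJ0sL4dF7gP1x"
"""

# Rule 1: credential types with a fixed, recognisable structure.
NAMED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Rule 2: a sensitive-looking variable assigned a long quoted string.
# The keyword list and the 16-character minimum are assumptions for this example.
ASSIGNMENT = re.compile(
    r"(?i)\w*(api[_-]?key|token|secret|password|passwd)\w*\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; chosen for this example


@dataclass(frozen=True)
class Finding:
    file: str
    line_no: int  # position within the diff text, for the remediation ticket
    rule: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_diff(diff: str) -> list[Finding]:
    """Report secrets on added ('+') lines only; removed lines add no new exposure."""
    findings: list[Finding] = []
    seen: set[str] = set()  # dedupe the same value matched by several rules
    current_file = "<unknown>"
    for line_no, raw in enumerate(diff.splitlines(), 1):
        if raw.startswith("diff --git"):
            current_file = raw.split(" b/")[-1]
            continue
        if raw.startswith("+++") or not raw.startswith("+"):
            continue
        line = raw[1:]
        for rule, pattern in NAMED_PATTERNS.items():
            for m in pattern.finditer(line):
                if m.group(0) not in seen:
                    seen.add(m.group(0))
                    findings.append(Finding(current_file, line_no, rule, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # A dictionary-style password has low entropy and slips past this rule,
            # which is why fixed-format rules and keyword rules are combined.
            if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                seen.add(value)
                findings.append(Finding(current_file, line_no, "high_entropy_assignment", value))
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.file}:{f.line_no} [{f.rule}] {f.value[:4]}...")
```

Run as a script it prints the two findings from the constructed diff (the AWS-format key and the random-looking API token); the placeholder database password is deliberately not flagged, which illustrates why a real detector layers many specific rules rather than relying on entropy alone, and the removed `OLD_API_TOKEN` line is ignored because scanning only added lines keeps a remediation commit from re-raising the alert it fixes.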
Human error exists, but the key is to be alerted and be able to take appropriate action when a leak is found.
Talend has deployed GitGuardian for the Infosec team. They will also extend it to their team of security champions, developers who will act as an extension of the Infosec team and encourage best practices.