
"Gives us more visibility into secrets in our code and helps to create awareness of security"


Igor Klyashchitskiy

Director of Development at a computer software company with 1,001-5,000 employees

Software vendor currently using GitGuardian Public Monitoring


Review by a Real User, verified by PeerSpot


What is our primary use case?

We monitor our GitHub repositories for security violations and secrets. We have our organization on github.com for infrastructure as code and our use case is to find security violations as soon as possible. When development uses active tokens or passwords on github.com, we need to immediately escalate things to the right person, so they will be removed.

We started with public monitoring and switched to internal.

How has it helped my organization?

We have not tracked whether there has been a decrease in false positives, but GitGuardian has helped us to keep input clean, as much as possible, for infrastructure. 

It also gives us more visibility and helps to create awareness about security in our code.

Another benefit is that the speed of remediation has been significantly improved because we get notification immediately, as issues are detected, very close to the check-in time. We are then able to assign them to the responsible party for correction, according to our SLA.

There are times when it finds issues every two days, but of course, some of them are false positives. But our data for October 2021 shows a 48 percent decrease in incidents from previous months, and that's a very good sign that development is reading our reports.

GitGuardian also efficiently supports our shift-left strategy. It gives us the ability to provide more information, and earlier, to development. That means when the time comes for releases, the code is clean from a security standpoint.

Using the solution, we have also seen an increase in the secrets-detection rate. We didn't have a previous solution, so in that sense, when we started to use it, the increase was 100 percent. For infrastructure as code, the increase is significant. Compared to the previous year, the dashboard shows it is 73 percent.

What is most valuable?

The most valuable feature of GitGuardian is that it finds tokens and passwords. That's why we need this tool. It minimizes the possibility of security violations that we cannot find on our own. We need to find out immediately when development breaks the rules.

Issues are detected pretty quickly.

The tool, from an administration standpoint, is very easy to support, and it has good audit-log visibility.

The breadth of GitGuardian's detection capabilities is very good. I like it.

What needs improvement?

In three years, we have had only one major hiccup, a development bug that was very quickly fixed. 

There is room for improvement in its integration for bug-tracking. It should be more direct. They have invested a lot in user management, but they need to invest in integrations. That is a real lack.

For how long have I used the solution?

We have used GitGuardian Internal Monitoring for the last three years.

What do I think about the stability of the solution?

It's very stable. We haven't had any issues.

What do I think about the scalability of the solution?

The scalability is pretty good. Currently, we use it for internal monitoring but I'm looking to extend it to external as well. It depends on budget, but I'm trying to get us to start using it for that in the next few months.

I also plan to start utilizing webhooks for integrations.

How are customer service and support?

We have used their standard technical support once. Our experience with them was good. It was pretty quick and it was during a moment when we had a bad release and we had to do a rollback. They were quick to respond.

How was the initial setup?

It was a pretty easy, straightforward installation, and we got results immediately.

In terms of maintenance of the solution, because we have an on-premises installation, we have to do upgrades periodically. But the maintenance does not require a lot of time, maybe an hour per month. It's pretty cheap to support. It's very easy to upgrade, and upgrades happen once every couple of months. We are using version 1.29.1. In a reply from one of my administrators about the upgrade, he said it was done during a coffee break.

We have a little under 100 people who use it actively, in our security team and development management.

What was our ROI?

We have seen ROI because GitGuardian has found some secrets that were checked in as part of the code and it helped us to prevent an area of possible attack on our corporate network and resources.

In the same way, it protects our customers. 

What's my experience with pricing, setup cost, and licensing?

It's a little bit expensive.

When you have a large organization, you would like to involve as many of your developers as possible. It's really expensive when you have 600 or 1,000 developers. That will push your price to close to $100,000 a year. So it's not a cheap solution. You have to create the correct interface to keep it in line with your budget.

For us, there are no additional costs beyond the standard licensing fees because we deploy it internally. If we deployed it in the cloud, we would incur infrastructure costs.

Which other solutions did I evaluate?

We compared GitGuardian to GitHub's features. GitGuardian was chosen because it has superior functionality when it comes to detection.

What other advice do I have?

If a colleague in security at another company were to tell me that secrets detection isn't a priority, I would tell him I highly recommend this product. We have achieved very good results. 

Secrets detection is one of the top-five priorities in a security program for any development. It defends the company's interests and secrets.

There's an old saying, "You cannot trust your developers." You always need to check their work.

The only issue that I can see is that sometimes an organization deploys a tool but does not utilize it as much as it could. That is the impression I have gotten from speaking with my colleagues at different companies.

Overall, I like this tool. We have used it for a few years and I'm very impressed. I'm happy with it as a tool and with the vendor as a company.
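The workflow the reviewer describes (catch a secret close to check-in time, open an incident, hand it to an owner with an SLA deadline, and keep false positives down) is easy to sketch in a few dozen lines. The block below is an added illustration written for this page; it is not GitGuardian's code and not the reviewer's. The detector rules, severities, SLA hours, the `infra-team` owner and the diff it scans are all constructed assumptions.

```python
"""Toy secrets scanner over a unified diff: detect at check-in time, record an
incident with an SLA deadline, and never store the raw secret.

Added example for this page; not GitGuardian's code. Rules, SLA hours and the
sample diff are constructed assumptions."""
import math
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed detector rules: (name, regex, severity, SLA hours to remediate).
# Cloud and VCS token shapes are narrow; the generic password rule is broad, so
# it is paired with an entropy check below to suppress placeholders.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high", 4),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "high", 4),
    ("generic_password_assignment",
     re.compile(r"(?i)password\s*[=:]\s*['\"]([^'\"]{8,})['\"]"), "medium", 24),
]


@dataclass
class Incident:
    rule: str
    severity: str
    path: str
    line_no: int
    owner: str
    due: datetime
    evidence: str  # redacted form only; the raw secret is never kept


def shannon_entropy(s: str) -> float:
    """Bits per character; low values usually mean a placeholder like 'changeme'."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(secret: str) -> str:
    """Keep a short prefix for triage, mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def parse_added_lines(diff: str):
    """Yield (path, new_line_number, text) for every '+' line of a unified diff."""
    path, line_no = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            line_no += 1
            yield path, line_no, raw[1:]
        elif not raw.startswith("-"):
            line_no += 1  # context line advances the new-file line counter


def scan_diff(diff: str, owner: str, now: datetime) -> list[Incident]:
    """Run every rule over the added lines and open one incident per hit."""
    incidents = []
    for path, line_no, text in parse_added_lines(diff):
        for name, rx, severity, sla_hours in RULES:
            m = rx.search(text)
            if not m:
                continue
            secret = m.group(1) if m.groups() else m.group(0)
            # Low-entropy "passwords" are almost always placeholders; skip them.
            if name == "generic_password_assignment" and shannon_entropy(secret) < 3.0:
                continue
            incidents.append(Incident(name, severity, path, line_no, owner,
                                      now + timedelta(hours=sla_hours), redact(secret)))
    return incidents


# Constructed sample diff (fake key material, not real credentials).
SAMPLE_DIFF = """\
diff --git a/terraform/prod.tfvars b/terraform/prod.tfvars
--- a/terraform/prod.tfvars
+++ b/terraform/prod.tfvars
@@ -1,3 +1,5 @@
 region = "eu-west-1"
+aws_access_key = "AKIAEXAMPLE000000001"
+db_password = "changeme"
 instance_type = "t3.small"
+ci_token = "ghp_exampletokenexampletokenexampletoken"
"""

SCAN_TIME = datetime(2021, 10, 1, 9, 0, tzinfo=timezone.utc)


def demo() -> list[Incident]:
    """Scan the constructed diff and assign findings to a hypothetical owner."""
    return scan_diff(SAMPLE_DIFF, "infra-team", SCAN_TIME)


if __name__ == "__main__":
    for inc in demo():
        print(f"[{inc.severity}] {inc.rule} at {inc.path}:{inc.line_no} "
              f"-> {inc.owner}, due {inc.due.isoformat()}, evidence {inc.evidence}")
```

Two findings come out (the AWS key on line 2 and the GitHub token on line 5); the `changeme` placeholder is dropped by the entropy threshold, which is the cheapest way to keep the false-positive rate the reviewer mentions under control without losing real hits.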
