"Alerts us about secrets being leaked so that we can remediate, and shows vulnerabilities in open-source software"

We work for a research institute and there are a lot of disparate security practices. A lot of people work for us for short periods of time, through internships and other temporary positions, and it's been hard to communicate security best practices across the company. GitGuardian helps prevent the leaking of secrets, but it's also for educating our company about our policies.

The main benefit is that, previously, secrets would be leaked and nobody would ever hear about it. Now, we actually have alerts and the opportunity to follow up with researchers to deal with these problems. It has provided the opportunity to collaborate on remediation rather than not knowing there are issues.

In addition, we do a review of security alerts when we open-source software. We used to have a script that we wrote that we would run to scan these repositories. It would produce a lot of noise. Now, we go to GitGuardian and immediately we have a dashboard that tells us what vulnerabilities there are.

GitGuardian has helped to modestly increase security team productivity whenever we do a review of open-source software for security leaks. Previously, that would take about an hour per repository and now it takes five minutes. We have 1,500 repositories, which is a lot. We're open-sourcing them weekly, so it doesn't amount to a huge number of hours, but it's turned something from fairly inconvenient, that had the potential to take an hour out of someone's day, to something that's just quick, easy, minimal, and more effective.

It has also helped to decrease false positives.

The most valuable feature is the alerts when secrets are leaked and we can look at particular repositories to see if there are any outstanding problems. In addition, the solution's detection capabilities seem very broad. We have no concerns there.

In terms of the accuracy of detection and the solution's false positive rate, we had to make some adjustments, but now that we've made those adjustments we're very happy with where we are.

We have also used the dev in the loop feature and it works well when it comes to remediating an incident. For collaboration between developers and security teams it's very good.

We have been somewhat confused by the dashboard at times.

We've been using GitGuardian Internal Monitoring for about a year.

I have no concerns about its stability at all.

We also have no concerns about its scalability. Maybe we'll hit something, but I've seen no evidence of scalability issues.

We're using it for about one-third of our organization. We'd like to use it for more.

We've always gotten quick, thorough responses from their technical support.

We did not have a previous solution.

It was very easy to get started. There was an amazing trial where they showed us vulnerabilities we already had.

It requires no maintenance on our side.

It's not cheap, but it's not crazy expensive either. We negotiate a price and it stays at that price, which is very nice.

We did evaluate other products over a fairly long period of time, but GitGuardian stood out in that it was something we would pay for and we wouldn't have to worry about it. It would just work.

I would tell a security colleague who says that secrets detection is not a priority that it might be worth trying this tool out and seeing what it shows you before jumping to that conclusion.

The importance of secrets detection to a security program for application development is tough to determine because the biggest players already detect secrets on GitHub and disable those tokens. If I pretend those don't exist, then it's extremely important. Since they do exist, it's somewhat important.

Try out GitGuardian Internal Monitoring. It's easy to try it out and you can go from there.